Traffic management, connectivity and networking

Ambient mesh is implemented as a data plane mode for Istio, and as such the control plane infrastructure remains the same as used for other modes, including sidecar and gRPC.

Istio’s service registry

In order to direct traffic within a mesh, Istio needs to know where all your endpoints are, and which services they belong to. Istio maintains an internal service registry containing the set of services, and their corresponding endpoints, running in a service mesh. If you’ve installed Istio on a Kubernetes cluster, then Istio automatically detects the services and endpoints in that cluster.

You can augment this registry by adding service entries, which allows you to configure routing of traffic to services outside the mesh.

This registry is used to program both the ztunnel and waypoint proxies using xDS.

Istio automatically provides basic load balancing between the endpoints of a service, which can be enhanced by adding destination rules.

Routing traffic

Traffic routing is supported at the edge of a cluster using a gateway, or when a workload is enrolled in the waypoint layer.

The ztunnel overlay sends traffic to one of two destinations:

  • The destination, as specified by the IP address
  • A waypoint proxy, if one is configured for the destination service.

To gain the ability to control routing of traffic destined for a particular service, you can configure a waypoint for it. You then gain access to Istio’s full set of Layer 7 features, including HTTP routing & load balancing, circuit breaking, rate limiting, fault injection, retries, and timeouts.

In ambient mesh, routes are expressed using the Gateway API.[1]

When a routing decision has been made, you can use destination rules to configure what happens to traffic for that destination. This can include your preferred load balancing model, TLS security mode, or circuit breaker settings.
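The pieces described in this section, put together as an added example (not taken from the Istio documentation): a waypoint, a Gateway API route attached to a Service, and a destination rule for the routed backend. The Service names `reviews`, `reviews-v1` and `reviews-v2`, the `default` namespace and port 9080 are assumptions.

```yaml
# Constructed example; service names, namespace and port are assumptions.
# 1. Waypoint proxy that handles traffic addressed to services.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
  labels: {istio.io/waypoint-for: service}
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 2. Route attached to the Service. It takes effect only when the Service
#    carries the label istio.io/use-waypoint: waypoint; without a waypoint,
#    ztunnel sends traffic straight to the destination and no L7 rule runs.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: reviews-split, namespace: default}
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: reviews
    port: 9080
  rules:
  - backendRefs:
    - name: reviews-v1
      port: 9080
      weight: 90
    - name: reviews-v2
      port: 9080
      weight: 10
---
# 3. Policy applied after the routing decision, for the selected backend.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata: {name: reviews-v1, namespace: default}
spec:
  host: reviews-v1.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_REQUEST
    outlierDetection:
      consecutive5xxErrors: 5
      baseEjectionTime: 30s
```

When reviewing a mesh, check that every Service with an attached route or destination rule is actually enrolled with a waypoint, since policy written for an unenrolled Service is silently not enforced.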

  1. The legacy Istio VirtualService API can also be used, but is only recommended for use where the Gateway API does not support a particular feature.