Ambient mesh is an evolution of Istio service mesh, designed to simplify deployment, improve scalability, and reduce resource overhead by eliminating sidecar proxies. Just like the sidecar mode of Istio, the ambient mode provides advanced security, observability, traffic management, and resiliency across distributed workloads.

Ambient mesh fundamentally differs from traditional service mesh solutions through its sidecar-less architecture, which uses shared ztunnels for L4 traffic and optional waypoint proxies for L7 processing, instead of requiring a sidecar proxy for each workload. This architectural shift results in lower resource overhead and simplified operations, as resources are shared across workloads rather than dedicated per pod. Unlike conventional service meshes that combine L4/L7 processing in sidecars, ambient mesh separates these concerns, allowing for more efficient resource utilization and providing a flexible path for gradual adoption. Organizations can transition from existing sidecar deployments while maintaining compatibility, enabling them to modernize their infrastructure at their own pace.

Ambient mesh does not rely on sidecars embedded in each service pod for security, observability, traffic management, and resilience. Ambient mesh centralizes these functions into a shared data plane layer at the network level. This sidecar-less approach reduces complexity, lowers CPU and memory usage per pod, and enables more efficient scaling in large environments. However, users retain the granular traffic control and security policies of a service mesh while streamlining operations, making it a compelling option for modern cloud-native infrastructure.

Yes! Ambient mesh is built on Istio’s ambient mode and designed specifically for cloud-native environments and workloads including those operating in Kubernetes.

If you feel comfortable with Istio sidecar deployment, you can keep using it! However, if you feel like you can benefit from the features of ambient mesh, you can easily choose to gradually upgrade your sidecar deployment to ambient mode.

If users want enterprise features and support for their Istio service mesh deployments they can benefit from the additional knowledge provided by Solo.io through their support packages or enterprise ambient mesh extensions through Gloo Mesh.

Yes! You can find the most comprehensive documentation on ambient mesh on this site.

Yes! Ambient mesh is built on Istio’s ambient mode. Learn how you can contribute to the Istio project.

Ambient mesh transparently adds mutual TLS (mTLS) encryption to all enrolled workloads allowing users to easily configure policies for authentication and authorization to help mitigate threats. You can learn more in our docs.

Yes! With ztunnel, ambient mesh users can collect basic logs and TCP metrics. A waypoint proxy is required if advanced L7 metrics are required. For advanced observability capabilities, users can choose to subscribe to enterprise solutions like Gloo Mesh to get comprehensive data including logging, tracing, and metrics without a waypoint proxy.