How Alibaba Cloud Service Mesh’s Ambient Mode Boosts Performance and Cuts Costs

Ambient Mode Overview

Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform. In version 1.25 ASM officially supports Ambient mode, a sidecar‑less data‑plane architecture.

Why Ambient?

Traditional sidecar injection ties the lifecycle of the sidecar container to the business pod, increasing resource consumption and operational overhead. Ambient decouples the mesh from the pod, eliminating the need to restart pods for mesh upgrades.

How It Works

Enabling Ambient for a namespace automatically activates mTLS and basic L4 capabilities without redeploying applications. For L7 features such as HTTP header‑based routing or observability, a Waypoint proxy (a separate Deployment based on Envoy) can be enabled per Service.

The core components are:

Ztunnel : an L4 proxy written in Rust that runs as a process on each node.

CNI plugin : redirects pod traffic to Ztunnel.

Waypoint : optional Envoy‑based L7 proxy that can be scaled independently.

Performance and Cost Benefits

When only L4 is needed, traffic passes through Ztunnel once instead of two Envoy sidecars, reducing average latency by about 75 % and cutting resource usage. With L7 enabled via Waypoint, latency still improves (~30 % reduction) while keeping resource consumption lower than the sidecar model.

Feature Comparison

Both modes provide the full Istio feature set, but Ambient requires Waypoint for L7 capabilities. Key differences include:

Traffic Management : Full Istio features in both; Ambient needs Waypoint for L7.

Security : Ambient offers mTLS and L4 authentication out of the box; L7 authentication requires Waypoint.

Observability : L4 telemetry is native; L7 telemetry via Waypoint.

Scalability : Ambient reuses a single Ztunnel per node and Waypoint per Service, reducing per‑pod overhead.

Resource Utilization : Sidecar consumes more CPU/memory per pod; Ambient’s shared proxies lower average cost.

Deployment : Sidecar requires namespace labeling and pod restarts; Ambient only needs a namespace label.

Conclusion

ASM 1.25’s Ambient mode delivers a stable, high‑performance, and cost‑effective service mesh experience on Alibaba Cloud Kubernetes clusters, with optional Waypoint for advanced L7 features.