How Ambient Mesh Redefines Service Mesh Data Plane with Sidecar‑less Architecture

Service Mesh Overview

Service mesh technologies such as Istio have been used for four to five years, decoupling service‑governance capabilities into sidecar proxies that form a mesh data plane, while a control plane provides APIs for managing network behavior.

Sidecar vs. Ambient Data Plane

Traditional sidecar proxies intercept traffic via iptables, causing multiple TCP/IP stack traversals. To reduce latency, eBPF can bypass the kernel stack for L4 traffic, while Envoy continues handling L7 traffic. Ambient mesh introduces a layered data plane: a lightweight L4 layer for basic routing, security, and observability, and a richer L7 layer for advanced traffic management.

L4/L7 Split and Waypoint Proxy

L4 layer : TCP routing, simple 4‑layer authorization, mutual TLS, TCP metrics and logs.

L7 layer : HTTP routing, load balancing, circuit breaking, rate limiting, fault tolerance, retries, timeouts, fine‑grained 7‑layer authorization, HTTP metrics, access logs, and tracing.

In ambient mode, the L4 proxy runs as a DaemonSet CNI component on each node, while the L7 proxy (Waypoint) runs as a dedicated pod per ServiceAccount.

CNI Configuration for Nodes and ztunnel

The mesh CNI plugin creates an IP set ztunnel-pods-ips to store IPs of pods enabled for ambient mode, configures two Geneve virtual interfaces ( istioin and istioout) on each node, and sets interface parameters ( rp_filter=0, accept_local=1).

It also installs iptables chains (e.g., ztunnel-PREROUTING, ztunnel-OUTPUT) that mark packets from ambient pods with 0x100 and redirect them to the appropriate istioin or istioout interfaces.

Geneve Tunnel and Routing

Each node’s istioin and istioout interfaces are connected via Geneve tunnels to the corresponding pistioin and pistioout interfaces inside the ztunnel pod. The CNI plugin adds routing tables (100, 101, 102) and ip rule entries so that packets marked with 0x100, 0x200, or 0x040 are routed through the appropriate tables.

End‑to‑End Traffic Flow

For L4‑only requests, ambient pods write their IPs to the ipset, packets are marked 0x100, intercepted by iptables, sent to istioout, tunneled to pistioout, forwarded to ztunnel port 15001, and finally reach the destination service.

For L7 requests, after the L4 path the traffic passes through the Waypoint proxy, which performs HBONE handling, authentication, and L7 policy enforcement before forwarding to the appropriate cluster.

Key Takeaways

Ambient mesh decouples the data plane from application pods, eliminating the need to inject sidecars.

The layered L4/L7 design allows incremental adoption and resource‑efficient traffic management.

CNI and Geneve tunnels provide high‑performance, low‑latency networking for ambient pods.

eBPF acceleration reduces TCP/IP stack overhead for L4 traffic while preserving Envoy’s L7 capabilities.