
Istio Ambient Mesh: A New Data Plane Model That Eliminates Sidecar Overhead

Istio's ambient mesh introduces a shared‑node ztunnel and optional waypoint proxies to provide zero‑trust security and optional L7 features without sidecar injection, reducing invasiveness, resource waste, and operational complexity while maintaining full mesh functionality.

Cloud Native Technology Community

Istio announced a new data‑plane mode called ambient mesh, which removes the sidecar proxy from application pods and deploys a shared proxy on each node, aiming to solve the coupling between mesh infrastructure and application deployment.

Istio and Sidecar

The traditional sidecar model embeds an Envoy proxy alongside each workload, offering traffic management, security, and observability without code changes, but it suffers from invasiveness, inefficient resource usage, and potential traffic interruption.

Separate L4 and L7 Processing

Ambient mesh splits Istio functionality into a low‑overhead secure overlay (L4) that runs in a shared ztunnel on every node, and an optional L7 layer provided by waypoint proxy pods, allowing users to adopt mesh capabilities incrementally.

Building an Ambient Mesh

All traffic from workloads on a node is redirected to the node‑local shared ztunnel, which carries it over a zero‑trust mTLS tunnel; this separates the data plane from the application and lets the two be scaled and upgraded independently. L7 features are handled by waypoint proxies, which are ordinary Kubernetes pods that can be autoscaled per namespace.

Resource and Performance Impact

Because ztunnel performs only L4 functions, its CPU and memory footprint is minimal, while waypoint proxies can scale dynamically based on actual traffic, resulting in lower overall resource reservations compared with per‑pod sidecars.

Security Considerations

The shared ztunnel exposes only a small L4 attack surface, and each waypoint proxy is scoped to a single service account, so a flaw in one tenant's L7 proxy does not expose another tenant's traffic; even if an application pod is compromised, the mesh still enforces its security policies outside the pod.
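As an added example tying together the three sections above (L4/L7 split, building an ambient mesh, and the security model), the following manifest is not code from the article or from the Istio project. The namespace `shop`, the workload label `app: web`, the service accounts `web` and `client`, and port 8080 are constructed for illustration. The ambient namespace label and the `AuthorizationPolicy` fields are stable Istio API; the exact `Gateway` shape for a waypoint follows the preview‑era output of `istioctl x waypoint apply --service-account web` and is an assumption to check against the Istio release in use, since it changed in later versions.

```yaml
# Added example (not from the original article or the Istio project).
# Constructed names: namespace "shop", label app=web, service accounts
# "web" (server) and "client" (caller), port 8080.

# 1. Opt the namespace into ambient mode. Pods created here get no sidecar;
#    their traffic is redirected to the node-local ztunnel instead.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio.io/dataplane-mode: ambient
---
# 2. L4 policy, enforced by ztunnel without any waypoint: only the "client"
#    identity may reach port 8080 of the web workload. Because ztunnel, not
#    the pod, terminates the mTLS tunnel and evaluates this rule, it still
#    holds if the web pod itself is compromised.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-l4
  namespace: shop
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/client"]
    to:
    - operation:
        ports: ["8080"]
---
# 3. Waypoint proxy scoped to the "web" service account. Istio turns this
#    Gateway into an ordinary Deployment that can be autoscaled independently
#    of the workload. The gatewayClassName and annotation below follow the
#    preview-era `istioctl x waypoint apply` output (assumption; verify
#    against your Istio version).
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: web
  namespace: shop
  annotations:
    istio.io/service-account: web
spec:
  gatewayClassName: istio-mesh
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 4. L7 policy: HTTP method and path are only visible after TLS termination
#    at the waypoint, so this rule can only be enforced there. How an L7
#    policy is bound to a waypoint changed across releases (assumption; the
#    preview applied policies selected by workload labels, later releases
#    bind them to the waypoint explicitly), so check the release docs.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-l7
  namespace: shop
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/client"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

Apply it with `kubectl apply -f` against a cluster where the ambient profile is installed. The useful check is that the workload's pods in `shop` report a single container (no `istio-proxy`), while the ztunnel DaemonSet in `istio-system` and the waypoint Deployment created from the Gateway are the only proxies carrying the traffic; deleting the Gateway removes L7 enforcement but leaves the L4 rule intact, which is exactly the incremental adoption the article describes.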

Compatibility with Sidecar

Ambient mesh and sidecar mode can coexist in the same mesh, and Istio continues to support sidecar deployments for scenarios requiring dedicated data‑plane resources or strict compliance.

Getting Involved

The ambient mesh preview is available for testing, and the Istio community encourages contributions and feedback to help bring the feature to production readiness.

Tags: Kubernetes, Istio, Service Mesh, Sidecar, zero-trust, Ambient Mesh

Written by

Cloud Native Technology Community

The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.
