
Simplify Kubernetes Egress with ASM Ambient Mode and Waypoint

Learn how ASM's Ambient mode and the Waypoint component streamline L7 egress traffic management in Kubernetes by replacing complex Sidecar configurations with simple ServiceEntry and Waypoint labels, reducing configuration overhead while preserving powerful security and observability features.

Alibaba Cloud Infrastructure

Ambient Mode: A New Approach to Egress Traffic Management

Managing egress traffic in a Kubernetes cluster traditionally relies on security groups or native NetworkPolicy, which operate at L3/L4 and control access by IP and port. When finer‑grained control—such as limiting an application to a specific external API path or monitoring QPS and latency—is required, these methods fall short.

Many organizations adopt a service mesh for L7 egress control, but the classic Sidecar model demands multiple resources (ServiceEntry, Gateway, VirtualService, DestinationRule) and considerable Istio expertise. ASM introduced the ASMEgressTrafficPolicy to bundle these, yet the learning curve remains.

How Ambient Mode Simplifies Egress

Ambient mode leverages the Waypoint component to replace the complex Sidecar workflow. The core steps are:

Define a ServiceEntry: Register the external service (e.g., api.externalservice.com) so the mesh can recognize the destination.

Enable a Waypoint proxy: Add a label to the ServiceEntry, causing its traffic to be handled by a Waypoint proxy.

With these two steps, L7 egress control is established without manually configuring an Egress Gateway or intricate routing rules; the Waypoint proxy automatically performs the functions previously spread across several resources.

Configuration Comparison: Experience the Simplicity

Below is a side‑by‑side illustration of the traditional Sidecar configuration versus the Ambient approach for a simple HTTP egress service.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-http
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egress-gateway
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
  # Sidecars reach the egress gateway over Istio mTLS on port 80.
  # Istio rejects a tls block on a plain HTTP server, so the
  # ISTIO_MUTUAL listener is declared as HTTPS.
  - hosts:
    - '*'
    port:
      name: https
      number: 80
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egressgateway-vs
spec:
  hosts:
  - aliyun.com
  # Bind to the sidecars ("mesh") and to the Gateway defined above;
  # the name here must match the Gateway's metadata.name.
  gateways:
  - egress-gateway
  - mesh
  http:
  # 1. Sidecar -> egress gateway
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
      weight: 100
  # 2. Egress gateway -> external host registered in the ServiceEntry
  - match:
    - gateways:
      - egress-gateway
      port: 80
    route:
    - destination:
        host: aliyun.com
        port:
          number: 80
      weight: 100

These resources are advanced and challenging for beginners to understand and troubleshoot.

In Ambient mode, the equivalent configuration is dramatically shorter:

# Deploy Waypoint (shared if already present)
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-http
  labels:
    istio.io/use-waypoint: waypoint
spec:
  hosts:
  - aliyun.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS

A single label is all that is needed to delegate the egress routing logic to the Waypoint proxy; the Gateway, VirtualService and routing match rules of the Sidecar approach disappear entirely.

Real Benefits of Ambient Mode

Configuration drastically simplified: What previously required multiple linked resources now reduces to a single entry, lowering the barrier to adoption and operational overhead.

Feature set unchanged: Full L7 control remains available via AuthorizationPolicy, DestinationRule, VirtualService, etc., allowing precise path‑level access, retries, timeouts, and TLS upgrades.

Enhanced observability: All traffic passing through Waypoint is automatically recorded, providing QPS, P99 latency, success rates, and other metrics without code changes.
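As an added example (not from the original article or from ASM's documentation), the two resources below apply the path‑level access control and TLS upgrade mentioned above to the Waypoint‑handled ServiceEntry external-svc-http. The namespace default, the client service account app-client, and the /api/ path prefix are assumptions.

```yaml
# Path-level allow-list enforced by the waypoint for aliyun.com.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: external-svc-http-allow
  namespace: default          # assumed: namespace of the ServiceEntry and the waypoint
spec:
  # Attach the policy to the ServiceEntry; the waypoint serving it enforces the rules.
  targetRefs:
  - kind: ServiceEntry
    group: networking.istio.io
    name: external-svc-http
  action: ALLOW
  rules:
  - from:
    - source:
        # assumed: only workloads running as this service account may call out
        principals:
        - cluster.local/ns/default/sa/app-client
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]     # assumed path prefix; any other path or method is denied
---
# TLS upgrade: the application speaks plain HTTP on port 80 and the waypoint
# originates TLS towards the external host, so no client code changes.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-svc-http-tls
  namespace: default
spec:
  host: aliyun.com
  trafficPolicy:
    tls:
      mode: SIMPLE
```

Because an ALLOW policy is attached, every request through the waypoint that matches none of its rules is rejected, so the allow-list should be checked against real traffic before rollout. For the TLS upgrade to reach the HTTPS port, the ServiceEntry's port 80 entry also needs targetPort: 443.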

In summary, ASM’s Ambient mode offers a streamlined path for sophisticated L7 egress management, letting developers and operators focus on security and observability policies rather than low‑level infrastructure.

ASM supports Ambient mode starting from version 1.25; users are encouraged to upgrade and explore the simplified service‑mesh experience.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
