aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Architecture
  • Cloud-Native

Five Exciting Things About Istio Ambient Mesh

  • aster.cloud
  • October 11, 2022
  • 5 minute read

Istio ambient mesh is a new, sidecar-less data plane architecture introduced in the Istio community on 9/7. I am personally proud to be part of the ambient mesh launch after many months of working with our brilliant engineers. About two years ago, I wrote the “Service mesh is still hard” blog and many of the points in that blog are still valid with the sidecar architecture. In this blog, I want to highlight five things in ambient mesh that I am extremely excited about while circling back to some of the points I made in my earlier blog.

Simplified Operation

If you used a sidecar-based approach before, you had to inject the sidecar to your application pod either when initially deploying your application or by restarting your application. When there is any CVE related to the sidecar proxy, you have to restart your application pod to refresh to the newer sidecar proxy that contains the CVE fixes. This restart is required even when you have no change in your application which could add a lot of operational overhead to running your application.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

Including an application in ambient is as simple as annotating a namespace with the dataplane-mode:ambient label. Pods will start to be automatically included in ambient as soon as the istio-cni component detects the newly added label and configures the traffic redirect from the application pod to ztunnel. You can keep your applications running while it is being included as part of ambient, and you don’t need to restart your application or inject sidecars to your application at all.

Broader Application Support

Two challenges I highlighted in my earlier blog are:

  • Your service may break immediately after a sidecar is injected
  • Your service may have odd behavior at the start or stop time

Remember the hours you spent trying to figure out why your application stopped working the moment it had sidecar injected? For me, I would go to the Istio application requirement page, to check if my application didn’t satisfy any requirements on the list. Because the list is not small, from not supporting Kubernetes Jobs, server-send-first protocols, or a list of reserved ports, etc, I usually find my application doesn’t meet the requirements. Further, because sidecars are not official concepts in Kubernetes, there is no standard way to manage how sidecars’ lifecycle relates to application containers at startup or stop time, which becomes even more challenging when the application itself also has its own init container or sidecar.

Read More  LitmusChaos Expands Adoption, Contributors, And Announces 3.0 Beta

With HTTP Based Overlay Network (HBONE) introduced as the tunneling mechanism for inter-service mesh communications, ambient mesh is designed to support broader applications by removing many of these application requirements in Istio. For example, you can deploy Kubernetes Jobs or applications that use server-send-first protocols or call pod IPs directly from your applications as your applications are included in ambient mesh. The broader support of applications will reduce your effort and surprises when onboarding your application to the mesh.

Better Incremental Adoption

One of the key innovations with ambient mesh is the two-layer approach that separates the secure overlay layer from the Layer 7 processing layer. The two-layer approach effectively enables you to adopt the mesh incrementally starting with the secure overlay layer and enjoying the benefits brought by the layer such as mTLS with cryptographic identity, simple Layer 4 authorization policy, and telemetry. If you do need L7 traffic management, resiliency, or rich authorization policies, you could enable the L7 processing through waypoint proxies only for the applications that need them.

One challenge I highlighted in my earlier blog is that, “Service owners need to understand nuances of client and server-side configurations”. The ambient layer 7 processing layer effectively moves all source-side processing to the destination side so you only need a waypoint proxy on the destination side. This architecture not only helps reduce an extra L7 processing hop and an xDS client that the Istiod control plane needs to push data to, but also simplifies some of the learning hurdles service mesh users have regarding if a given policy is implemented in the source or destination sidecar and where to debug upon failure. For example, in a traditional sidecar approach, route configurations (either VirtualService or HTTPRoute resources) are implemented on the source sidecar while authorization policy is implemented on the destination sidecar. In ambient mesh, both are implemented on the destination waypoint proxy.

Read More  Cloudian Announces Object Storage Certification With VMware Tanzu Kubernetes Grid

Reduced Infrastructure Cost

The Istio project has gone a long way to reduce infrastructure cost with service or resource visibility and Sidecar configuration, and we designed ambient to further reduce infrastructure cost. The ztunnel is designed to be multi-tenancy that handles zero-trust as the secure overlay layer for all co-located pods in the ambient mesh. The waypoint proxy is designed to handle L7 processing only for a single tenant (which could be either per service account or namespace) on the destination side to avoid outages, noisy neighbors, budgeting and cost attribution issues caused by multi-tenancy L7 processing. Waypoint proxies reduce infrastructure cost by scaling independently outside of the application pod. You can share the waypoint proxy of a single service account across multiple services.

The multi-tenancy nature of ztunnel and single tenancy nature of waypoint proxy enable us to further reduce infrastructure costs beyond what the service visibility and sidecar resource configuration can provide. Not only do we reduce the provisioned CPU and RAM of these data plane resources, but also the data transfer over the network from the Istio control plane to a much fewer number of connected xDS clients. Refer to the What Istio Ambient Mesh Means to Your Wallet blog for more details.

Sidecars continue to be supported and can interoperate with sidecar-less

We expect sidecars will continue to be around, which is why we designed ambient mesh to support both sidecar and sidecar-less data plane architectures so that both types of services interoperate. You might continue to use sidecars simply because you feel comfortable with that approach, you need more granular enforcement than a service account, or you are waiting for ambient mesh to be production ready.

Read More  Three Things To Know Before Debugging Your Spring Application

Istio sidecars in ambient mesh already support HBONE. The same HBONE support will land in Istio sidecars in all Istio installation profiles very soon, which paves the path for all existing Istio sidecars to be upgraded to interoperate with sidecar-less services because the sidecars, ztunnels, or waypoint proxies can send and receive HBONE traffic. This is important if you are using sidecar today and may choose to migrate some or all of your workloads to sidecar-less in the future, or you are planning to run some of your applications in the mesh with sidecars and some without sidecars.

What is next?

Istio ambient mesh brings the transparent service mesh to you with simplified operation and broader application support, without compromising security compared with sidecars. A build of Istio which supports ambient mesh is available to download and try in the Istio Experimental repo. Or you can try the free get started with ambient mesh workshop with a lab environment provided for you. As the community works towards making ambient mesh production ready as the default in Istio, we invite you to be part of the journey, with your feedback or contribution to help shape the ambient mesh, in the ambient channel on the Istio Slack or GitHub.

About Lin

Lin is the Director of Open Source at Solo.io and a CNCF ambassador. She is a founding member of the Istio Technical Oversight Committee and Steering Committee. Previously, she was a Senior Technical Staff Member and Master Inventor at IBM for 15+ years. She is the author of the book Istio Explained and has more than 200 patents to her name.

 

 

Community guest post from Lin Sun, Director of Open Source at Solo.io and a CNCF ambassador
Source CNCF


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Ambient Mesh
  • CNCF
  • Istio
  • Open Source
You May Also Like
View Post
  • Cloud-Native
  • Multi-Cloud

Oracle Expands Multicloud Capabilities with AWS, Google Cloud, and Microsoft Azure

  • September 11, 2024
Cloud computing concept image double exposure Digitally Enhanced Smart City Concept with Cloud Computing
View Post
  • Cloud-Native
  • Computing
  • Hybrid Cloud
  • Multi-Cloud
  • Public Cloud

Make Your Business Resilient By Integrating These Best Practices Into Your Cloud Architecture

  • July 29, 2024
Image by:Opensource.com
View Post
  • Architecture
  • Computing
  • Engineering

5 reasons virtual machines still matter

  • June 28, 2024
Huawei Cloud Cairo Region Goes Live
View Post
  • Cloud-Native
  • Computing
  • Platforms

Huawei Cloud Goes Live in Egypt

  • May 24, 2024
View Post
  • Cloud-Native
  • Computing
  • Engineering

10 Cloud Development Gotchas To Watch Out For

  • March 29, 2024
Storage Ceph
View Post
  • Cloud-Native
  • Data

The Growth Of IBM Storage Ceph – The Ideal Foundation For A Modern Data Lakehouse

  • January 30, 2024
Clouds
View Post
  • Cloud-Native
  • Platforms
  • Software Engineering

Microsoft Releases Azure Migrate Assessment Tool For .NET Application

  • January 14, 2024
View Post
  • Cloud-Native
  • Engineering
  • Platforms

Top Highlights From AWS Worldwide Public Sector Partners At Re:Invent 2023

  • December 27, 2023

Stay Connected!
LATEST
  • 1
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 2
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 5
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 7
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 8
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 9
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 10
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.