By Yuanyuan Ma
Alibaba Cloud Service Mesh (ASM) is a fully managed service mesh platform provided by Alibaba Cloud. ASM supports Ambient mode in the latest 1.25 version.
The Sidecar is the most widely known deployment model in service meshes. In this mode, ASM intercepts and processes traffic through a Sidecar container that is injected into each Pod when the Pod starts. The model has matured over the years, offers a rich feature set, and carries the production services of numerous enterprises.
The Sidecar's lifecycle is tightly bound to the application containers. While this architecture gives each Pod stronger isolation, it also results in higher resource consumption and a heavier maintenance burden. The service mesh community therefore introduced Ambient mode in 2022, and after continuous iteration ASM officially supports Ambient mode in the latest 1.25 version.
Ambient is a new Sidecarless data plane architecture, whose core idea is to decouple the processing at Layer 4 (L4) and Layer 7 (L7). With Ambient mode enabled, you will no longer see the Sidecar container in the application Pod.
You only need to enable Ambient mode for the namespace, and the application will immediately switch to mTLS communication and be able to use some L4 features. The entire process requires no application redeployment at all.
If you confirm that certain applications need L7 capabilities, such as authentication and routing based on HTTP request headers or L7 observability, you can selectively enable the Waypoint proxy for specified services. Waypoint is a separate Deployment that is completely decoupled from the applications: you can scale and upgrade it independently, without restarting the applications. Waypoint is implemented on Envoy proxies and provides the full L7 feature set. It supports a wide range of routing, security, and observability capabilities and can be extended with WASM plug-ins.
In Ambient mode, ASM and applications are completely decoupled. You no longer need to consider Pod restarts when upgrading or enabling ASM.
You only need to enable Ambient mode for the namespace. There's no need to restart the application or inject Sidecar, and you can immediately enable encrypted communication and use some L4 features. How is such an amazing effect achieved?
Ztunnel and CNI components are the key to making this process possible.
• The Ztunnel component functions as the actual L4 proxy and is developed in Rust.
• The CNI component is responsible for redirecting traffic to Ztunnel.
After you enable Ambient mode at the namespace level, the Ztunnel component, which runs once per node, starts a virtual proxy for each workload Pod on that node inside its own process. This virtual proxy operates in the network namespace of the workload Pod, so no Sidecar has to be deployed and no workload Pod has to be restarted. Together, the Ztunnel and CNI components transparently encrypt traffic and handle Layer 4 processing.
With the Ztunnel component in place, Waypoint becomes much easier to understand. The ASM control plane can detect which service you have enabled the Waypoint proxy for, and the Ztunnel component will automatically forward traffic to the corresponding Waypoint proxy.
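The following audit helper is an added example, not code from the original post or from ASM. It turns the two steps described above (an Ambient label on the namespace, a Waypoint bound to selected services) into a per-Pod data-plane classification and flags drift a platform administrator would want to see, such as a Pod that still carries a Sidecar inside an Ambient namespace or a service pointing at a Waypoint that does not exist. The label and class names (`istio.io/dataplane-mode`, `istio.io/use-waypoint`, `istio-waypoint`, container `istio-proxy`) are upstream Istio conventions and are assumed here to apply to ASM; the inventory is constructed, not real cluster output.

```python
AMBIENT_LABEL = "istio.io/dataplane-mode"   # namespace label, value "ambient" (upstream Istio)
WAYPOINT_LABEL = "istio.io/use-waypoint"    # service label naming its Waypoint Gateway
WAYPOINT_CLASS = "istio-waypoint"           # gatewayClassName of a Waypoint Gateway
SIDECAR = "istio-proxy"                     # container injected in Sidecar mode

def classify(namespaces, pods, services, gateways):
    """Return ({'ns/pod': mode}, [findings]) for Kubernetes-style dicts."""
    ambient_ns = {n["name"] for n in namespaces
                  if n.get("labels", {}).get(AMBIENT_LABEL) == "ambient"}
    waypoints = {(g["namespace"], g["name"]) for g in gateways
                 if g.get("gatewayClassName") == WAYPOINT_CLASS}
    findings, svc_waypoint = [], {}   # (ns, selector items) -> Waypoint name
    for s in services:
        wp = s.get("labels", {}).get(WAYPOINT_LABEL)
        if wp and (s["namespace"], wp) in waypoints:
            svc_waypoint[(s["namespace"], frozenset(s["selector"].items()))] = wp
        elif wp:  # operator expects L7 policy here, but no Waypoint is in the path
            findings.append(f"{s['namespace']}/{s['name']} references missing waypoint {wp}")
    modes = {}
    for p in pods:
        key, ns, labels = f"{p['namespace']}/{p['name']}", p["namespace"], p.get("labels", {})
        has_sidecar = SIDECAR in p.get("containers", [])
        if has_sidecar and ns in ambient_ns:  # Pod predates the switch or was hand-injected
            findings.append(f"{key} still carries a sidecar inside Ambient namespace {ns}")
        if has_sidecar:
            modes[key] = "sidecar"          # two L7 hops, per-Pod key material
        elif ns in ambient_ns:
            bound = [wp for (sns, sel), wp in svc_waypoint.items()
                     if sns == ns and sel.issubset(labels.items())]
            modes[key] = f"ambient+waypoint:{bound[0]}" if bound else "ambient-l4"
        else:
            modes[key] = "unmeshed"         # no mesh identity, no mTLS from the mesh
    return modes, findings

# Constructed sample inventory: Ambient namespace "shop" (one stale Pod still has a
# sidecar, one service points at a non-existent Waypoint) and a Sidecar-mode "legacy".
SAMPLE = dict(
    namespaces=[{"name": "shop", "labels": {AMBIENT_LABEL: "ambient"}},
                {"name": "legacy", "labels": {}}],
    pods=[{"name": "productpage-1", "namespace": "shop", "labels": {"app": "productpage"}, "containers": ["productpage"]},
          {"name": "reviews-1", "namespace": "shop", "labels": {"app": "reviews"}, "containers": ["reviews"]},
          {"name": "stale-1", "namespace": "shop", "labels": {"app": "stale"}, "containers": ["stale", SIDECAR]},
          {"name": "billing-1", "namespace": "legacy", "labels": {"app": "billing"}, "containers": ["billing", SIDECAR]}],
    services=[{"name": "productpage", "namespace": "shop", "selector": {"app": "productpage"}, "labels": {WAYPOINT_LABEL: "shop-waypoint"}},
              {"name": "reviews", "namespace": "shop", "selector": {"app": "reviews"}, "labels": {WAYPOINT_LABEL: "ghost"}}],
    gateways=[{"name": "shop-waypoint", "namespace": "shop", "gatewayClassName": WAYPOINT_CLASS}],
)

def run_sample():
    return classify(**SAMPLE)
```

Calling `run_sample()` classifies `productpage-1` as Ambient with L7 via `shop-waypoint`, `reviews-1` as L4-only (its Waypoint is missing and is reported), and both Sidecar Pods as `sidecar`, with the stale one reported as drift.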
If your business needs can be met without advanced L7 features, traffic will only go through Ztunnel's L4 processing twice. Compared to the two L7 processings by Envoy in Sidecar, this setup results in a significant performance improvement, with average latency reduced by approximately 75% (data sourced from Service Mesh community documentation).
If your business requires L7 features, the traffic path will then include an additional L7 processing step through Waypoint proxy. Compared to the two L7 processing steps in Sidecar mode, this approach still delivers a notable performance improvement, with average latency reduced by approximately 30%.
Ambient mode enables the reuse of L4 proxies at the node level and L7 proxies at the namespace level. Compared with Sidecar mode, its resource consumption is significantly reduced. You can leverage all the capabilities of the service mesh at a lower cost.
| | Sidecar | Ambient |
|---|---|---|
| Traffic management | Complete Istio feature set | Complete Istio feature set (Waypoint required) |
| Security | Complete Istio feature set | Complete Istio feature set: Ambient mode provides encryption and L4 authentication; L7 authentication requires Waypoint |
| Observability | Complete Istio feature set | Complete Istio feature set: Ambient mode provides L4 telemetry; L7 observability requires Waypoint |
| Extensibility | Complete Istio feature set | Through WebAssembly (Waypoint required) |
| Circuit breaking and rate limiting | Supported | Supported (Waypoint required) |
| Add workloads to the mesh | Add a label to the namespace and restart all Pods to inject the Sidecar | Add a label to the namespace; no Pod restart needed |
| Incremental deployment | Binary: whether the Sidecar has been injected | Progressive: L4 is always enabled, and L7 can be added through configuration |
| Lifecycle management | Proxies are managed by application developers | Proxies are managed by the platform administrator |
| Resource utilization | Wasteful: the worst-case scenario for each Pod must be considered, and the maximum CPU and memory must be configured | Waypoint proxies can autoscale like any other Kubernetes (K8s) Deployment; workloads with multiple replicas can share one Waypoint instead of each replica having its own Sidecar |
| Average resource cost | Large | Small |
| Average latency (p90/p99) | 0.63ms-0.88ms | Ambient (L4 only): 0.16ms-0.20ms; with Waypoint: 0.40ms-0.50ms |
| L7 processing steps | Two (source and target Sidecar) | One (target Waypoint) |
| Large-scale configuration | The amount of configuration must be reduced through the Sidecar CR | Only the required configuration is delivered, making it more suitable for large-scale scenarios |
| Support for "server-first" protocols | Requires explicit configuration | Yes |
| Support for K8s Jobs | Complicated due to the long lifespan of the Sidecar | Transparent support |
| Security model | Strongest: each workload has its own key | Strong: each node proxy holds only the keys of the workloads on that node |
| Intruded application Pod can access the mesh key | Yes | No |
| Multi-cluster support | Multiple multi-cluster modes supported | Not supported yet; under development |
In ASM 1.25, the core capabilities of Ambient mode have been stabilized and have been well adapted to the Alibaba Cloud Container Service environment. We look forward to your adoption and feedback.
You can refer to this document to experience Ambient mode in ACK clusters:
https://www.alibabacloud.com/help/en/asm/ambient/getting-started/