Waypoint is an optional Layer 7 proxy in Ambient mode. If your application requires Layer 7 features, you can configure labels to specify that traffic sent to the application is first forwarded to the corresponding Waypoint. You can deploy multiple Waypoints in a cluster and flexibly select the appropriate Waypoint for your service. You can even use Waypoints across namespaces. This topic describes how to specify the effective range of a Waypoint.
Before proceeding, see Description of Layer 4 and Layer 7 capabilities in Ambient mode to determine whether you need Layer 7 capabilities.
Prerequisites
The Gateway API component of version 1.2.1 or later is installed in the cluster.
Deploy a Waypoint proxy
Create waypoint.yaml.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: mesh
    port: 15008
    protocol: HBONE
Deploy the Waypoint.
kubectl apply -f waypoint.yaml
Configure traffic to pass through Waypoint
After you deploy a Waypoint, no traffic passes through it by default. You need to explicitly configure which traffic should use this Waypoint.
ASM currently supports configuration at the namespace and Service levels.
Configure all Services in a namespace to use a specified Waypoint
To have all Service traffic in a namespace proxied by a specific Waypoint, add the label istio.io/use-waypoint: ${Waypoint Name} to the namespace. For example, in Configure Layer 7 authorization policies, all Services in the default namespace are configured to use the Waypoint named waypoint.
Configure a specified Service to use a specified Waypoint
ASM also supports enabling a Waypoint for a specific Service. If you do not need all Service traffic in a namespace to pass through a Waypoint, add the label istio.io/use-waypoint: ${Waypoint Name} to the Service only. The following example configures the reviews service to use reviews-svc-waypoint:
kubectl label service reviews istio.io/use-waypoint=reviews-svc-waypoint
Verify whether traffic passes through Waypoint by checking logs
By default, a Waypoint outputs access logs for the traffic that passes through it. You can check the logs on the Waypoint to confirm that traffic is being proxied.
The following command checks the access logs of the Waypoint from the Getting started example.
kubectl logs deployments/waypoint | tail -1
Expected results:
{"bytes_received":"0","bytes_sent":"358","downstream_local_address":"192.168.221.86:9080","downstream_remote_address":"10.0.108.250:39354","duration":"1","istio_policy_status":"-","method":"GET","path":"/reviews/0","protocol":"HTTP/1.1","request_id":"c83f18ee-672e-4e2e-9f02-9ee544f1c15f","requested_server_name":"-","response_code":"200","response_flags":"-","route_name":"route","start_time":"2025-06-16T08:58:43.339Z","trace_id":"-","upstream_cluster":"inbound-vip|9080|http|reviews-v1.default.svc.cluster.local;","upstream_host":"envoy://connect_originate/10.0.109.98:9080","upstream_local_address":"envoy://internal_client_address/","upstream_service_time":"1","upstream_response_time":"1","upstream_transport_failure_reason":"-","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.X.X Safari/537.36","x_forwarded_for":"-","authority_for":"reviews:9080"}