Alibaba Service Mesh (ASM) supports two data plane modes: Sidecar mode and Ambient mode. This topic describes how to select the appropriate data plane mode for your needs.
Sidecar mode
In Sidecar mode, each pod in the cluster is injected with an Envoy proxy that processes all traffic entering and exiting the pod.
ASM has been built on the Sidecar mode since its initial release. Over multiple versions, the Sidecar mode has been refined and has incorporated extensive user feedback, resulting in a highly mature and stable solution.
Traffic route
In Sidecar mode, a typical traffic route is shown in the following figure:
Ambient mode
Ambient mode was introduced by the Istio community in 2022 to address the inherent limitations of Sidecar mode. Application pods no longer carry Envoy proxies. Instead, Layer 4 and Layer 7 capabilities are provided by a node-level Ztunnel and independently deployed Waypoint proxies. Starting from ASM 1.25, ASM's Ambient mode is production-ready for single-cluster scenarios.
Function introduction
The Layer 4 proxy, Ztunnel, is written in Rust and handles Layer 3 and Layer 4 traffic: mTLS, identity verification, Layer 4 authorization, and Layer 4 observability. It is deployed as a DaemonSet, so all pods on a node share one Ztunnel, which processes all traffic entering and leaving those pods.
The Layer 7 proxy, Waypoint, is based on Envoy and deployed as a Deployment, independent of the business applications; installing or upgrading it requires no changes to business pods. You can enable a Waypoint proxy for specific services or pods, and multiple services or pods can share the same Waypoint. Once a Waypoint is enabled, all requests to the service or pod are first forwarded to that Waypoint, where the Layer 7 functions you configure are executed.
Not requiring Sidecar injection is a key feature of Ambient mode and lowers the barrier to adopting and maintaining the mesh. Adding an Ambient-enabling label to a namespace immediately provides mTLS and Layer 4 observability for its pods. If you need more advanced Layer 7 capabilities, you can selectively deploy a Waypoint for specific applications or for the whole namespace.
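The three steps just described (label the namespace, deploy a Waypoint, opt a service into it), shown as an added example rather than configuration from the ASM documentation. It uses the upstream Istio labels and Gateway API resources that ASM's Istio-based data plane builds on; the namespace `demo`, the Gateway name `waypoint`, and the Service `productpage` are placeholders, and the port numbers are constructed for illustration.

```yaml
# Constructed example: enabling Ambient mode on a namespace and adding a
# Waypoint for one service. Uses upstream Istio labels and Gateway API
# resources; "demo", "waypoint" and "productpage" are placeholder names.

# 1. Namespace label: every pod in "demo" is captured by the node-level
#    Ztunnel, giving mTLS and Layer 4 observability without restarting pods.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    istio.io/dataplane-mode: ambient
---
# 2. Waypoint: a Gateway of class "istio-waypoint", rolled out by the control
#    plane as its own Deployment. "istio.io/waypoint-for: service" means it
#    proxies traffic addressed to Services rather than to individual workloads.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: demo
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 3. Opt one Service into the Waypoint. Only traffic to this Service takes the
#    Layer 7 path; other Services in the namespace stay on the cheaper Layer 4
#    path. Putting the same label on the Namespace instead would route every
#    Service in it through the Waypoint.
apiVersion: v1
kind: Service
metadata:
  name: productpage
  namespace: demo
  labels:
    istio.io/use-waypoint: waypoint
spec:
  selector:
    app: productpage
  ports:
  - name: http
    port: 9080
    targetPort: 9080
```

Applying the first document alone already gives the namespace mTLS and Layer 4 telemetry; the Gateway and the `istio.io/use-waypoint` label are only needed for the services that actually require Layer 7 processing, which keeps the Waypoint's resource cost proportional to the services that use it.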
Traffic route
The traffic path in Ambient mode is shown below:
Feature comparison
| Feature | Sidecar mode | Ambient mode |
| --- | --- | --- |
| Traffic management | Complete Istio feature set. | Complete Istio feature set (requires Waypoint to be enabled). |
| Security | Complete Istio feature set. | Complete Istio feature set: mTLS and Layer 4 security are supported by default. Layer 7 authorization requires Waypoint to be enabled. |
| Observability | Complete Istio feature set. | Complete Istio feature set: Layer 4 observability is supported by default. Layer 7 observability requires Waypoint to be enabled. |
| Startup method | Add the auto-injection label to the namespace and restart all pods to add the Sidecar. | Add a label to the namespace. No need to restart pods. |
| Upgrade method | Supports in-place upgrade and canary upgrade. Requires restarting all business pods to inject the new version of the Sidecar. | Supports in-place upgrade. Data plane components are upgraded along with the control plane. No need to restart business pods. |
| Lifecycle management | Proxy is managed by application developers. | Platform administrators manage proxies. Application developers do not need to be aware of the proxy's existence. |
| Resource utilization | Each pod has a Layer 7 proxy, making it difficult to achieve high resource utilization. | Waypoint proxy can independently adjust resources and scale. Even an entire namespace or cluster can use the same Waypoint. This enables higher resource utilization. |
| Average resource cost | Large | Small |
| Average latency (based on Istio community data) | 0.63ms~0.88ms | Without Waypoint: 0.16ms~0.20ms; with Waypoint: 0.40ms~0.50ms |
| Layer 7 parsing frequency | Twice (client Sidecar and server Sidecar) | Without Waypoint: 0 times; with Waypoint: 1 time |
| Large-scale scenario support | Requires fine-tuning of the configuration scope for each Sidecar to reduce configuration volume. | No customization required. Only necessary configurations are delivered by default. |
| "Server First" protocol support | Requires explicit configuration. | Supported by default. |
| Kubernetes Job support | Due to binding with the pod lifecycle, the situation is more complex. | Transparent support. |
| Security model | Strongest: each workload has its own key. | Strong: each Ztunnel only holds the workload keys for its own node. |
| Can a compromised pod access mesh keys? | Yes. | No. |
Ambient mode adopts an architecture that separates Layer 4 and Layer 7, and supports selectively enabling Layer 7 capabilities. This design lets you avoid the processing cost of Layer 7 when Layer 7 functionality is not needed.
Currently, mixing Sidecar and Ambient modes is not production-ready. If both modes are used in the same mesh, pods in one mode cannot call pods in the other.
Ambient mode does not currently support managing multiple clusters simultaneously.
About Ambient mode Layer 4 and Layer 7 capability
Layer 7 traffic processing has much higher overhead than Layer 4. If a service's requirements can be met with Layer 4 functionality alone, that service's traffic can bypass Waypoint entirely, which significantly reduces mesh resource usage and improves performance. The following table summarizes the common Layer 4 and Layer 7 capabilities of Ambient mode.
| Dimension | Layer 4 capabilities | Layer 7 capabilities |
| --- | --- | --- |
| Security | mTLS, identity verification, and Layer 4 authorization (enforced by Ztunnel). | Layer 7 authorization (requires Waypoint). |
| Observability | Layer 4 observability (provided by Ztunnel). | Layer 7 observability (requires Waypoint). |
| Routing | TCP connection-level load balancing, circuit breaking, rate limiting, timeout, and retry. | Layer 7 traffic management from the complete Istio feature set (requires Waypoint). |
| Extensibility | N/A | WasmPlugin |
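The Layer 4 versus Layer 7 split from the table, expressed as two authorization policies with the same intent ("only the `curl` service account may reach `productpage`"). This is an added example, not configuration from the ASM documentation; it uses the upstream Istio `AuthorizationPolicy` resource, and the namespace `demo`, the workload label `app: productpage`, the service account `curl`, the port `9080` and the Waypoint name `waypoint` are placeholders.

```yaml
# Constructed example: the same access-control intent as a Layer 4 policy
# (enforced by Ztunnel, no Waypoint needed) and as a Layer 7 policy (requires
# a Waypoint). All names and the port are placeholders.

# Layer 4: the mTLS peer identity and the destination port are all Ztunnel
# needs, so the policy is attached to the workload with a selector and the
# traffic never pays for Layer 7 parsing.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-l4
  namespace: demo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/curl"]
    to:
    - operation:
        ports: ["9080"]
---
# Layer 7: HTTP method and path are only visible after Layer 7 parsing, so the
# policy is bound to the Waypoint through targetRefs rather than to the
# workload, and only takes effect for Services that use that Waypoint.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-l7
  namespace: demo
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/curl"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage"]
```

The check a practitioner wants before relying on the second policy is that a Waypoint actually exists and the target Service carries the `istio.io/use-waypoint` label: in upstream Istio, Ztunnel cannot evaluate Layer 7 fields such as `methods` or `paths`, so a policy containing them that ends up enforced by Ztunnel alone fails closed and denies the matching traffic instead of silently allowing it. If the identity-and-port rule is sufficient, the first policy alone keeps the service on the Layer 4 path described in the section above.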