Alibaba Cloud Service Mesh (ASM) supports two data plane modes: Sidecar mode and Ambient mode. Both deliver the full Istio feature set for traffic management, security, and observability, but they differ in architecture, resource overhead, and operational model.
Sidecar mode
In Sidecar mode, an Envoy proxy sidecar is injected into every pod and intercepts all inbound and outbound traffic.
ASM has supported Sidecar mode since its first release. After multiple iterations and extensive production use, it is the most mature and stable option.
Traffic path
The following figure shows a typical traffic path in Sidecar mode.
Ambient mode
The Istio community introduced Ambient mode in 2022 to address the inherent limitations of Sidecar mode. Instead of injecting a proxy into every pod, Ambient mode separates Layer 4 (L4) and Layer 7 (L7) processing into two independent components:
- ztunnel: a Rust-based L3/L4 proxy deployed as a DaemonSet. Pods on the same node share a single ztunnel instance. It handles mTLS encryption, identity verification, L4 authorization, and L4 observability for all traffic entering and leaving those pods.
- Waypoint proxy: an Envoy-based L7 proxy deployed as a Deployment, completely independent of application pods. Installing or upgrading a Waypoint proxy requires no changes to application pods.
Starting from ASM 1.25, Ambient mode is production-ready for single-cluster scenarios.
Get started with Ambient mode
- Add an ambient-enabling label to a namespace to immediately get mTLS and L4 observability, with no sidecar injection and no pod restarts.
- For L7 capabilities such as HTTP-based routing, L7 authorization, or distributed tracing, deploy a Waypoint proxy for specific services, pods, or the entire namespace. Multiple services or pods can share the same Waypoint proxy, and all requests to those services are routed through the Waypoint before reaching the application.
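The two onboarding steps above, written out as Kubernetes manifests. This is an added example, not code from the ASM documentation; it uses the upstream Istio ambient API (the `istio.io/dataplane-mode`, `istio.io/use-waypoint` and `istio.io/waypoint-for` labels and the `istio-waypoint` Gateway class) and assumes ASM 1.25 accepts the same resources. The namespace `shop`, the waypoint name `shop-waypoint`, the service `checkout` and the ServiceAccount names are placeholders.

```yaml
# Added example (not from the ASM docs): onboarding one namespace to Ambient mode
# with the upstream Istio ambient API, assumed to be what ASM 1.25 accepts.
# All names are placeholders.

# Step 1: enrolling the namespace. Every pod in it is now served by the
# node-local ztunnel: mTLS, identity and L4 telemetry with no restart.
# (The Sidecar-mode equivalent would be the istio-injection: enabled label,
# which only takes effect after each pod is recreated.)
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio.io/dataplane-mode: ambient
---
# Step 2, only for services that need L7 features: a Waypoint proxy is a
# Gateway of class istio-waypoint. It runs as its own Deployment, so the
# application pods are untouched when it is installed or upgraded.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shop-waypoint
  namespace: shop
  labels:
    # "service" (the default) fronts Services that opt in. Use "workload" or
    # "all" if individual pods are to be bound to the waypoint directly.
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# Binding a single Service: ztunnel forwards every request for checkout to
# shop-waypoint before it reaches the application pods. Naming the port
# "http" tells the mesh to parse the traffic as HTTP at the waypoint.
apiVersion: v1
kind: Service
metadata:
  name: checkout
  namespace: shop
  labels:
    istio.io/use-waypoint: shop-waypoint
spec:
  selector:
    app: checkout
  ports:
  - name: http
    port: 8080
    targetPort: 8080
```

To route every service in the namespace through the waypoint instead, put the same `istio.io/use-waypoint: shop-waypoint` label on the Namespace; a label on an individual Service still takes precedence, so a service that only needs L4 can keep its traffic off the waypoint with `istio.io/use-waypoint: none`. Services without any waypoint binding continue to receive mTLS and L4 policy from ztunnel alone.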
Traffic path
The following figure shows the traffic path in Ambient mode.
Feature comparison
| Feature | Sidecar mode | Ambient mode |
| --- | --- | --- |
| Traffic management | Complete Istio feature set | Complete Istio feature set (requires Waypoint) |
| Security | Complete Istio feature set | Complete Istio feature set: mTLS and L4 security by default; L7 authorization requires Waypoint |
| Observability | Complete Istio feature set | Complete Istio feature set: L4 observability by default; L7 observability requires Waypoint |
| Onboarding | Add an auto-injection label to the namespace and restart all pods | Add a label to the namespace; no pod restart needed |
| Upgrades | In-place and canary upgrades; all pods must be restarted to inject the new sidecar version | In-place upgrade; data plane components are upgraded with the control plane; no pod restart needed |
| Lifecycle management | Application developers manage the proxy | Platform administrators manage the proxy; transparent to application developers |
| Resource utilization | Each pod runs its own L7 proxy, so high utilization is hard to achieve | Waypoint proxies scale independently; an entire namespace or cluster can share a single Waypoint |
| Average resource cost | High | Low |
| Average latency (Istio community data) | 0.63 ms to 0.88 ms | Without Waypoint: 0.16 ms to 0.20 ms; with Waypoint: 0.40 ms to 0.50 ms |
| L7 parsing | Twice (client sidecar + server sidecar) | Without Waypoint: 0; with Waypoint: 1 |
| Large-scale support | Requires fine-tuning the configuration scope of each sidecar to reduce config volume | No tuning required; only the necessary configuration is delivered by default |
| Server-first protocol support | Requires explicit configuration | Supported by default |
| Kubernetes Job support | Complex, because the sidecar is bound to the pod lifecycle | Transparent support |
| Security model | Strongest: each workload holds its own key | Strong: each ztunnel holds keys only for the workloads on its node |
| Can a compromised pod access mesh keys? | Yes | No |
- The L4/L7 separation in Ambient mode lets you skip L7 processing overhead entirely when L7 capabilities are not needed.
- Mixing Sidecar mode and Ambient mode in the same mesh is not production-ready. Pods in different modes cannot communicate with each other.
- Ambient mode does not currently support multi-cluster management.
Ambient mode L4 and L7 capabilities
L7 traffic processing has significantly higher overhead than L4. If a service only needs L4 capabilities, skip the Waypoint proxy for that service to reduce resource consumption and improve performance.
| Dimension | L4 capabilities (ztunnel) | L7 capabilities (Waypoint) |
| --- | --- | --- |
| Security | mTLS encryption, ServiceAccount-based authorization, IP-based authorization | HTTP metadata-based authorization (method, path), JWT authentication, JWT-based authorization, OPA-based authorization |
| Observability | Source/destination IP and port, bytes sent/received | Tracing Analysis, full HTTP request recording (method, path, host, status code) |
| Routing | TCP connection-level load balancing, circuit breaking, rate limiting, timeout, retry | HTTP request-level load balancing, circuit breaking, rate limiting, timeout, retry, fault injection, traffic mirroring |
| Extensibility | N/A | WasmPlugin |
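The Security row above in practice: one AuthorizationPolicy that stays within ztunnel's L4 vocabulary (caller identity, source IP, port) and one that needs the Waypoint because it matches HTTP method and path. This is an added example, not from the ASM documentation; it uses the upstream Istio `security.istio.io/v1` API, assumed to match ASM 1.25, and the namespace `shop`, the workload label `app: checkout`, the waypoint `shop-waypoint` and the ServiceAccount `frontend` are placeholders.

```yaml
# Added example (not from the ASM docs): L4 vs L7 authorization in Ambient mode,
# upstream Istio API assumed to match ASM 1.25. Names are placeholders.

# L4 policy, enforced by ztunnel. Everything it matches on is available at
# connection level: the caller's SPIFFE identity (its ServiceAccount), and the
# destination port. No waypoint is required, so it protects services that
# were onboarded with only the namespace label.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: checkout-l4
  namespace: shop
spec:
  # A selector binds the policy to the workload's pods; ztunnel evaluates it.
  selector:
    matchLabels:
      app: checkout
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
---
# L7 policy, enforced by the Waypoint. Method and path can only be read by an
# L7 proxy, so the policy is attached to the waypoint with targetRefs instead
# of to pods with a selector. It only takes effect for services bound to
# shop-waypoint via the istio.io/use-waypoint label.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: checkout-l7
  namespace: shop
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: shop-waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/checkout/*"]
```

The split mirrors the table: the first policy covers the "ServiceAccount-based authorization" column and costs no L7 parsing, while the second needs the Waypoint's HTTP parsing and therefore the extra hop and latency the feature comparison lists. A quick check when an L7 rule seems to have no effect is whether the target service actually carries a use-waypoint binding.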