What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh

Authors: Jim Barton, Marino Wijay


One of the most common drivers for service mesh adoption is security compliance. Large enterprises in heavily regulated industries or the public sector must adopt practices like a zero-trust security posture both inside and at the edge of their application networks. Service mesh platforms like CNCF's Istio project are growing in popularity as a vehicle for meeting these challenges. In September 2022, Google and Solo.io announced the release of Istio Ambient Mesh to the community. Ambient offers a revolutionary data-plane architecture that allows service mesh users to ditch sidecars. It delivers an enhanced security posture while slashing operational complexity and enabling incremental mesh adoption, all while reducing the cost and computational overhead of a service mesh. This talk will review the new sidecar-less architectural option available with Ambient. We'll discuss the two new complementary layers: a zero-trust tunnel (ztunnel) that secures Layer 4 connectivity, and a waypoint proxy that delivers Layer 7 security policies and behaviors. A demonstration will illustrate how these new components work together in practice.