The next iteration of Istio, called the "Ambient Mesh," aims to revolutionize the service mesh landscape. I’ll try to break down the key points I’ve discovered in more detail:
Traditional Service Meshes and Challenges
Service meshes like Istio traditionally use the sidecar pattern, where a proxy (sidecar) is deployed alongside each application pod to intercept and manage traffic.
This approach has issues such as higher costs due to multiple proxies, slower startup times, and complex upgrades requiring application restarts.
Introduction to Istio Ambient Mesh
The Ambient Mesh is a new approach that uses one proxy per node, rather than per application.
This decouples the data plane from individual applications, simplifying upgrades and reducing resource overhead.
The architecture involves Waypoint proxies for Layer 7 (L7) features and standard proxies for Layer 4 (L4) functions.
Standard proxies → Layer 4 (L4) functions
Waypoint proxies → Layer 7 (L7) features
This refers to how traffic handling and processing are divided between different types of proxies based on the OSI networking model.
In summary, the Istio Ambient Mesh architecture intelligently divides the responsibilities of proxying and managing network traffic. It employs standard proxies for essential transport-level tasks (Layer 4 functions) like authentication and authorization, while using more advanced Waypoint proxies for application-specific features (Layer 7 features) like routing and retries. This division ensures efficient and effective traffic handling across different layers of the OSI networking model.
For More Details:
Layer 4 Functions
Layer 4 of the OSI model deals with transport-level protocols, primarily focusing on the transportation of data between source and destination. The "standard proxies for Layer 4 functions" mentioned above are the proxies responsible for handling traffic at this transport layer. They are primarily concerned with TCP (Transmission Control Protocol) traffic, which establishes reliable connections between two endpoints and ensures data integrity during transmission. In the context of the Ambient Mesh, these standard proxies are responsible for tasks like mutual TLS (mTLS) authentication and Layer 4 authorization, which means verifying the identity of the communicating parties and controlling access to resources based on transport-level attributes.
Layer 7 Features
Layer 7 of the OSI model is the application layer, which deals with the specifics of the applications and services being accessed over the network. The "Waypoint proxies for Layer 7 (L7) features" mentioned above are proxies that handle traffic at this higher application layer. They are designed to understand the content of the data being transmitted and can perform more advanced functions specific to the applications in use. In the context of the Ambient Mesh, these Waypoint proxies are responsible for tasks like request routing, automatic retries, and other advanced application-layer features. For example, if you have specific requirements for routing requests to different versions of an application or service, these L7-aware Waypoint proxies would manage that functionality.
Benefits of Ambient Mesh:
Upgrading the data plane becomes simpler: it is rolled out as a DaemonSet, without restarting application pods.
Faster pod startup times as there are no sidecar proxies.
L4 proxies (ztunnels) handle TCP traffic, focusing on mTLS authentication and authorization.
L7 traffic is handled by Waypoint proxies, allowing for features like request routing and automatic retries.
Waypoint proxies can scale independently, optimizing costs.
Addressing Concerns
Concerns about increased request latency with Waypoint proxies are countered by the Istio team, which emphasizes that networking improvements have reduced latencies significantly.
The extra hop for L7 processing is the main bottleneck, and Waypoint proxies can scale effectively to absorb it.
The extra processing that happens at the higher application level (Layer 7) of the network can slow things down, like a traffic jam. However, the Waypoint proxies are designed to handle this processing efficiently, so they can help prevent the slowdown and can handle more work without causing major traffic jams.
Security Considerations
Splitting TCP and HTTP processing offers security benefits. That is, handling the two kinds of traffic in separate components (TCP in the L4 proxy, HTTP in the Waypoint proxy) can make things more secure, like having different locks for different types of mail.
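The L4/L7 split described in the benefits list and in this section shows up directly in how policy is written. The following is an added example, not code from the Istio blog post referenced below; it assumes a recent Istio release (1.22 or later, where `targetRefs` exists), a namespace `demo` running in ambient mode with a waypoint named `waypoint`, a caller running as service account `frontend`, and a `payments` workload listening on port 8080.

```yaml
# Added example (assumptions: namespace "demo" in ambient mode, waypoint
# "waypoint" attached to the namespace, service account "frontend",
# workload "payments" on port 8080). Istio AuthorizationPolicy API.

# 1. L4 policy: enforced by the per-node ztunnel. It only uses transport-level
#    attributes (the peer's mTLS identity and the destination port), so no
#    waypoint is needed and no HTTP parsing happens in the shared node proxy.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-l4
  namespace: demo
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
---
# 2. L7 policy: uses HTTP method and path, which ztunnel cannot see. It is
#    bound to the waypoint (a Kubernetes Gateway), so the waypoint proxy is the
#    component that enforces it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payments-l7
  namespace: demo
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/charges*"]
```

A useful check after applying these is to confirm that a caller with a different service account is rejected at L4 before any HTTP is parsed, and that the `frontend` identity is still denied for paths outside `/api/v1/charges*` by the waypoint.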
Trying Out Ambient Mesh
under construction
Conclusion
In summary, the Istio Ambient Mesh introduces a novel approach to service meshes by decoupling the data plane from individual applications, simplifying upgrades and enhancing performance.
References:
Istio: https://istio.io/v1.15/blog/2022/introducing-ambient-mesh/