Ambient Mesh website screenshot

Ambient Mesh

Ambient Mesh is a sidecar-less service mesh architecture built on Istio that simplifies microservices communication, enhances zero-trust security, and improves observability without requiring sidecar proxy injection. It uses a shared per-node proxy (ztunnel) for zero-trust security and optional waypoint proxies for advanced Layer 7 policies, enabling seamless migration from sidecar-based meshes with zero downtime.

1 APIs 7 Features
Service MeshIstioKubernetesZero TrustObservabilityTraffic ManagementMicroservices

APIs

Ambient Mesh

Ambient Mesh provides a sidecar-less service mesh via the Kubernetes Gateway API and Istio ambient mode. It exposes configuration APIs for traffic management, security policies,...

Pricing Plans

Rate Limits

Ambient Mesh Rate Limits

5 limits

RATE LIMITS

FinOps

Features

Sidecar-Less Architecture

Operates at the platform layer without sidecar proxy injection, reducing resource overhead and operational complexity while maintaining full service mesh capabilities.

Zero-Trust Security

SPIFFE-based workload identity with automatic mutual TLS encryption between workloads, certificate management, and zero-trust network policies enforced by ztunnel.

Traffic Management

Advanced traffic routing, load balancing, traffic splitting, mirroring, blue-green deployments, and gateway management via Kubernetes Gateway API HTTPRoute resources.

Resilience

Zone-aware load balancing, circuit breaking, outlier detection, fault injection, timeouts, and retry budgets for high-availability workloads.

Observability

Distributed tracing, performance metrics via Prometheus, Kiali observability console, and HTTP observability for traffic visualization and security verification.

Zero-Downtime Migration

Free migration tooling for upgrading from sidecar-based architectures with automated workload analysis and risk mitigation for waypoint proxy requirements.

Waypoint Proxies

Optional per-namespace or per-workload Layer 7 proxies that provide advanced policy enforcement without requiring per-pod sidecar containers.

Use Cases

Microservices Security

Enforce mutual TLS and zero-trust policies across microservices without modifying application code or injecting sidecar proxies.

Traffic Management

Implement advanced traffic routing, A/B testing, canary deployments, and traffic mirroring across Kubernetes workloads.

Istio Migration

Migrate existing Istio sidecar-based deployments to ambient mode with zero downtime using the free migration tooling.

Kubernetes Observability

Gain full visibility into service-to-service communication with metrics, tracing, and traffic visualization via Kiali and Prometheus.

Multi-Cluster Networking

Extend ambient mesh policies and security across multiple Kubernetes clusters for hybrid and multi-cloud architectures.

Integrations

Istio

Ambient Mesh is built on Istio ambient mode, using its control plane and CRDs for configuration.

Kubernetes Gateway API

Uses the standard Kubernetes Gateway API with HTTPRoute, Gateway, and GRPCRoute resources for traffic management.

Prometheus

Integrates with Prometheus for metrics collection and monitoring of mesh traffic and performance.

Kiali

Integrates with Kiali for service mesh observability, traffic visualization, and security verification.

Gloo Mesh

Solo.io's Gloo Mesh provides enterprise-grade ambient mesh management for scaling across enterprise workloads.

OpenShift

Red Hat OpenShift Service Mesh 3.x supports Istio ambient mode for OpenShift deployments.

Resources

🔗
Website
Website
🔗
Documentation
Documentation
🚀
GettingStarted
GettingStarted
📰
Blog
Blog
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository

Sources

apis.yml Raw ↑
aid: ambient-mesh
name: Ambient Mesh
description: Ambient Mesh is a sidecar-less service mesh architecture built on Istio that simplifies microservices communication,
  enhances zero-trust security, and improves observability without requiring sidecar proxy injection. It uses a shared per-node
  proxy (ztunnel) for zero-trust security and optional waypoint proxies for advanced Layer 7 policies, enabling seamless migration
  from sidecar-based meshes with zero downtime.
type: Index
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
- Service Mesh
- Istio
- Kubernetes
- Zero Trust
- Observability
- Traffic Management
- Microservices
url: https://raw.githubusercontent.com/api-evangelist/ambient-mesh/refs/heads/main/apis.yml
created: '2026-04-19'
modified: '2026-04-19'
specificationVersion: '0.19'
apis:
- aid: ambient-mesh:ambient-mesh
  name: Ambient Mesh
  description: Ambient Mesh provides a sidecar-less service mesh via the Kubernetes Gateway API and Istio ambient mode. It
    exposes configuration APIs for traffic management, security policies, resilience settings, and observability through standard
    Kubernetes CRDs including HTTPRoute, Gateway, AuthorizationPolicy, and WaypointProxy resources.
  humanURL: https://ambientmesh.io/
  baseURL: https://ambientmesh.io
  tags:
  - Service Mesh
  - Kubernetes
  - Istio
  - Zero Trust
  properties:
  - type: Documentation
    url: https://ambientmesh.io/docs/
  - type: GettingStarted
    url: https://ambientmesh.io/docs/quickstart/
  - type: APIReference
    url: https://ambientmesh.io/docs/
common:
- type: Website
  url: https://ambientmesh.io/
- type: Documentation
  url: https://ambientmesh.io/docs/
- type: GettingStarted
  url: https://ambientmesh.io/docs/quickstart/
- type: Blog
  url: https://ambientmesh.io/blog/
- type: GitHubOrganization
  url: https://github.com/istio
- type: GitHubRepository
  url: https://github.com/istio/istio
- type: Features
  data:
  - name: Sidecar-Less Architecture
    description: Operates at the platform layer without sidecar proxy injection, reducing resource overhead and operational
      complexity while maintaining full service mesh capabilities.
  - name: Zero-Trust Security
    description: SPIFFE-based workload identity with automatic mutual TLS encryption between workloads, certificate management,
      and zero-trust network policies enforced by ztunnel.
  - name: Traffic Management
    description: Advanced traffic routing, load balancing, traffic splitting, mirroring, blue-green deployments, and gateway
      management via Kubernetes Gateway API HTTPRoute resources.
  - name: Resilience
    description: Zone-aware load balancing, circuit breaking, outlier detection, fault injection, timeouts, and retry budgets
      for high-availability workloads.
  - name: Observability
    description: Distributed tracing, performance metrics via Prometheus, Kiali observability console, and HTTP observability
      for traffic visualization and security verification.
  - name: Zero-Downtime Migration
    description: Free migration tooling for upgrading from sidecar-based architectures with automated workload analysis and
      risk mitigation for waypoint proxy requirements.
  - name: Waypoint Proxies
    description: Optional per-namespace or per-workload Layer 7 proxies that provide advanced policy enforcement without requiring
      per-pod sidecar containers.
- type: UseCases
  data:
  - name: Microservices Security
    description: Enforce mutual TLS and zero-trust policies across microservices without modifying application code or injecting
      sidecar proxies.
  - name: Traffic Management
    description: Implement advanced traffic routing, A/B testing, canary deployments, and traffic mirroring across Kubernetes
      workloads.
  - name: Istio Migration
    description: Migrate existing Istio sidecar-based deployments to ambient mode with zero downtime using the free migration
      tooling.
  - name: Kubernetes Observability
    description: Gain full visibility into service-to-service communication with metrics, tracing, and traffic visualization
      via Kiali and Prometheus.
  - name: Multi-Cluster Networking
    description: Extend ambient mesh policies and security across multiple Kubernetes clusters for hybrid and multi-cloud
      architectures.
- type: Integrations
  data:
  - name: Istio
    description: Ambient Mesh is built on Istio ambient mode, using its control plane and CRDs for configuration.
  - name: Kubernetes Gateway API
    description: Uses the standard Kubernetes Gateway API with HTTPRoute, Gateway, and GRPCRoute resources for traffic management.
  - name: Prometheus
    description: Integrates with Prometheus for metrics collection and monitoring of mesh traffic and performance.
  - name: Kiali
    description: Integrates with Kiali for service mesh observability, traffic visualization, and security verification.
  - name: Gloo Mesh
    description: Solo.io's Gloo Mesh provides enterprise-grade ambient mesh management for scaling across enterprise workloads.
  - name: OpenShift
    description: Red Hat OpenShift Service Mesh 3.x supports Istio ambient mode for OpenShift deployments.
maintainers:
- FN: Kin Lane
  email: kin@apievangelist.com