Announcing Tetrate Agent Router Service: Intelligent routing for GenAI developers

Learn more

Config and Upgrades Without the Overhead: Understanding Waypoints in Ambient Mode

Istio’s ambient mode drops sidecars for simpler Layer 4 operations. Waypoints restore key Layer 7 features like routing and JWT without the sidecar burden.

Tetrate
Config%20and%20Upgrades%20Without%20the%20Overhead:%20Understanding%20Waypoints%20in%20Ambient%20Mode

In our ongoing series on Istio’s ambient mode, we have explored how this new data plane architecture changes where and how service mesh capabilities are delivered, starting with observability and multi-cluster support. In this post, we are focusing on a component unique to ambient: waypoints, and how they change the experience of configuring and upgrading Layer 7 capabilities within the mesh.

Istio’s traditional sidecar model offers powerful Layer 7 features: granular routing, detailed observability, and fine-tuned security. But it comes at a cost. Every pod brings along its own Envoy proxy. That means every configuration change must ripple through dozens or hundreds of workloads, and every proxy upgrade is tied to application restarts. As service counts grow, so does operational complexity.

Ambient mode introduces a simpler path. By default, Ambient handles Layer 4 capabilities like mTLS and basic policy enforcement using ztunnels, without injecting sidecars. This dramatically reduces the number of proxies in the system, simplifies upgrades, and cuts down on resource consumption.

However, going fully ambient means trading away some L7 features. You lose HTTP-level routing, JWT validation, and detailed telemetry unless you reintroduce them. That’s where waypoints come in.

A Middle Ground Between Sidecars and Simplicity

Waypoints are standalone proxies that reintroduce L7 functionality in Ambient Mesh. Unlike sidecars, which are tightly coupled to individual pods (the smallest deployable unit in Kubernetes), waypoints are deployed independently and typically scoped to a namespace or service account. A namespace is a higher-level grouping that can contain many pods and services, so a single waypoint can enforce routing policies, authentication rules, and telemetry collection for multiple workloads at once, rather than per workload.

For many platform teams, this model is enough. A single waypoint can often satisfy the routing, security, and observability needs of an entire namespace, service group, or application team. Instead of injecting complexity everywhere, you apply it only where it’s needed.

This is the core benefit of Ambient with Waypoints: you opt into L7 controls selectively, avoiding the sprawl and overhead of sidecars across every pod.

Operational Simplicity Without Losing Control

Ambient with Waypoints simplifies how teams manage policies across the mesh. Instead of pushing routing and security config to every pod, you define policy once and apply it to the waypoint. That update affects a single component, not an entire fleet of proxies. This reduces the chance of drift, speeds up iteration, and minimizes the blast radius of configuration changes.

Because waypoints are decoupled from workloads, upgrades become easier. You can update the proxy independently, without restarting applications or coordinating with service owners. This flexibility helps platform teams move faster while preserving service stability.

It’s not about whether, it’s about when & where

The question is when to use waypoints, sidecars, and/or both, not whether to use them.

Waypoints are ideal when:

  • You need L7 capabilities like routing, observability, or request-level authentication, but you don’t require the per-pod isolation or customization that sidecars provide. In these cases, waypoints can deliver the same features at lower operational cost, since a single waypoint can serve multiple workloads instead of running a proxy for each pod
  • You do not need per-pod customization or isolation, such as when individual workloads require unique routing rules, custom authentication methods, or tailored traffic shaping for testing or compliance purposes
  • You want to reduce operational overhead by managing a small number of shared waypoints instead of maintaining thousands of individual sidecars

Sidecars still make sense when:

  • You need maximum granularity, such as per-pod security enforcement
  • Your workloads require custom proxy behavior or advanced traffic shaping
  • You operate in highly regulated environments where isolation is critical

Ambient mode gives you the flexibility to choose. You can run L4-only where simplicity is enough, layer in waypoints for teams that need more control, and reserve sidecars for services that require maximum isolation, fine-grained traffic control, or strict compliance guarantees.

Aligning Mesh Architecture to Service Criticality

Because Ambient and sidecar modes can coexist across the mesh, with the mix determined on a per-cluster basis, organizations can align their architecture to match service importance:

  • Mission-critical services can remain on sidecars, where fine-grained control and isolation are needed
  • Important, but less sensitive workloads can run on Ambient with Waypoints, gaining L7 functionality without full sidecar overhead
  • All other services can run in pure Ambient mode, minimizing complexity while still gaining secure connectivity

This model helps platform teams simplify operations without sacrificing control. Instead of forcing every team to conform to one model, you give them the right tools for the right job.

What’s Next

In our next post, we will take a closer look at how teams are designing mixed-mode deployments across clusters. We will explore common architectures, how to maintain consistent policy across Ambient and sidecar clusters, and what to consider when evolving toward a hybrid mesh model.

If you’re beginning to plan your migration path or want to align mesh design with service criticality, this next post will help you decide how and where to apply each mode most effectively.

Ready to Assess Your Istio Strategy?

Try the advisor now! Get personalized recommendations for your environment:

Start Your Assessment Now →   |   Contact Us to Get Started →

Tetrate
Product background Product background for tablets
New to service mesh?

Get up to speed with free online courses at Tetrate Academy and quickly learn Istio and Envoy.

Learn more
Using Kubernetes?

Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed via the Kubernetes Gateway API.

Learn more
Getting started with Istio?

Tetrate Istio Subscription (TIS) is the most reliable path to production, providing a complete solution for running Istio and Envoy securely in mission-critical environments. It includes:

  • Tetrate Istio Distro – A 100% upstream distribution of Istio and Envoy.
  • Compliance-ready – FIPS-verified and FedRAMP-ready for high-security needs.
  • Enterprise-grade support – The ONLY enterprise support for 100% upstream Istio, ensuring no vendor lock-in.
    • Learn more
    Need global visibility for Istio?

    TIS+ is a hosted Day 2 operations solution for Istio designed to streamline workflows for platform and support teams. It offers:

  • A global service dashboard
  • Multi-cluster visibility
  • Service topology visualization
  • Workspace-based access control
    • Learn more
    Decorative CTA background pattern background background
    Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

    Ready to enhance your
    network
    with more
    intelligence?