How Alibaba Cloud's ASM Implements the Sidecarless Ambient Service Mesh
This article explains the evolution from classic sidecar‑based service mesh to Istio's Ambient sidecarless architecture, details ASM's control‑plane and data‑plane separation, L4 ztunnel and L7 Waypoint proxies, traffic flow, serverless components, and real‑world benefits such as reduced resource usage and operational overhead.
Classic Sidecar Service Mesh
Traditional meshes separate control plane (configuration, policy) and data plane (traffic enforcement). An injector adds a sidecar container to each pod, sharing the network namespace, allowing iptables to redirect application traffic to the sidecar proxy for routing, load‑balancing, fault injection, authentication, etc.
Ambient Mode Overview
Istio introduced Ambient (Sept 2022) as a sidecar‑less model that splits sidecar functionality into a Layer‑4 (L4) proxy called ztunnel and a Layer‑7 (L7) proxy called Waypoint. Alibaba Cloud Service Mesh (ASM) is the first managed mesh that supports Ambient.
L4 Proxy – ztunnel
Deployed as a DaemonSet on every node.
Uses CNI to add pod IPs to an ipset and installs iptables rules that mark outbound packets (0x100) and route them to the istio‑out interface.
Listens on port 15001, encrypts traffic with mTLS, forwards it to the destination node’s ztunnel, and collects TCP metrics.
L7 Proxy – Waypoint
Envoy‑based proxy deployed per service (via the Kubernetes Gateway API).
Listens on port 15008 and applies L7 policies such as circuit breaking, traffic shaping, retries, fault injection, and RBAC.
Scales independently of the workload; can be run in ASM‑managed pools or on user‑provided serverless nodes.
Traffic Flow in Ambient
When a pod starts, the CNI plugin adds its IP to an ipset.
Outbound packets are captured by iptables, marked 0x100, and sent to istio‑out.
ztunnel receives the packet on port 15001, encrypts it with mTLS, and forwards it to the target node.
On the destination node, inbound rules route the packet to istio‑in, which tunnels it back to the target ztunnel.
ztunnel decrypts and delivers the packet to the destination pod.
If the destination pod has a Waypoint enabled, the L4 proxy forwards the traffic via an HBONE tunnel to Waypoint’s listener on port 15008, where L7 filters are applied before reaching the application.
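The six steps above can be traced end to end in a small model of the data path. The following is an added example, not ASM or Istio code: it keeps, per node, the CNI-maintained ipset of enrolled pod IPs and the set of pods whose service has a Waypoint, and returns the hops a packet takes. The port numbers and the 0x100 mark come from the article; the Node and Packet classes, the hop labels, and the simplification that an un-enrolled sender's packet is delivered directly are this example's own assumptions.

```python
"""Model of the Ambient L4/L7 data path (added example, not ASM or Istio code)."""
from dataclasses import dataclass, field

ZTUNNEL_PORT = 15001   # from the article: ztunnel listener
WAYPOINT_PORT = 15008  # from the article: Waypoint HBONE listener
AMBIENT_MARK = 0x100   # from the article: fwmark set by iptables on captured egress


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    mark: int = 0            # fwmark applied by the source node's iptables rules
    encrypted: bool = False  # whether the bytes on the wire are mTLS-protected


@dataclass
class Node:
    """One Kubernetes node with its ztunnel and the CNI-maintained ipset (model)."""
    name: str
    enrolled_pods: set = field(default_factory=set)    # the ipset contents
    waypoint_backed: set = field(default_factory=set)  # pods whose service has a Waypoint

    def egress(self, pkt: Packet) -> list:
        """Outbound path on the source node; returns the hops traversed."""
        if pkt.src_ip not in self.enrolled_pods:
            # Not in the ipset: the iptables rule does not match, so the packet
            # leaves unmarked and unencrypted. This is the case to look for when
            # auditing whether a workload is really inside the mesh.
            return [f"{self.name}:eth0 (unmarked, plaintext)"]
        pkt.mark = AMBIENT_MARK
        hops = [f"{self.name}:istio-out mark=0x{pkt.mark:x}",
                f"{self.name}:ztunnel:{ZTUNNEL_PORT}"]
        pkt.encrypted = True  # ztunnel wraps the flow in mTLS before forwarding
        return hops

    def ingress(self, pkt: Packet) -> list:
        """Inbound path on the destination node."""
        if not pkt.encrypted:
            # Model simplification (assumption): a plaintext packet from an
            # un-enrolled sender is delivered straight to the pod.
            return [f"{pkt.dst_ip}:{pkt.dst_port} (pod, plaintext)"]
        hops = [f"{self.name}:istio-in",
                f"{self.name}:ztunnel (mTLS terminated)"]
        if pkt.dst_ip in self.waypoint_backed:
            # L7 policy (retries, RBAC, fault injection, ...) is applied here.
            hops.append(f"waypoint:{WAYPOINT_PORT} via HBONE (L7 policy)")
        hops.append(f"{pkt.dst_ip}:{pkt.dst_port} (pod)")
        return hops


def trace(src_node: Node, dst_node: Node, pkt: Packet) -> list:
    """Full hop list for one packet from the source pod to the destination pod."""
    return src_node.egress(pkt) + dst_node.ingress(pkt)


if __name__ == "__main__":
    # Constructed sample topology: two nodes, one enrolled sender, one Waypoint-backed service.
    node_a = Node("node-a", enrolled_pods={"10.0.1.10"})
    node_b = Node("node-b", enrolled_pods={"10.0.2.20"}, waypoint_backed={"10.0.2.20"})
    for hop in trace(node_a, node_b, Packet("10.0.1.10", "10.0.2.20", 8080)):
        print(hop)
```

Running it with an enrolled sender prints the istio-out mark, the ztunnel hop on 15001, the istio-in hop, the HBONE hop to 15008 and finally the pod; swapping the source for an IP that is not in the ipset shows the packet bypassing every mesh hop in plaintext, which is the condition a mesh audit should flag.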
Serverless Control‑Plane Components
ASM runs parts of the control plane as serverless components, providing automatic elastic scaling and on‑demand usage. Image caching reduces pod startup latency.
Managed Waypoint Deployment
Users declare Waypoint proxies with the standard Kubernetes Gateway API. The Waypoint Proxy Controller watches Gateway resources and creates, updates, or deletes Waypoint workloads accordingly.
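What such a declaration looks like, and how to sanity-check one before applying it, as an added example that is not ASM's controller code: the function below emits a Gateway object in the Kubernetes Gateway API shape and a second function checks that it is actually a Waypoint (right kind and API group, a single HBONE listener on the article's port 15008). The gatewayClassName "istio-waypoint", the istio.io/waypoint-for label and the HBONE protocol name follow upstream Istio's Ambient conventions and are assumptions here; the article does not state ASM's exact values, so confirm them against the GatewayClass objects in your cluster.

```python
"""Build and validate a Waypoint Gateway declaration (added example, not ASM code)."""
import json

WAYPOINT_PORT = 15008              # from the article: Waypoint HBONE listener
WAYPOINT_CLASS = "istio-waypoint"  # assumption: upstream Istio GatewayClass name
WAYPOINT_PROTOCOL = "HBONE"        # assumption: upstream Istio listener protocol


def waypoint_manifest(name: str, namespace: str, scope: str = "service") -> dict:
    """Return a Gateway object that a Waypoint controller would reconcile.

    scope is the istio.io/waypoint-for value (upstream Istio convention):
    which traffic the Waypoint fronts.
    """
    if scope not in ("service", "workload", "all", "none"):
        raise ValueError(f"unknown waypoint-for scope: {scope}")
    return {
        "apiVersion": "gateway.networking.k8s.io/v1",
        "kind": "Gateway",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {"istio.io/waypoint-for": scope},
        },
        "spec": {
            "gatewayClassName": WAYPOINT_CLASS,
            "listeners": [
                {"name": "mesh", "port": WAYPOINT_PORT, "protocol": WAYPOINT_PROTOCOL}
            ],
        },
    }


def validate_waypoint(obj: dict) -> list:
    """Return a list of problems; an empty list means the object looks like a Waypoint."""
    problems = []
    if obj.get("kind") != "Gateway":
        problems.append("kind must be Gateway")
    if not str(obj.get("apiVersion", "")).startswith("gateway.networking.k8s.io/"):
        problems.append("apiVersion must be a Gateway API version")
    spec = obj.get("spec") or {}
    if spec.get("gatewayClassName") != WAYPOINT_CLASS:
        problems.append(f"gatewayClassName must be {WAYPOINT_CLASS}")
    listeners = spec.get("listeners") or []
    hbone = [l for l in listeners if l.get("protocol") == WAYPOINT_PROTOCOL]
    if not hbone:
        problems.append(f"no {WAYPOINT_PROTOCOL} listener declared")
    for l in hbone:
        if l.get("port") != WAYPOINT_PORT:
            problems.append(
                f"{WAYPOINT_PROTOCOL} listener on port {l.get('port')}, expected {WAYPOINT_PORT}"
            )
    return problems


def render(obj: dict) -> str:
    """JSON is a YAML subset, so this output can be fed directly to kubectl apply -f."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    manifest = waypoint_manifest("waypoint", "bookinfo")  # constructed sample names
    print(render(manifest))
    print("problems:", validate_waypoint(manifest) or "none")
```

The validator is the kind of pre-apply check worth wiring into a CI step: a Gateway that points at the wrong class or exposes a non-HBONE listener will not be picked up by the Waypoint controller as a Waypoint, and traffic the team believes is getting L7 policy would silently receive none.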
Benefits of ASM Ambient
Up to 60% reduction in resource consumption compared with classic sidecar deployments.
Approximately 50% fewer operational tasks due to managed lifecycle and error‑checking.
Latency reductions of around 40% in scenarios where L7 processing is offloaded.
ASM provides a unified control‑plane API that configures sidecar, Ambient L4, and L7 proxies, supports OpenAPI and standard Kubernetes APIs, and integrates with CI/CD, multi‑cluster networking, and AI service management (e.g., KServe).
Alibaba Cloud Native