
System Design

Ambient Mesh and Sidecarless

Splitting mesh functions into shared layers to cut the per pod cost of sidecars.

6 min read · advanced · beat Platinum to climb

The Sidecar Tax

Sidecars work, but every pod runs its own proxy, adding memory, CPU, and a latency hop. At fleet scale that overhead is large, and upgrading sidecars means restarting every pod. Ambient mesh removes the per pod sidecar.

Two Layers Instead

Ambient splits mesh work into two layers.

  • A secure overlay layer, often a per node component, handles mutual TLS and basic identity for all pods on that node. This is sometimes called the ztunnel.
  • A layer 7 (L7) proxy is added only for workloads that need richer features like routing rules and retries. It runs as a shared waypoint proxy, not one per pod.

Pay For What You Use

The result is a tiered model. Simple workloads get encryption and identity cheaply from the node layer. Only services that need advanced traffic management pay for an L7 proxy, and they share it.
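An added example, not part of the lesson, of what the tiered model looks like as configuration. It assumes Istio's ambient implementation (the lesson names no vendor) and a constructed namespace `shop` with a `reviews` service: the namespace label puts every pod on the node-level ztunnel path for mTLS and identity, while only `reviews` is bound to a shared waypoint and so is the only service that pays for L7 retries.

```yaml
# Added example; assumes Istio's ambient implementation (lesson names no vendor).
# Enroll the namespace in the node-level secure overlay (ztunnel): every pod gets
# mTLS and identity with no sidecar injected.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    istio.io/dataplane-mode: ambient
---
# One shared L7 waypoint, deployed as its own workload, not inside any pod.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shop-waypoint
  namespace: shop
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - {name: mesh, port: 15008, protocol: HBONE}
---
# Only the service needing L7 features is bound to the waypoint; the rest
# of the namespace stays on the cheaper L4 path.
apiVersion: v1
kind: Service
metadata:
  name: reviews
  namespace: shop
  labels:
    istio.io/use-waypoint: shop-waypoint
spec:
  selector: {app: reviews}
  ports: [{port: 9080}]
---
# L7 retry policy; it takes effect only because reviews traffic traverses
# the waypoint. Services without a waypoint never pay for this layer.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts: [reviews]
  http:
  - route:
    - destination: {host: reviews}
    retries:
      attempts: 3
      perTryTimeout: 2s
```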

Trade Offs

Ambient lowers cost and eases upgrades since there is no sidecar to restart per pod. The cost is a more complex data path and a younger, less battle tested model than classic sidecars. Teams weigh the savings against operational maturity.

Key idea

Ambient mesh drops per pod sidecars for a shared node level secure layer plus optional shared L7 waypoint proxies, so workloads pay only for the mesh features they actually use.

Check yourself

Answer to earn rating on the learn ladder.

1. What does ambient mesh remove compared to the classic model?

2. When does an ambient workload use an L7 waypoint proxy?

3. What is a trade off of ambient mesh?