Istio — How It Works

Ambient Mode data path, ztunnel L4 processing, waypoint L7 routing, and mTLS flow.

Ambient Mode Data Path

sequenceDiagram
    participant PodA as Pod A
    participant ZT_A as ztunnel (Node A)
    participant ZT_B as ztunnel (Node B)
    participant WP as Waypoint Proxy (optional L7)
    participant PodB as Pod B

    PodA->>ZT_A: TCP connect (intercepted via iptables)
    ZT_A->>ZT_A: mTLS handshake (SPIFFE identity)
    ZT_A->>ZT_A: L4 AuthorizationPolicy check
    alt L7 policy needed
        ZT_A->>WP: Forward via HBONE tunnel
        WP->>WP: HTTP routing, retries, L7 policy
        WP->>ZT_B: Forward to destination node
    else L4 only
        ZT_A->>ZT_B: Direct HBONE tunnel
    end
    ZT_B->>PodB: Deliver to destination pod

mTLS Identity (SPIFFE)

flowchart LR
    Istiod_C["istiod\n(Citadel CA)"] -->|"sign cert"| ZT["ztunnel /\nEnvoy sidecar"]
    ZT -->|"present SPIFFE\nSVID"| Peer["Peer ztunnel"]
    Peer -->|"verify cert\nchain"| Trust["Trust Bundle\n(root CA)"]

    style Istiod_C fill:#5f6caf,color:#fff

SPIFFE ID Format

spiffe://cluster.local/ns/<namespace>/sa/<service-account>
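The ztunnel L4 AuthorizationPolicy check in the sequence diagram keys entirely on this identity, taken from the SPIFFE SVID verified in the mTLS handshake. The following is an added example, not Istio's or ztunnel's own code: a strict parser for the ID format above and a default-deny principal match. `L4Policy` and its `Principals` field are hypothetical stand-ins for an ALLOW AuthorizationPolicy that carries only source.principals rules.

```go
package main

import (
	"fmt"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
type SPIFFEID struct{ TrustDomain, Namespace, ServiceAccount string }

// ParseSPIFFEID accepts only the exact Istio layout (scheme, five non-empty
// segments, literal "ns" and "sa"), so padded or malformed IDs are rejected.
func ParseSPIFFEID(id string) (SPIFFEID, error) {
	if !strings.HasPrefix(id, "spiffe://") {
		return SPIFFEID{}, fmt.Errorf("missing spiffe:// scheme in %q", id)
	}
	parts := strings.Split(strings.TrimPrefix(id, "spiffe://"), "/")
	if len(parts) != 5 || parts[1] != "ns" || parts[3] != "sa" ||
		parts[0] == "" || parts[2] == "" || parts[4] == "" {
		return SPIFFEID{}, fmt.Errorf("unexpected path layout in %q", id)
	}
	return SPIFFEID{TrustDomain: parts[0], Namespace: parts[2], ServiceAccount: parts[4]}, nil
}

// L4Policy is a hypothetical stand-in (not Istio's API type) for an ALLOW
// AuthorizationPolicy whose only rule is a list of source principals.
type L4Policy struct{ Principals []string }

// Authorize is the ztunnel-style L4 check: peerSVID is the SPIFFE ID from the
// certificate verified in the mTLS handshake; anything not listed is denied.
func (p L4Policy) Authorize(peerSVID string) bool {
	id, err := ParseSPIFFEID(peerSVID)
	if err != nil {
		return false
	}
	// AuthorizationPolicy spells principals as <trust-domain>/ns/<namespace>/sa/<service-account>.
	principal := id.TrustDomain + "/ns/" + id.Namespace + "/sa/" + id.ServiceAccount
	for _, allowed := range p.Principals {
		if allowed == principal {
			return true
		}
	}
	return false
}

func main() { // constructed sample: one listed principal, one foreign trust domain
	policy := L4Policy{Principals: []string{"cluster.local/ns/default/sa/sleep"}}
	fmt.Println(policy.Authorize("spiffe://cluster.local/ns/default/sa/sleep")) // true
	fmt.Println(policy.Authorize("spiffe://other.example/ns/default/sa/sleep")) // false
}
```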