Tigera: Beyond L4: Unlocking Layer 7 Traffic Management in Istio Ambient Mesh

You’ve successfully deployed Istio Ambient Mesh to secure pod-to-pod traffic with zero-trust mTLS—but now you need to layer in sophisticated Layer 7 controls.

In this demo we show how you get L7 traffic management without reverting to sidecar injection. You will see how Waypoint Proxies are deployed per-namespace or per-service to handle advanced routing, while the ztunnel continues to manage mTLS at the node level. The result is a clean separation of concerns: L4 security everywhere by default, L7 intelligence exactly where you need it.

• Waypoint Proxy Deployment: See how to deploy Waypoint Proxies to enable L7 processing for specific namespaces and services—without touching application pods or injecting sidecars.
• Header-Based Routing and Traffic Splitting: Configure HTTPRoute resources to route requests based on headers, paths, and weights—the same L7 controls you had with sidecars, now running through Waypoint Proxies.
• Request-Level Load Balancing: Move beyond connection-level distribution to per-request load balancing across service backends, improving throughput for long-lived connections like gRPC streams.
• L4 + L7 Observability: Correlate ztunnel connection data with Waypoint request metrics for complete visibility into Ambient Mesh traffic.

Join us to see how Istio Ambient Mesh delivers the full power of L7 traffic management—without the operational cost of sidecars.