Tigera: Sidecarless mTLS: Scaling Zero Trust with Istio Ambient Mesh and ztunnel

Online

Transitioning to Zero Trust shouldn’t mean paying a massive “sidecar tax” in CPU and memory. Istio Ambient Mesh changes the game by moving encryption to a lightweight, node-level ztunnel, providing transparent mTLS without touching your applications.

Join us as we explore the mechanics of the HBONE protocol and demonstrate the power of a “sidecar-less” architecture. We conclude by showing how Calico’s unified platform combines this infrastructure-level encryption with Calico network policy to create a robust, defense-in-depth security model that scales.

What you will learn:

  • The Architecture of Ambient Mesh: How the separation of Layer 4 and Layer 7 processing reduces complexity and overhead.
  • Inside ztunnel: How node-level proxies manage unique X.509 certificates for individual pods to maintain identity-based security.
  • HBONE & The Transport Layer: The mechanics of tunneling TCP traffic through encrypted mTLS connections.
  • Enforcing Zero Trust: How to use Calico GlobalNetworkPolicy alongside Ambient Mesh to control and secure all cluster traffic.
  • Operational Gains: Best practices for enabling cluster-wide mTLS incrementally without modifying existing deployments.
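The last two points above combine in practice as a namespace label plus a small set of Calico policies. The manifests below are an added example, not material from the webinar or code from Tigera or Istio; they assume Istio is installed in ambient mode with Calico as the CNI, that ztunnel carries HBONE on TCP port 15008 (its inbound listener), and that the namespace name `payments` is a constructed placeholder. The first policy admits only the encrypted tunnel between ambient-enrolled workloads, the second is the cluster-wide default deny that makes the allow rules meaningful.

```yaml
# Added example (not from the webinar, Tigera or Istio). Assumptions:
# Istio ambient mode is installed, Calico is the CNI, HBONE is carried on
# TCP 15008, and "payments" is a constructed placeholder namespace.
---
# Step 1: enrol a namespace incrementally. No Deployment is modified; the
# label alone makes ztunnel intercept this namespace's pods.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    istio.io/dataplane-mode: ambient
---
# Step 2: once pods are enrolled, pod-to-pod traffic arrives at the
# destination pod as an HBONE tunnel on 15008, not on the application port.
# Allow that tunnel, in both directions, only between enrolled workloads.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: ambient-allow-hbone
spec:
  order: 100
  namespaceSelector: istio.io/dataplane-mode == 'ambient'
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        namespaceSelector: istio.io/dataplane-mode == 'ambient'
      destination:
        ports: [15008]
  egress:
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: istio.io/dataplane-mode == 'ambient'
        ports: [15008]
---
# Step 3: default deny for everything else, excluding the system namespaces
# that host Calico and the mesh control plane. DNS stays reachable so that
# service discovery keeps working under the deny.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 1000
  selector: projectcalico.org/namespace not in {'kube-system', 'calico-system', 'istio-system'}
  types:
    - Ingress
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
```

Apply with `kubectl apply -f` and roll the `payments` pods so ztunnel picks them up. The point to check after enrolling is that policies written against application ports (for example 8080) no longer match traffic between enrolled pods, because Calico sees the 15008 tunnel; per-port and per-identity decisions inside the tunnel belong to mesh-level authorization, while the Calico layer decides which workloads may open the tunnel at all.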