What is the difference between ztunnel and a waypoint proxy in ambient mode?
Istio & Service Mesh · Basic level
Answer
ztunnel is the per-node L4 proxy that forms the secure overlay in ambient mode; a waypoint proxy is an optional Envoy-based L7 proxy that you attach to a namespace or to an individual service. ztunnel provides workload identity, mTLS (over HBONE), L4 authorization policy, and L4 forwarding and telemetry; waypoints provide HTTP-aware features such as L7 routing, request-level authorization, and retries, which ztunnel cannot evaluate on its own.
Technical explanation
ztunnel runs as a DaemonSet (one instance per node, in istio-system). The istio-cni node agent redirects the traffic of pods in ambient-enrolled namespaces into the node's ztunnel, so no pod spec changes, restarts, or sidecar injection are needed.
Waypoint proxies are added only when traffic needs L7 decisions: HTTP path, method, headers, JWT claims, HTTPRoute traffic splitting, or authorization rules based on any of these. A waypoint terminates the HBONE tunnel, parses the request, applies L7 policy, and forwards to the destination.
This split lets teams avoid a sidecar in every pod while still enabling deeper policy where it is needed. The security caveat is that L4 and L7 enforcement happen in different places: ztunnel can only enforce identity-, namespace-, IP-, and port-based rules, so any AuthorizationPolicy that uses L7 attributes must be bound to a waypoint, or it will not be evaluated the way the author intended.
Hands-on example
Example decision:
Service A only needs encrypted service-to-service traffic (mTLS) and identity-based L4 allow rules: enrol its namespace in ambient and rely on ztunnel alone.
Service B needs path- or method-based allow/deny and HTTPRoute traffic splitting: deploy a waypoint and attach it to that service (or to the whole namespace) with the istio.io/use-waypoint label, then bind the L7 AuthorizationPolicy to the waypoint.
Check components:
$ kubectl get ds -n istio-system ztunnel          # one ztunnel pod per node
$ kubectl get gateway -A | grep istio-waypoint    # waypoints are Gateways with class istio-waypoint
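The two decisions above as concrete manifests, written as an added example for this page (not code from the original page or from the Istio project). Assumed, illustrative names: namespace "default", pods labelled app=service-a and app=service-b, a client running as service account "client", and a waypoint named "waypoint". Each function prints a command or a manifest; the needs_waypoint check is a pre-apply guard for the caveat that ztunnel cannot evaluate L7 attributes.

```shell
#!/bin/sh
# Added example, not from the original page or the Istio project. Assumed names
# (illustrative): namespace "default", app=service-a / app=service-b, client service
# account "client", waypoint "waypoint". Pipe manifests to `kubectl apply -f -`.

# Enrol the namespace: istio-cni redirects every pod's traffic into the node's ztunnel.
enroll_namespace_cmd() {
  echo "kubectl label namespace default istio.io/dataplane-mode=ambient --overwrite"
}

# Service A: identity-based L4 rule. ztunnel enforces it; no waypoint needed.
l4_policy_manifest() {
  cat <<'EOF'
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: service-a-l4
  namespace: default
spec:
  selector:
    matchLabels:
      app: service-a
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/client"]
    to:
    - operation:
        ports: ["8080"]
EOF
}

# Service B: waypoint Gateway, same shape as `istioctl waypoint generate` output.
waypoint_manifest() {
  cat <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
EOF
}

# Send only service B through the waypoint (label the Service, not the whole namespace).
attach_waypoint_cmd() {
  echo "kubectl label service service-b istio.io/use-waypoint=waypoint --overwrite"
}

# Service B: L7 rule bound to the waypoint via targetRefs, so Envoy evaluates method and path.
l7_policy_manifest() {
  cat <<'EOF'
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: service-b-l7
  namespace: default
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/client"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
EOF
}

# Pre-apply check: L7 attributes in a workload-selected policy cannot be evaluated by
# ztunnel (documented behaviour is fail-closed), so such a policy must target a waypoint.
needs_waypoint() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(paths|notPaths|methods|notMethods|hosts|notHosts|requestPrincipals|notRequestPrincipals):|key: request\.'; then
    echo yes
  else
    echo no
  fi
}

enroll_namespace_cmd
l4_policy_manifest
waypoint_manifest
attach_waypoint_cmd
l7_policy_manifest
echo "needs waypoint? l4=$(needs_waypoint "$(l4_policy_manifest)") l7=$(needs_waypoint "$(l7_policy_manifest)")"
```

Run needs_waypoint over any AuthorizationPolicy before applying it to an ambient namespace: a "yes" for a policy that has a selector but no targetRefs means the rule will be handled by ztunnel, which cannot inspect paths, methods, or request headers, so either attach a waypoint and rebind the policy to it or rewrite the rule in L4 terms.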
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What problem does Istio solve that Kubernetes Services alone do not?