June 30, 2025

Is Ambient Mesh the Future of Service Mesh?

Umair Waheed
Product Marketing, Runtimes, Kong

A Practical Look at When (and When Not) to Use Ambient Mesh

The word on the street is that Ambient Mesh is the obvious evolution of service mesh technology — leaner, simpler, and less resource-intensive. But while Ambient Mesh is an exciting development, the reality is more nuanced. It is more than likely that a sidecar-based mesh is still a better fit for your workload and organization.

In this post, we compare Ambient Mesh and traditional sidecar-based meshes across security, observability, traffic efficiency, maturity, and operational cost, so you can make an informed decision.

Resource cost vs. operational agility

One of the most widely discussed benefits of Ambient Mesh is its potential to reduce resource usage by eliminating sidecars from every pod. Without a sidecar proxy running alongside each workload, clusters can achieve significant savings in CPU and memory — especially in high-density environments where many small services are co-located on a node. L4 traffic, in particular, benefits from this approach, as it is handled efficiently by a single ztunnel daemon running on each node. This shared proxy manages mutual TLS and routing for all pods, reducing redundancy and centralizing responsibility for low-level traffic handling.

However, this resource efficiency at the data plane level comes with new operational trade-offs. L7 traffic, which includes HTTP routing, authorization policies, and retries, must still pass through centralized Waypoint proxies. These Waypoints are deployed per namespace or service account, and they introduce an extra hop in the traffic path. They also bring back the need for proxy capacity planning — but now in a centralized, shared form. You must monitor, colocate, and autoscale these components carefully to avoid bottlenecks. The shared nature of these proxies increases the potential blast radius of configuration errors or capacity shortfalls, especially when multiple workloads rely on a single Waypoint instance.

By contrast, sidecar-based meshes incur a higher total resource footprint because each pod runs its own Envoy proxy. But this model brings advantages that go beyond performance. Each workload scales independently, with no need to centrally manage proxy pools. Isolation is naturally achieved, telemetry is workload-specific, and policies can be applied, tested, and rolled out at the level of individual services. 

Operationally, the sidecar model offers a more deterministic and modular system, where failures and configuration changes are scoped to a single pod, not an entire node or namespace.
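To put numbers on the blast-radius trade-off described above, this added example (not code from the article, Kong, or Istio) groups a pod inventory by the proxy instance each model would share. The pod names, nodes, and the assumption of exactly one waypoint per namespace or per service account are constructed for illustration.

```python
from collections import defaultdict

def pod(ns, name, node, sa):
    """Pod record limited to fields that `kubectl get pods -A -o json` exposes."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"nodeName": node, "serviceAccountName": sa}}

# Constructed inventory (not from the article): two namespaces on two nodes.
PODS = [
    pod("payments", "api-1", "node-a", "api"),
    pod("payments", "api-2", "node-b", "api"),
    pod("payments", "ledger-1", "node-a", "ledger"),
    pod("shop", "cart-1", "node-a", "cart"),
    pod("shop", "web-1", "node-b", "web"),
    pod("shop", "web-2", "node-a", "web"),
]

# Which pod attribute decides the proxy instance a workload shares, per model.
# Assumption: one waypoint per scope (namespace or namespace + service account).
SCOPES = {
    "sidecar": lambda p: (p["metadata"]["namespace"], p["metadata"]["name"]),
    "ztunnel": lambda p: p["spec"]["nodeName"],
    "waypoint-namespace": lambda p: p["metadata"]["namespace"],
    "waypoint-serviceaccount": lambda p: (p["metadata"]["namespace"],
                                          p["spec"]["serviceAccountName"]),
}

def proxy_groups(pods, model):
    """Map each proxy instance to the workloads whose traffic it carries."""
    groups = defaultdict(list)
    for p in pods:
        workload = f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
        groups[SCOPES[model](p)].append(workload)
    return dict(groups)

def blast_radius(pods, model):
    """Proxy count and the most workloads one proxy fault or bad config touches."""
    groups = proxy_groups(pods, model)
    worst = max(groups, key=lambda k: len(groups[k]))
    return {"proxies": len(groups), "worst_proxy": worst,
            "workloads_hit": len(groups[worst])}

if __name__ == "__main__":
    for model in SCOPES:
        print(f"{model:24s} {blast_radius(PODS, model)}")
```

Replacing `PODS` with the `items` array from a real cluster export shows how many workloads currently sit behind each node or namespace, which is the figure to weigh against the CPU and memory saved.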

Ultimately, the cost equation is not just about CPU and memory. It’s about predictability, visibility, and the ability to troubleshoot and operate at scale. For environments where operational simplicity, compliance, or team autonomy are critical, the higher resource use of sidecars often translates into lower operational risk and overhead in the long run.

Ambient Mesh vs. Service Mesh: When to use each model

Choose Ambient Mesh if:

  • You mostly need L4 security (mTLS) and basic policies
  • You're running high-density clusters and infrastructure cost reduction is your highest priority
  • You're working in single-zone Kubernetes environments
  • You’re supporting non-regulated or lower-tier environments
  • You have one team managing both platform and services (shared proxy components)

Choose sidecar-based mesh if:

  • You require fine-grained security, observability, and policy enforcement
  • You operate in multi-zone, hybrid, or regulated environments
  • You support multiple teams with self-service mesh configuration
  • You run L7-heavy or latency-sensitive workloads
  • You prioritize isolation and operational predictability over theoretical efficiency

Final thoughts

Ambient Mesh seems, on the face of it, like a compelling evolution of service mesh design, promising reduced resource usage and simpler onboarding for lightweight, L4-dominant applications. But that simplicity comes at the cost of operational complexity, L7 capability gaps, and reduced isolation. In many engineering tasks and disciplines, simplicity often wins out over pure efficiency, and it’s no different with service mesh. The “neater” sidecar-based approach is easier to reason about, easier to deploy, and easier to operate, particularly with Kong Mesh, built with enterprises and platform teams in mind.

At Kong we have taken a deliberate wait-and-see approach to investing in the sidecar-less ambient mesh approach. It’s still an early-stage technology, and even the proponents of Ambient Mesh like Istio aren’t recommending it yet for mission-critical environments, only for single-cluster environments. A recent blog post from Tetrate, a commercial distributor of Istio, presents similar arguments.

For almost all enterprise production environments — particularly those with diverse services, high compliance needs, or multiple teams — sidecar-based service meshes are still the right approach and provide the clarity, control, and maturity our customers can count on.

Here’s some more reading material on Kong Mesh:

  • What is a Service Mesh?
  • Kong Service Mesh customer stories
  • Kong: The power of integrating API Gateways and Service Mesh
