How Istio's "Ambient Mode" Transparent Proxy—tproxy—Works Under the Hood

Istio’s new “ambient mode” is?an experimental, “sidecar-less” deployment model for Istio. Instead of a sidecar proxy in front of every workload, ambient mode uses?tproxy?and?HTTP Based Overlay Network Environment (HBONE)?as key technologies for transparent traffic intercepting and routing that we covered in our recent article on?transparent traffic intercepting and routing in the L4 network of Istio Ambient Mesh. In this article, we’ll take a closer look at?tproxy?and how it’s used.

What Is a Proxy For?

Proxies have a wide range of uses on the Internet, such as:

• Request caching:?to speed up network response, acting similarly to a CDN.
• Traffic filtering: used for network supervision, blocking or allowing access to specific hosts and websites.
• Traffic forwarding:?used for load balancing or as a network relay.
• Traffic management:?fine-grained management of traffic to and from the proxy, such as publishing to different backends by percentage, timeout and retry settings, circuit breaking, etc.
• Security auditing:?logging and limiting client requests for billing or auditing purposes.

Proxy Types

There are a number of ways to classify proxies based on how they’re used. You can see two categories based on the location of the proxy:

• Forward proxies?(like shadowsocks) run on the client side and send requests to the server on behalf of the client.
• Reverse proxies?(often in the form of a web server) accept Internet or external requests on behalf of the server and route them to the corresponding backends.

Proxies may be located on the same node as the client or server or on a different node. We can classify them as?transparent?or?non-transparent?based on whether the client or server can see them. Figure 2 (below) shows the process of a client (A) sending a request to a server (C) through a proxy (B).

Continue reading on Tetrate blog