content/en/docs/ambient/usage/l7-features/index.md
By adding a waypoint proxy to your traffic flow you can enable more of Istio's features. Waypoints are configured using the {{< gloss "gateway api" >}}Kubernetes Gateway API{{< /gloss >}}.
{{< warning >}} Usage of VirtualService with the ambient data plane mode is considered Alpha. Mixing with Gateway API configuration is not supported, and will lead to undefined behavior. {{< /warning >}}
{{< warning >}}
EnvoyFilter is Istio's break-glass API for advanced configuration of Envoy proxies. Please note that EnvoyFilter is not currently supported for any existing Istio version with waypoint proxies. While it may be possible to use EnvoyFilter with waypoints in limited scenarios, its use is not supported, and is actively discouraged by the maintainers. The alpha API may break in future releases as it evolves. We expect official support will be provided at a later date.
{{< /warning >}}
The Gateway API defines the relationship between objects (such as routes and gateways) in terms of attachment.
The tables below show the type of attachment that is configured for each object.
With a waypoint proxy deployed, you can use the following traffic route types:
| Name | Feature Status | Attachment |
|---|---|---|
HTTPRoute | Beta | parentRefs |
TLSRoute | Alpha | parentRefs |
TCPRoute | Alpha | parentRefs |
Refer to the traffic management documentation to see the range of features that can be implemented using these routes.
Without a waypoint installed, you can only use Layer 4 security policies. By adding a waypoint, you gain access to the following policies:
| Name | Feature Status | Attachment |
|---|---|---|
AuthorizationPolicy (including L7 features) | Beta | targetRefs |
RequestAuthentication | Beta | targetRefs |
In ambient mode, authorization policies can either be targeted (for ztunnel enforcement) or attached (for waypoint enforcement). For an authorization policy to be attached to a waypoint it must have a targetRef which refers to the waypoint, or a Service which uses that waypoint.
The ztunnel cannot enforce L7 policies. If a policy with rules matching L7 attributes is targeted with a workload selector (rather than attached with a targetRef), such that it is enforced by a ztunnel, it will fail safe by becoming a DENY policy.
See the L4 policy guide for more information, including when to attach policies to waypoints for TCP-only use cases.
The full set of Istio traffic metrics are exported by a waypoint proxy.
As the waypoint proxy is a deployment of {{< gloss >}}Envoy{{< /gloss >}}, some of the extension mechanisms that are available for Envoy in {{< gloss "sidecar">}}sidecar mode{{< /gloss >}} are also available to waypoint proxies.
| Name | Feature Status | Attachment |
|---|---|---|
WasmPlugin † | Alpha | targetRefs |
† Read more on how to extend waypoints with WebAssembly plugins.
Extension configurations are considered policy by the Gateway API definition.
A route or policy can be scoped to apply to all traffic traversing a waypoint proxy, or only specific services.
To attach a route or a policy to the entire waypoint — so that it applies to all traffic enrolled to use it — set Gateway as the parentRefs or targetRefs value, depending on the type.
To scope an AuthorizationPolicy policy to apply to the waypoint named default for the default namespace:
{{< text yaml >}} apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: name: view-only namespace: default spec: targetRefs:
You can also attach a route to one or more specific services within the waypoint. Set Service as the parentRefs or targetRefs value, as appropriate.
To apply the reviews HTTPRoute to the reviews service in the default namespace:
{{< text yaml >}} apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: reviews namespace: default spec: parentRefs: