I’m reading more about the ambient mesh and it looks really great, although one thing that is bugging me is why the waypoint proxy is not a daemonset. Why does ztunnel connect to an external pod outside the instance?
I primarily see the below issues with it.
- istiod could always have downtimes and still have very minimal impact on the actual traffic up to some duration. But with the waypoint proxy it becomes a very critical component in the architecture. Isn’t it better to reduce the risk by simply using it as a daemon set?
- Cross-AZ transfer costs would be very high.
- Even without cross-AZ transfer, network bandwidth as a resource is getting wasted just for L7 policy.
Very much interested to learn more about the reasoning behind this.
Thanks