Container Service for Kubernetes:Comparison among NGINX Ingresses, ALB Ingresses, and MSE Ingresses

Type

Scenario

Nginx Ingress

• Your cluster requires highly customized gateways.

• Your cluster performs canary releases and blue-green deployments for cloud-native applications.

ALB Ingress

• Your cluster requires fully managed and O&M-free gateways.

• Your cluster requires high-performance auto scaling for Internet applications at Layer 7.

• Your cluster requires multi-level high availability in the service level agreement (SLA) that is up to 99.995%.

• Your cluster performs canary releases and blue-green deployments for cloud-native applications.

• Your cluster uses a single ALB instance to manage traffic for multiple cloud services.

• Your cluster requires disaster recovery in multiple scenarios, such as hybrid cloud and cross-region cloud scenarios.

• Your cluster requires high QPS and a large number of concurrent connections.

MSE Ingress

• Your cluster requires fully managed and O&M-free gateways.

• Your cluster requires centralized management of north-south traffic and east-west traffic, microservices gateways, and end-to-end canary releases.

• Your cluster uses a gateway that is shared among multiple clusters, multiple PaaS platforms, and multiple Elastic Compute Service (ECS) instances.

• Your cluster requires internal communication within hybrid clouds, multiple data centers, and multiple business domains.

• Your cluster requires authentication, flexible configuration, and enhanced security protection.

• Your cluster requires high QPS and high concurrency.

Item

Nginx Ingress

ALB Ingress

MSE Ingress

Service positioning

• Provides traffic management and advanced routing features at Layer 7.

• A cluster component that can be customized based on your business requirements.

• Provides traffic management and advanced routing features at Layer 7.

• Runs at the application layer, provides deep integration with containers, and supports different release policies, such as canary release, A/B testing, blue-green deployment, and traffic distribution by ratio.

• Provides ultra-large capacities and supports auto scaling and automated O&M.

• Supports integration with multiple cloud services, such as Web Application Firewall (WAF), Function Compute, PrivateLink, and transit routers (TRs).

• Integrates multiple network services to facilitate traffic routing across hybrid clouds, regions, and data centers.

• Serves as traditional traffic gateways, microservices gateways, and security gateways. You can use features such as hardware acceleration, WAF local protection, and the plug-in marketplace to build high-performance, highly-scalable, and easy-to-integrate cloud-native gateways that support hot updates.

• Provides traffic management and advanced routing features at Layer 7. Supports multiple service discovery modes and service canary release policies. The service canary release policies include canary release, A/B testing, blue-green deployment, and traffic distribution based on a custom traffic percentage.

• Targets application-layer load balancing scenarios, and are deeply integrated with container services. MSE Ingresses are directly connected to the IP addresses of pods to forward requests.

Service architecture

Provides extended features based on NGINX and Lua.

• Developed based on the Apsara Cloud Network Management platform.

• Developed based on the CyberStar platform and supports auto scaling.

• Developed based on the open source project Higress. Control planes are built based on Istiod and Envoy. For more information about Higress, visit Higress.

• Exclusive to individual users.

Basic routing

• Supports routing based on content and source IP addresses.

• Supports HTTP rewrites, redirects, overwrites, throttling, cross-origin resource sharing (CORS), and session persistence.

• Supports inbound and outbound forwarding rules. Outbound forwarding rules can be configured by adding Snippet configurations.

• Supports longest path matching for forwarding rules. When multiple paths are matched, the longest path is used.

• Supports routing based on content and source IP addresses.

• Supports HTTP rewrites, redirects, overwrites, throttling, CORS, and session persistence.

• Supports inbound and outbound forwarding rules.

• Requests are matched against forwarding rules in descending order of rule priority. When multiple paths are matched, the path whose forwarding rule number is the smallest has the highest priority for matching.

• Supports load balancing modes such as standard polling, least connections, and consistent hashing based on source IP addresses and URLs.

• Supports content-based routing.

• Supports features such as HTTP header rewrites, redirects, rewrites, throttling, CORS, timeouts, and retries.

• Supports load balancing modes such as standard polling, random, least connections, consistent hashing, and prefetching. In prefetching mode, the traffic that is forwarded to a backend server within the specified time window increases at a steady rate.

• Supports thousands of Ingress rules.

Protocol

• Supports HTTP and HTTPS.

• Supports WebSocket, WSS, and gRPC.

• Supports HTTP and HTTPS.

• Supports HTTP3.0, WebSocket, WSS, and gRPC.

• Supports HTTP and HTTPS.

• Supports HTTP 3.0, WebSocket, and gRPC.

• Supports conversion from HTTP/HTTPS to Dubbo.

Configuration change

• Reloading is required when you update non-backend endpoints. This affects persistent connections.

• Endpoint configuration changes are applied by using Lua hot updates.

• Processes are reloaded when you change the configuration of the Lua plug-in.

• Supports hot updates of configurations

• Calls API operations to apply configurations changes in real time.

• Supports hot updates of configurations, certificates, and plug-ins.

• The List-Watch mechanism is used to update configurations in real time.

Authentication

• Supports Basic Auth-based authentication.

• Supports the OAuth protocol.

Supports TLS-based authentication.

• Supports authentication based on Basic Auth, OAuth, JWT, and OIDC.

• Supports integration with Alibaba Cloud IDaaS.

• Supports custom authentication.

Performance

• Requires manual tuning to optimize system parameters and NGINX parameters.

• Requires proper configurations on the number of replicated pods and the amount of resources. For more information, see Usage notes of the NGINX Ingress controller.

• Support one million QPS per instance.

• Supports tens of millions of connections per instance.

• Uses SSL hardware for acceleration.

• When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingresses is about 90% higher than the TPS of open source NGINX Ingresses.

• Improves the performance of HTTPS by about 80% after hardware acceleration is enabled.

Observability

• Allows you to collect access logs.

• Allows you to configure monitoring and alerting by using Managed Service for Prometheus (Prometheus).

• Allows you to collect access logs by using Simple Log Service.

• Allows you to collect metrics by using CloudMonitor.

• Allows you to configure alerting based on CloudMonitor.

• Supports Tracing Analysis and SkyWalking.

• Allows you to collect access logs by using Simple Log Service and Prometheus.

• Allows you to configure monitoring and alerting by using Prometheus.

• Supports Tracing Analysis and SkyWalking.

O&M

• Requires manual O&M

• Allows you to configure Horizontal Pod Autoscaler (HPA)-based scaling

• Allows you to specify computing resource specifications for optimization.

• Fully managed and O&M-free.

• Supports auto scaling and automated configuration and provides ultra-large capacities.

• Supports auto scaling to handle traffic peaks,

Fully managed and O&M-free.

Security

• Supports HTTPS.

• Supports blacklists and whitelists.

• Supports end-to-end data transfer over HTTPS, server Name Indication (SNI) for multiple certificates, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) certificates, TLS 1.3, and TLS cipher suites.

• Supports WAF.

• Supports Anti-DDoS.

• Supports blacklists and whitelists.

• Supports end-to-end encryption for data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, and custom TLS versions.

• Supports WAF.

• Supports blacklists and whitelists.

Service governance

• Supports service discovery in ACK clusters.

• Supports canary releases.

• Supports traffic throttling for high availability.

• Supports service discovery in ACK clusters.

• Supports canary releases.

• Supports traffic throttling for high availability.

• Supports service discovery based on Kubernetes, Nacos, ZooKeeper, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), DNS, and static IP addresses.

• Allows you to use canary releases to release more than two application versions, supports tag-based routing, and supports end-to-end canary releases based on MSE service governance.

• MSE Ingresses are integrated with Sentinel to support throttling, circuit breaking, and degradation.

• Service testing supports service mocking.

Scalability

Supports Lua for configuring extended features.

Supports AScript, which can be used to configure extended features. For more information, see AScript overview.

• Uses the WebAssembly plug-in to support multiple programming languages.

• Supports Lua for configuring extended features.

Cloud-native support

A component that requires manual maintenance and can be used in ACK clusters and ACK Serverless clusters. For more information, see Ingress overview.

• Supports multiple cloud services, such as WAF, Function Compute, PrivateLink, and TRs.

• A managed component that can be used in ACK clusters and ACK Serverless clusters.

A user-side component that can be used in ACK clusters and ACK Serverless clusters and supports seamless integration with the key annotations of NGINX Ingresses. For more information about the annotations supported by MSE Ingresses, see Annotations supported by MSE Ingress gateways.