Container Service for Kubernetes: Comparison among Nginx Ingresses, ALB Ingresses, and MSE Ingresses

Last Updated: Dec 11, 2025

Both ACK managed clusters and ACK Serverless clusters support Nginx Ingress, ALB Ingress, and MSE Ingress for exposing container services and managing routing. Nginx Ingress requires self-maintenance, whereas ALB Ingress and MSE Ingress provide fully managed gateways. This topic compares the features, architecture, and performance of Nginx Ingress, ALB Ingress, and MSE Ingress across scenarios and workflows to help you select a suitable Ingress type.

Background information

  • Nginx Ingress: A Layer 7 traffic management solution with advanced routing features, based on the open-source community Ingress NGINX Controller. It is fully compatible with the upstream community and supports extensibility. This component is maintained by the user, with no SLA guarantee, and allows for extensive customization.

  • ALB Ingress: Alibaba Cloud's proprietary cloud-native Ingress gateway, compatible with Nginx Ingress. It has a fully managed, integrated design, supports SSL hardware acceleration, and offers automatic elasticity, low latency, and complex business routing capabilities. A single ALB instance can handle up to 1 million QPS, providing robust Ingress traffic management features. For more information about the ALB Ingress cloud-native gateway, see ALB Ingress management.

  • MSE Ingress: The enterprise edition of Alibaba Cloud's open-source Higress, compatible with Nginx Ingress and ideal for microservices scenarios. It supports multiple service discovery methods, authentication, and authorization, along with multi-language plug-in extensions. Key capabilities include canary release, prefetch, and throttling. A single MSE cloud-native gateway instance can handle up to 1 million QPS, offering advanced Ingress traffic management features.

Scenarios

Type | Typical scenarios

Nginx Ingress

  • Highly customized gateway.

  • Canary release and blue-green deployment for cloud-native applications.

ALB Ingress

  • Fully managed gateway and components, free of O&M.

  • High-performance auto scaling for Internet applications at Layer 7.

  • Multi-level high availability with an SLA of up to 99.995%.

  • Canary release and blue-green deployment for cloud-native applications.

  • Mixed mounting of multiple cloud services that share a single ALB instance.

  • Disaster recovery in multiple scenarios such as hybrid cloud and cross-region on the cloud.

  • Ultra-high QPS and many concurrent connections.

MSE Ingress

  • Fully managed gateway, free of O&M.

  • Microservices model, service discovery with Nacos and ZooKeeper, throttling with Sentinel, HTTP to Dubbo protocol transformation, and integration with OpenTelemetry.

  • North-south traffic scenarios, where backend service discovery supports multiple modes such as traditional registration centers like Nacos, Kubernetes, DNS, and fixed IP.

  • East-west traffic scenarios, where it supports internal communication within hybrid clouds, multiple data centers, and multiple business domains, and integrates seamlessly with Service Mesh systems.

  • Sharing a gateway instance among multiple container clusters, PaaS platforms, and ECS services.

  • Internal communication within hybrid clouds, multiple data centers, and multiple business domains.

  • High security protection requirements with flexible authentication and authorization settings.

  • Ultra-high traffic and high concurrency business.

Workflow diagram

The workflow diagrams show how Nginx Ingress, ALB Ingress, and MSE Ingress differ in the way they work. Each traces a request for www.example.net/app from the requested domain name to the container service that it is forwarded to.

Nginx Ingress

The Nginx Ingress Controller integrates both the control plane and the data plane. Each Nginx Ingress Controller Pod contains a Controller process (control plane) and Nginx-related processes (data plane), handling both configuration traffic and user request traffic.

ALB Ingress

The ALB Ingress Controller dynamically updates the ALB instance based on changes in Ingress resources and AlbConfig resources obtained through the API Server. Unlike the Nginx Ingress Controller, the ALB Ingress Controller is a managed component that serves as the control plane for the ALB instance and does not directly handle user request traffic. User traffic forwarding is implemented by the ALB instance.

MSE Ingress

The MSE Ingress Controller monitors MseIngressConfig resources in the cluster and coordinates MSE cloud-native gateway instances to implement traffic management rules specified in the Ingress resource description. Unlike the Nginx Ingress Controller, the MSE Ingress Controller manages MSE cloud-native gateway instances and configurations as the control plane and does not directly handle user request traffic. The routing and forwarding of user traffic are implemented by the MSE cloud-native gateway instance.

Features

Comparison Item | Nginx Ingress | ALB Ingress | MSE Ingress

Service Scope

  • Manages Layer 7 traffic and offers advanced routing capabilities.

  • Highly customizable standalone component.

  • Manages Layer 7 traffic and offers advanced routing capabilities.

  • Tailored for application-layer load scenarios, deeply integrated with container services, and supports multiple service canary release strategies, including canary release, A/B testing, blue-green deployment, and custom traffic distribution.

  • Supports large capacity, automatic scaling, and maintenance-free operation.

  • Integrates with various cloud services such as WAF, FC, PrivateLink, and transit routers (TR).

  • Supports integration with multiple network products to achieve hybrid mounting, cross-region mounting, and local IDC mounting.

  • Merges traditional, microservices, and security gateways, leveraging hardware acceleration, WAF local protection, and a plug-in marketplace to create a high-performance, scalable, and easily integrated cloud-native gateway with support for hot updates.

  • Provides Layer 7 traffic management and advanced routing features. Supports multiple service discovery methods and service canary release strategies, including canary release, A/B testing, blue-green deployment, and custom traffic distribution.

  • Designed for application-layer load scenarios, deeply integrated with container services, and connects directly to backend pod IPs for request forwarding.

Architecture

Built on Nginx with Lua plug-in extensions.

  • Constructed on the Cloud Network Management platform.

  • Developed on the CyberStar platform with auto-scaling capabilities.

  • Based on the open-source Higress project, with Istiod as the control plane and Envoy as the data plane. For more information about the Higress project, see Higress project.

  • Exclusively available to users.

Basic Routing

  • Routes based on content and source IP.

  • Supports HTTP rewrites, redirects, overwrites, throttling, CORS, and session persistence.

  • Handles inbound and outbound forwarding rules, with outbound rules configurable via extended Snippet.

  • Matches forwarding rules based on the longest path, prioritizing the longest match when multiple paths are found.

  • Routes based on content and source IP.

  • Supports HTTP rewrites, redirects, overwrites, throttling, CORS, and session persistence.

  • Handles inbound and outbound forwarding rules.

  • Matches forwarding rules from high to low priority, with smaller rule numbers taking precedence.

  • Supports standard load balancing methods such as round-robin, least connections, and consistent hashing based on source IP and URL parameters.

  • Routes based on content.

  • Supports HTTP rewrites, redirects, overwrites, throttling, CORS, timeout, and retry.

  • Offers standard load balancing methods such as round-robin, random, minimum connections, consistent hashing, and prefetching, with prefetching allowing for a gradual traffic increase to a backend within a specified time window.

  • Supports thousands of routing rules.

Supported Protocols

  • Supports HTTP and HTTPS.

  • Supports WebSocket, WSS, and gRPC.

  • Supports HTTP and HTTPS.

  • Supports HTTP 3.0, WebSocket, WSS, and gRPC.

  • Supports HTTP and HTTPS.

  • Supports HTTP 3.0, WebSocket, and gRPC.

  • Facilitates HTTP/HTTPS to Dubbo protocol conversion.

Configuration Change

  • Non-backend endpoint changes necessitate process reloading, disrupting persistent connections.

  • Endpoint changes are dynamically applied using Lua for hot updates.

  • Lua plug-in changes require process reloading.

  • Enables hot updates for configurations.

  • Utilizes OpenAPI for real-time configuration changes.

  • Supports hot updates for configurations, certificates, and plug-ins.

  • Employs List-Watch mechanism for immediate configuration change effects.

Authentication

  • Supports Basic Auth.

  • Supports OAuth.

Supports TLS-based authentication.

  • Supports Basic Auth, OAuth, JWT, and OIDC authentication.

  • Integrates with Alibaba Cloud IDaaS.

  • Enables custom authentication methods.

Performance

  • Handles up to 1 million QPS per instance.

  • Supports tens of millions of concurrent connections per instance.

  • Utilizes SSL hardware acceleration by default.

  • Offers up to 90% higher TPS than open-source Nginx Ingress at 30-40% CPU utilization.

  • Hardware acceleration enhances HTTPS performance by approximately 80%.

Observability

  • Enables access log collection.

  • Facilitates monitoring and alerting configuration with Prometheus.

  • Allows access log collection via Log Service.

  • Supports metric collection through CloudMonitor.

  • Enables alert configuration with CloudMonitor.

  • Integrates tracing capabilities with TracingAnalysis and SkyWalking.

  • Enables the collection of access logs by integrating Log Service and Alibaba Cloud Prometheus.

  • You can set up monitoring and alerts with Alibaba Cloud Prometheus.

  • Integrates tracing capabilities with TracingAnalysis and SkyWalking.

O&M Capabilities

  • Requires manual operations and maintenance.

  • Supports scaling based on Horizontal Pod Autoscaling (HPA).

  • Allows specification of computing resources for performance optimization.

  • Provides a fully managed gateway and components, eliminating O&M tasks.

  • Supports automatic scaling and configuration, offering large capacities.

  • Automatically scales to manage traffic surges.

Offers a fully managed gateway, free from O&M responsibilities.

Security

  • Supports HTTPS protocol.

  • Enables blacklisting and whitelisting.

  • Facilitates end-to-end HTTPS data transfer, SNI for multiple certificates, RSA and ECC certificates, TLS 1.3, and TLS cipher suites.

  • Integrates WAF for protection.

  • Includes DDoS protection through the Alibaba Cloud Anti-DDoS service.

  • Enables blacklisting and whitelisting.

  • Supports end-to-end HTTPS data transfer, SNI for multiple certificates, and configurable TLS versions.

  • Offers route-level WAF protection.

  • Enables route-level blacklisting and whitelisting.

Billing

  • CLB instance: CLB billing.

  • Resource overhead for nginx-ingress-controller starts at 0.2 vCPU and 200 MiB memory.

    Note

    Billing details depend on actual resource usage and ECS node fees. For more information, see ECS billing overview.

  • ALB instance: ALB billing overview.

  • The alb-ingress-controller is a managed component without resource overhead.

Component Management

For more information, see Manage Nginx Ingress Controller components.

For more information, see Manage ALB Ingress Controller components.

For more information, see Manage MSE Ingress Controller components.

Service Administration

  • Provides service discovery within Kubernetes clusters.

  • Supports both canary releases and blue-green deployments to facilitate phased rollouts of services.

  • Provides throttling to ensure service high availability.

  • Enables service discovery within Kubernetes clusters.

  • Supports canary release and blue-green deployment for service updates.

  • Enables throttling to ensure service availability.

  • Supports service discovery across Kubernetes, Nacos, ZooKeeper, EDAS, SAE, DNS, and fixed IPs.

  • Facilitates canary release for multiple versions, tag-based routing, and comprehensive canary release in conjunction with MSE service administration.

  • Integrates Sentinel for throttling, circuit breaking, and service degradation within MSE service administration.

  • Enables service mocking for testing purposes.

Extensibility

Supports Lua for extended feature configuration.

Supports AScript for extended feature configuration. For more details, see AScript overview.

  • Employs Wasm plug-ins for multi-language development.

  • Supports Lua for extended feature configuration.

Cloud-native Integration

Requires manual component management and integrates with Alibaba Cloud ACK or ACK Serverless container services. For more information, see Ingress management.

  • Integrates with multiple cloud services such as WAF, FC, PrivateLink, and transit routers.

  • Managed components work in tandem with Alibaba Cloud ACK or ACK Serverless container services.

User-side components integrate with Alibaba Cloud ACK or ACK Serverless container services, offering seamless conversion of core Nginx Ingress annotations. For more information about the annotations that MSE Ingress supports, see Annotations supported by MSE Ingress.
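
The Basic Routing row states that Nginx Ingress prefers the longest matching path, while ALB Ingress evaluates rules from high to low priority with smaller rule numbers first. The following added example (not Alibaba Cloud code) models both behaviors with simplified whole-segment prefix matching and reports the paths that the two models route differently, a check worth running before moving a rule set from one gateway to the other. The rule set, the order field, and the backend names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    order: int     # rule number as configured (hypothetical field); smaller = higher priority
    prefix: str    # path prefix to match
    backend: str   # hypothetical backend Service name

def _matches(prefix, path):
    # Whole-segment prefix match: "/app" matches "/app" and "/app/x" but not "/apple".
    p = prefix.rstrip("/")
    return p == "" or path == p or path.startswith(p + "/")

def route_longest_path(rules, path):
    """Longest-path model: of all matching rules, the longest prefix wins."""
    hits = [r for r in rules if _matches(r.prefix, path)]
    return max(hits, key=lambda r: len(r.prefix.rstrip("/")), default=None)

def route_by_priority(rules, path):
    """Priority model: of all matching rules, the smallest rule number wins."""
    hits = [r for r in rules if _matches(r.prefix, path)]
    return min(hits, key=lambda r: r.order, default=None)

def divergent_paths(rules, paths):
    """Return (path, longest-path backend, priority backend) where the models disagree."""
    out = []
    for path in paths:
        a = route_longest_path(rules, path)
        b = route_by_priority(rules, path)
        backend_a = a.backend if a else None
        backend_b = b.backend if b else None
        if backend_a != backend_b:
            out.append((path, backend_a, backend_b))
    return out

# Constructed rule set: a broad /app rule is numbered ahead of a narrower
# /app/admin rule whose backend is assumed to enforce stricter access control.
RULES = [
    Rule(1, "/app", "app-svc"),
    Rule(2, "/app/admin", "admin-svc"),
    Rule(3, "/", "default-svc"),
]
PATHS = ["/app", "/app/admin/users", "/apple", "/health"]

for path, longest, priority in divergent_paths(RULES, PATHS):
    print(f"{path}: longest-path -> {longest}, priority order -> {priority}")
```

Under the priority model the broad /app rule shadows /app/admin, so the narrower rule must be given a smaller rule number to keep the routing that the longest-path model produced.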
