Container Service for Kubernetes (ACK) and ACK Serverless support three Ingress types: NGINX Ingress, Application Load Balancer (ALB) Ingress, and Microservices Engine (MSE) Ingress. The key differentiator is the management model — NGINX Ingress requires manual O&M, while ALB Ingress and MSE Ingress are fully managed and O&M-free. Use the comparisons below to choose the right Ingress for your workload.
When to use each Ingress type
Choose NGINX Ingress when you need deep gateway customization or full control over the gateway configuration. Common use cases:
- Highly customized gateway behavior not available in managed offerings
- Canary releases and blue-green deployments for cloud-native applications
Choose ALB Ingress when you need a fully managed, high-performance gateway for Internet-facing Layer 7 traffic. Common use cases:
- Fully managed gateways with no O&M burden
- High-performance auto scaling for Internet applications at Layer 7
- Canary releases and blue-green deployments for cloud-native applications
- High QPS and a large number of concurrent connections
Choose MSE Ingress when you need unified traffic management across microservices, multiple clusters, or hybrid environments, or when you need advanced authentication and end-to-end canary releases. Common use cases:
- Centralized management of north-south and east-west traffic, microservices gateways, and end-to-end canary releases
- Shared gateway across multiple clusters, multiple PaaS platforms, and multiple Elastic Compute Service (ECS) instances
- Internal communication within hybrid clouds, multiple data centers, and multiple business domains
- Authentication, flexible configuration, and enhanced security protection
- High QPS and high concurrency
Feature comparison
| Category | NGINX Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Service positioning | Layer 7 traffic management and advanced routing. A cluster component you can customize based on your business requirements. | Layer 7 traffic management and advanced routing. Deeply integrated with containers and supports canary release, A/B testing, blue-green deployment, and traffic distribution by ratio. Provides ultra-large capacities with auto scaling and automated O&M. Integrates with Web Application Firewall (WAF), Function Compute, PrivateLink, and transit routers. | Serves as a traditional traffic gateway, microservices gateway, and security gateway. Supports hardware acceleration, WAF local protection, and the WebAssembly plug-in marketplace to build high-performance, scalable, cloud-native gateways with hot updates. Layer 7 traffic management with multiple service discovery modes and canary release policies (canary release, A/B testing, blue-green deployment, and custom traffic percentage). Directly connects to pod IP addresses to forward requests. |
| Architecture | Extended from NGINX and Lua. | Based on the Cloud Network Management platform and the CyberStar platform, which supports auto scaling. | Based on the open source project Higress. Control planes are built on Istiod and Envoy. Exclusive to individual users. |
| Basic routing | Content-based routing. HTTP rewrites, redirects, overwrites, throttling, and session persistence. | Content-based routing and routing by source IP address. HTTP rewrites, redirects, overwrites, throttling, cross-origin resource sharing (CORS), and session persistence. Inbound and outbound forwarding rules. | Content-based routing. HTTP header rewrites, redirects, rewrites, throttling, CORS, timeouts, and retries. Load balancing modes: round-robin (RR), random, minimum connections, consistent hashing, and prefetching. Supports thousands of Ingress rules. |
| Protocol | HTTP, HTTPS, QUIC (Quick UDP Internet Connections), WebSocket, WSS, and gRPC. | HTTP, HTTPS, QUIC, WebSocket, WSS, and gRPC. | HTTP, HTTPS, HTTP 3.0, WebSocket, and gRPC. Supports conversion from HTTP/HTTPS to Dubbo. |
| Configuration change | Certificate changes reload processes and may interrupt persistent connections — a consideration for workloads with long-lived connections such as WebSocket or gRPC. Non-certificate configuration changes use Lua-based hot updates. Lua plug-in configuration changes also reload processes. | Configuration changes via API operations, which is more efficient than the List-Watch mechanism. | Hot updates for configurations, certificates, and plug-ins. The List-Watch mechanism syncs configuration changes in real time. |
| Authentication | Basic Auth and OAuth. | TLS-based authentication. | Basic Auth, OAuth, JWT, and OpenID Connect (OIDC). Integrates with Alibaba Cloud IDaaS. Supports custom authentication. |
| Performance | Requires manual tuning of system and NGINX parameters. Requires proper pod replica count and resource configurations. | Supports one million QPS and tens of millions of connections per instance. Uses SSL hardware acceleration. | At 30%–40% CPU utilization, TPS is approximately 90% higher than open source NGINX Ingress. HTTPS performance improves by approximately 80% after hardware acceleration is enabled. |
| Observability | Collect access logs. Configure Prometheus monitoring. | Collect access logs via Log Service. Collect metrics via CloudMonitor. Configure alerting based on CloudMonitor. | Collect access logs via Log Service and Managed Service for Prometheus. Configure monitoring and alerting based on Managed Service for Prometheus. Supports Tracing Analysis and SkyWalking. |
| O&M | Manual O&M. Supports Horizontal Pod Autoscaler (HPA)-based scaling. Specify computing resource specifications for optimization. | Fully managed and O&M-free. Auto scaling and automated configuration with ultra-large capacities. Handles traffic spikes automatically. | Fully managed and O&M-free. |
| Security | HTTPS. Blacklists and whitelists. | End-to-end HTTPS, Server Name Indication (SNI) for multiple certificates, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) certificates, TLS 1.3, and TLS cipher suites. WAF. Anti-DDoS. Blacklists and whitelists. | End-to-end HTTPS encryption, SNI for multiple certificates, and custom TLS versions. WAF. Blacklists and whitelists. |
| Service governance | Service discovery in Kubernetes clusters. Canary releases. Throttling for high availability. | Service discovery in Kubernetes clusters. Canary releases. Throttling for high availability. | Service discovery based on Kubernetes, Nacos, ZooKeeper, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), DNS, and static IP addresses. Canary releases for more than two application versions, tag-based routing, and end-to-end canary releases based on MSE service governance. Integrated with Sentinel for throttling, circuit breaking, and degradation. Service mocking. |
| Extended features | Lua for configuring extended features. | AScript for configuring extended features. For more information, see AScript overview. | WebAssembly plug-in supporting multiple programming languages. Lua for configuring extended features. |
| Cloud-native support | Supports NGINX Service Mesh. A manually maintained component available in ACK clusters and ACK Serverless clusters. | Supports WAF, Function Compute, PrivateLink, and transit routers. A managed component available in ACK clusters and ACK Serverless clusters. | A user-side component available in ACK clusters and ACK Serverless clusters. Supports seamless integration with the key annotations of NGINX Ingresses. For more information, see Annotations supported by MSE Ingress gateways. |