All Products
Search

This Product

    Container Service for Kubernetes:Choose a gateway for Knative

    Document Center

    Container Service for Kubernetes:Choose a gateway for Knative

    Last Updated:Mar 26, 2026

    ACK Knative supports three gateway types for ingesting and routing external traffic: Application Load Balancer (ALB), Service Mesh (ASM), and Kourier. This topic compares them across product positioning, service architecture, basic routing, operations and maintenance (O&M) capabilities, performance, supported protocols, and observability to help you select the right gateway.

    Choose a gateway

    Start with Kourier if you need a lightweight gateway for basic Knative Serving traffic. It requires manual tuning and self-managed components, but has no additional managed service dependency.

    Choose ALB if your workloads require high throughput (up to 1 million QPS), automatic scaling, or integration with other Alibaba Cloud services such as Web Application Firewall (WAF), Function Compute (FC), PrivateLink, and Transit Router (TR).

    Choose ASM if you already run a service mesh or need advanced multi-cluster traffic management, fine-grained routing, secure inter-service communication, or chaos engineering capabilities.

    Gateway overview

    • ALB: A fully managed gateway based on Alibaba Cloud ALB. Provides high-capacity traffic management with automatic scaling and no O&M overhead.

    • ASM: A managed, Istio-compatible platform for unified traffic management. Supports traffic shaping, mesh observability, and secure inter-service communication. Helps you manage services that run on heterogeneous computing infrastructure.

    • Kourier: A lightweight, open source gateway from the Knative community, built on Envoy. Provides essential routing and service discovery.

    Gateway comparison

    Type

    ALB

    ASM

    Kourier

    Product positioning

    • Layer 7 load balancing tightly integrated with container technology. Suitable for high-capacity workloads that require automatic scaling.

    • Supports application-layer protocols: HTTP, HTTPS, and QUIC.

    • Supports canary releases, A/B testing, and blue-green deployments. Integrates with WAF, FC, PrivateLink, and TR.

    A fully managed service mesh platform compatible with open source Istio. Manages traffic routing and splitting, ensures secure inter-service communication, and provides mesh observability. Reduces operational overhead for development and O&M teams.

    A lightweight Envoy-based gateway for Knative Serving. Provides essential routing and service discovery.

    Service architecture

    • Built on the Alibaba Cloud Apsara Cloud Network platform.

    • Based on the self-developed CyberStar platform with automatic scaling.

    • Fully managed Istio control plane, compatible with the Istio community.

    • A single ASM instance can support services across multiple Kubernetes clusters or services running on Elastic Container Instance (ECI) pods.

    • Based on Envoy.

    • Replica count and resource limits require manual configuration.

    Basic routing

    • Content-based and source IP-based routing.

    • HTTP header modification, redirection, rewrite, throttling, cross-domain access, and session persistence.

    • Forwarding rules for both requests and responses.

    • Custom traffic routing rules.

    • Multi-cluster routing across Kubernetes clusters.

    • Fine-grained traffic management.

    • Out-of-the-box chaos engineering capabilities.

    • Content-based routing.

    • HTTP header modification.

    O&M capabilities

    • Fully managed and configuration-free.

    • Automatic scaling; supports ultra-large capacity.

    • Processing capacity scales automatically with business traffic.

    • One-click installation, deployment, and upgrades.

    • Managed control plane components.

    • Lets you focus on business application development.

    • Compatible with Istio community specifications.

    • Self-managed components.

    • Scales via Horizontal Pod Autoscaler (HPA) configurations.

    • Requires proactive configuration for performance tuning.

    Performance

    • Single instance: up to 1 million QPS (queries per second).

    • Single instance: tens of millions of concurrent connections.

    • SSL hardware acceleration enabled by default.

    • Supports multi-region deployment with low-latency access via intelligent DNS parsing.

    • Access ASM gateway instances via Classic Load Balancer (CLB).

    • The commercial edition supports TLS acceleration using Intel's Multi-Buffer technology, improving QPS by 80% in tests.

    Performance depends on manual tuning. Higher load requires proactive HPA and resource configuration.

    Supported protocols

    HTTP, HTTPS, QUIC, WebSocket, WSS, and gRPC.

    • HTTPS with dynamic certificate loading.

    • gRPC access through the ingress gateway, including traffic switching between two gRPC service versions.

    • Protocol transcoding: access gRPC services using HTTP/JSON.

    • WebSocket access through the ingress gateway.

    HTTP, HTTPS, and gRPC.

    Observability

    • Log collection via access logs and metrics.

    • Simple Log Service (SLS) integration for access logs.

    • CloudMonitor integration for metrics.

    • Alerting via CloudMonitor.

    • Mesh topology visualization for traffic analysis.

    • Self-managed Prometheus integration.

    • Application Real-Time Monitoring Service (ARMS) integration.

    • SLS integration.

    • Custom monitoring metrics.

    • Service-level objective (SLO) policies.

    Log collection via access logs only.

    ALB is optimized for application-layer load balancing at scale. ASM provides full service mesh (Istio) capabilities for teams managing microservices. Kourier is the right choice for basic gateway needs.

    What's next

    To enable a gateway in Knative, see Use an ALB gateway, Use an ASM gateway, and Use a Kourier gateway.