Overview
As support for Nginx Ingress ends, users must migrate to a new gateway solution. Alibaba Cloud's Cloud-native API Gateway is a unified product that integrates a traffic gateway, microservice gateway, and security gateway. It provides a smooth migration path and feature upgrades for Nginx Ingress users.
Cloud-native API Gateway supports two core configuration modes to meet different management needs and use cases:
Listen to Kubernetes Ingress (Ingress mode): The gateway runs as an APIG Ingress Controller. It is compatible with Kubernetes Ingress resources and annotations supported by APIG Ingress. This mode is suitable for teams that want to continue using native Kubernetes workflows, such as GitOps.
Configure APIs in the console (API management mode): You can configure the gateway through the Alibaba Cloud Management Console or OpenAPI. This mode provides full API lifecycle management, advanced security policy configuration, and API operation capabilities. It is suitable for scenarios that require centralized governance and fine-grained control.
This document compares the features, advantages, and scenarios of the two modes to help you choose the best configuration.
Mode one: Listen to K8s Ingress (Ingress mode)
In this mode, the Cloud-native API Gateway is deployed as a Kubernetes cluster's Ingress Controller to manage the cluster's north-south traffic.
Core advantages
Smooth migration: Offers a path to migrate a self-managed Nginx Ingress to Cloud-native API Gateway. This process minimizes migration costs and the risk of business disruption for Nginx Ingress users.
Maintain Kubernetes-native workflows: Fully compatible with Kubernetes Ingress resources and annotations. Teams can continue to use existing workflows, such as kubectl apply and GitOps, to manage routing rules.
Enhanced features: Builds on Nginx Ingress compatibility by providing more powerful administration capabilities, such as global rate limiting.
Scenarios
This mode is ideal for migrating existing Nginx Ingress users. It is also suitable for teams that are Kubernetes-centric and rely on GitOps to manage application releases. Development and operations teams can use this mode to quickly implement cluster traffic routing and basic administration.
Feature details
For a complete list of Ingress capabilities supported by the APIG Ingress Controller, see Annotations supported by APIG Ingress and Advanced usage of APIG Ingress.
High compatibility with Nginx Ingress annotations
APIG Ingress, the Ingress Controller for Cloud-native API Gateway, supports most Nginx Ingress annotations. It supports 51 annotations, which cover 90% of user scenarios. You can migrate existing Kubernetes Ingress YAML files without major changes.
Examples of key compatible annotations:
Feature category | Compatible Nginx annotations (nginx.ingress.kubernetes.io/) |
Routing and rewrite | rewrite-target use-regex upstream-vhost |
Traffic splitting | canary canary-by-header canary-weight |
Security and cross-domain | enable-cors cors-allow-methods ssl-redirect force-ssl-redirect |
Timeout and retry | proxy-next-upstream proxy-next-upstream-tries |
IP access control | whitelist-source-range |
Feature enhancements (Higress annotations)
This mode is not only compatible with Nginx but also provides advanced features that Nginx Ingress lacks. These features are available through annotations with the higress.ingress.kubernetes.io/ prefix and include the following:
Traffic warmup. Nginx issue: This feature is not available.
APIG Ingress solution: Provides the native higress.ingress.kubernetes.io/warmup annotation. This ensures that when a new node comes online, traffic gradually increases over a specified warmup window. This process allows the new node to warm up completely.
Global rate limiting. Nginx issue: The nginx.ingress.kubernetes.io/limit-rps annotation implements per-pod rate limiting. The total limit is the limit value multiplied by the number of pods, which is difficult to control precisely.
APIG Ingress solution: The higress.ingress.kubernetes.io/rate-limit annotation provides global rate limiting across all gateway instances. This lets you precisely control the total queries per second (QPS).
Global concurrency control. Nginx issue: Lacks a simple and effective way to control global concurrency.
APIG Ingress solution: The higress.ingress.kubernetes.io/concurrency-limit annotation provides a global concurrency limit. This protects backend services from sudden traffic spikes.
Traffic mirroring. Nginx issue: Lacks traffic mirroring capabilities. Requires writing Lua scripts.
APIG Ingress solution: Provides the native higress.ingress.kubernetes.io/mirror-target-service annotation. This lets you easily replicate traffic to a test service for shadow testing in a production environment.
Configure APIs in the console (API Management pattern)
In this mode, Cloud-native API Gateway acts as a centralized API management platform. You can define and manage APIs through the Alibaba Cloud Management Console, or using an API or Terraform. This mode upgrades your capabilities from simple route forwarding to full API administration.
Core advantages
Centralized administration: Allows platform teams, architects, or security teams to manage all APIs from a unified view and enforce security, compliance, and traffic policies.
Full lifecycle management: Supports the complete API lifecycle, from design, development, and testing to publishing and unpublishing. This includes version control, release auditing, and one-click rollbacks.
Advanced security capabilities: Natively integrates complex authentication mechanisms, such as OpenID Connect (OIDC), JWT, and custom authentication and authorization.
API operations and ecosystem: Supports consumer management, subscription relationships, and call quotas for APIs. This enables the API economy.
Scenarios
This mode is ideal for enterprises that need fine-grained, centralized administration of APIs. It is also suitable for businesses with high requirements for API security and identity authentication, teams that need to manage API versions, perform phased releases, and conduct audits, and scenarios where you build an open platform and need to manage third-party developers (consumers) and their call quotas.
Feature details
Complete API lifecycle management
This mode supports full lifecycle management for APIs, from design, development, and testing to publishing and unpublishing. This includes:
Version control: Supports multiple API versions, such as v1 and v2, to be online at the same time. You can also manage their publishing status.
Publishing and rollbacks: Provides a history of API publications and supports one-click rollbacks to any previous version.
Advanced enterprise-grade security
This mode provides security capabilities far beyond the Ingress mode. It separates complex authentication logic from backend services. Features include the following:
Rich authentication and authorization: Natively supports JWT and OIDC. It can also integrate with Alibaba Cloud IDaaS.
Multilayer defense: Deeply integrates with Web Application Firewall (WAF). Supports mutual authentication (mTLS), IP blacklists and whitelists, and custom security plugins.
Powerful extensibility
Plugin marketplace: Offers a rich selection of official plugins covering authentication, security, traffic, and more. It also supports uploading custom plugins.
Hot updates: The gateway supports hot updates for plugins and configurations without restarting instances. This ensures high availability (HA) for your business.
API operations and multi-source service discovery
API ecosystem: Provides a consumer management feature. You can manage API call quotas and subscription rules.
Multi-source discovery: Backend services are not limited to Kubernetes clusters. The gateway can also discover services from multiple sources, such as Nacos, Function Compute (FC), and fixed addresses or domain names.
Mode comparison summary
Dimension | Mode One: K8s Ingress mode | Mode Two: Console API mode |
Core positioning | K8s Ingress Controller, traffic routing | Unified API management platform |
Configuration method | K8s YAML | Alibaba Cloud Management Console / API / Terraform |
Management workflow | GitOps / kubectl apply | UI/API-driven |
Nginx migration | Provides a one-click migration tool. | Requires redefining APIs and configuring policies |
API lifecycle | None. Bound to the K8s resource lifecycle | Complete. Supports design, development, testing, publishing, versioning, and unpublishing |
Extensibility | Limited. Restricted by supported annotations | High. Rich plugin marketplace + hot updates for custom plugins |
Service discovery | K8s-native. Automatically discovers K8s services | Multi-source. Supports K8s (ACK), Nacos, FC, fixed addresses, and more |
API operations | None | Complete. Supports consumer management, subscriptions, and quota management |
How to choose: Recommended migration and evolution paths
Scenario one: Smooth migration
Target users: Teams that prioritize migration speed and want to maintain their existing Kubernetes workflows.
Recommended solution: Use Mode One: Kubernetes Ingress mode.
Steps:
Use the official migration tool to migrate your Nginx Ingress configuration to Cloud-native API Gateway.
Review the migration report and handle any incompatible annotations. You can submit a ticket for assistance.
(Optional) Replace the original configuration with
higress.ingress.kubernetes.io/annotations to enable advanced features, such as global rate limiting.
Scenario two: New service architecture
Target users: Enterprises building a new API platform or those with high requirements for security and administration.
Recommended solution: Use the API management mode.
Steps:
In the console, you can define APIs and configure security policies, such as OIDC or JWT, and rate limiting policies.
You can use the gateway's service discovery feature to point the API backend to services in an ACK cluster or other service sources.
Scenario three: Progressive evolution (recommended strategy)
Target users: Most organizations that need to migrate existing services and also want to gradually improve their administration capabilities.
Recommended solution: Start with Mode One and progressively evolve to Mode Two.
Steps:
Migration: First, use Mode One (Ingress) to complete a smooth migration of all Nginx Ingress configurations. This step quickly resolves the Nginx end-of-life (EOL) issue.
Administration: Identify the core APIs in your organization, such as external-facing APIs, high-security APIs, or APIs that require fine-grained management.
Evolution: Progressively onboard the core APIs to Mode Two (Console). In the console, you can configure advanced policies for these APIs, such as JWT authentication, WAF protection, and consumer quotas. Other non-core APIs can continue to run in Mode One.
Route priority explanation:
For routes with the same domain name and path, APIs created in the console have a higher priority than routes synced from an Ingress. Therefore, during migration, you can configure routes one by one in the console. If you find an issue, you can immediately revert to the Ingress mode by deleting the console configuration.
Route priority is controlled at the individual route level, not for the entire domain. This means you can use the new console configuration for some paths under the same domain name, while other paths continue to use the Ingress configuration. You should migrate only Ingress routes with identical matching conditions step by step. Proceed path by path to avoid migrating all routes for an entire domain at once.
Example:
Scenario: You have a domain name, example.com, and need to progressively migrate from an Ingress configuration to a console configuration.
1. Initial state (Ingress configuration only)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service-v1
port:
number: 8080
- path: /web
pathType: Prefix
backend:
service:
name: web-service-v1
port:
number: 80At this point, the API Gateway automatically generates the following routes:
/api → api-service-v1:8080
/web → web-service-v1:80
2. During migration (configure the /api path in the console)
In the console, you can create a route for example.com and configure the /api path to point to the new service version, api-service-v2:8080.
The actual order of the merged routes is now:
1. /api → api-service-v2:8080 (Console configuration, matched first)
2. /api → api-service-v1:8080 (Ingress configuration, not matched)
3. /web → web-service-v1:80 (Ingress configuration, takes effect)Result:
Accessing example.com/api/* → Routes to api-service-v2 (console configuration takes effect)
Accessing example.com/web/* → Routes to web-service-v1 (Ingress configuration takes effect)
3. Find an issue and roll back quickly
If you find that api-service-v2 is abnormal, you can simply delete the /api route configuration in the console.
The route order after deletion is:
1. /api → api-service-v1:8080 (Ingress configuration, restored immediately)
2. /web → web-service-v1:80 (Ingress configuration)Result: Traffic immediately rolls back to api-service-v1, which is configured in the Ingress. You do not need to modify the Ingress or restart any services.
4. Complete migration (configure all paths in the console)
After you configure the /web path in the console:
1. /api → api-service-v2:8080 (Console configuration)
2. /web → web-service-v2:80 (Console configuration)
3. /api → api-service-v1:8080 (Ingress configuration, not matched)
4. /web → web-service-v1:80 (Ingress configuration, not matched)At this point, all traffic is controlled by the console configuration. You can safely delete the corresponding Ingress configuration.