ACK managed clusters and ACK Serverless clusters support three Ingress types for exposing container services and managing traffic routing:
Nginx Ingress -- Based on the open-source Ingress NGINX Controller. Self-managed with no SLA guarantee. Best for teams that need full control over Nginx configuration and Lua extensions.
ALB Ingress -- Alibaba Cloud proprietary cloud-native gateway, compatible with Nginx Ingress. Fully managed with an SLA of up to 99.995%. Supports SSL hardware acceleration, automatic scaling, and up to 1 million QPS per instance. For more information, see ALB Ingress management.
MSE Ingress -- Enterprise edition of the open-source Higress project, compatible with Nginx Ingress. Fully managed. Combines Ingress gateways, microservice gateways, and security gateways. Supports multiple service discovery methods, authentication and authorization, Wasm/Lua plug-in extensions, and up to 1 million QPS per instance.
Quick decision guide
| Scenario | Recommended | Reason |
|---|---|---|
| Standard web application, high availability required | ALB Ingress | SLA up to 99.995%, auto scaling, fully managed |
| Microservices with Nacos or ZooKeeper service discovery | MSE Ingress | Multi-protocol service discovery, HTTP-to-Dubbo conversion |
| Gateway requiring custom Lua extensions | Nginx Ingress | Full control over Nginx configuration and plug-ins |
| API gateway at up to 1 million QPS | ALB Ingress or MSE Ingress | Cloud-hosted infrastructure with hardware acceleration |
| Canary release with multi-version traffic splitting | MSE Ingress | Tag-based routing, canary release with MSE service administration |
| Hybrid cloud or cross-region disaster recovery | ALB Ingress | Multi-cloud-service mounting, transit router integration |
| Shared gateway across clusters, PaaS, and ECS | MSE Ingress | Multi-backend discovery (K8s, DNS, fixed IP, Nacos) |
| Minimal operations overhead | ALB Ingress or MSE Ingress | Fully managed gateway and components |
When to use each type
Nginx Ingress
Highly customized gateway requiring fine-grained Nginx configuration.
Canary release and blue-green deployment for cloud-native applications.
ALB Ingress
Fully managed gateway and components, no manual operations.
High-performance auto scaling for Layer 7 Internet applications.
Multi-level high availability with an SLA of up to 99.995%.
Canary release and blue-green deployment for cloud-native applications.
Mixed mounting of multiple cloud services that share a single ALB instance.
Disaster recovery across hybrid cloud and cross-region scenarios.
Up to 1 million QPS and tens of millions of concurrent connections.
MSE Ingress
Fully managed gateway, no manual operations.
Microservices patterns: service discovery with Nacos and ZooKeeper, throttling with Sentinel, HTTP-to-Dubbo protocol conversion, and OpenTelemetry integration.
North-south traffic: backend service discovery supports Nacos, Kubernetes, DNS, and fixed IP.
East-west traffic: internal communication across hybrid clouds, multiple data centers, and multiple business domains, with Service Mesh integration.
Shared gateway instance across multiple container clusters, PaaS platforms, and ECS services.
Authentication and authorization with flexible security controls.
Up to 90% higher TPS than open-source Nginx Ingress at 30-40% CPU utilization.
Traffic flow
The following diagrams show the traffic path from the request domain www.example.net/app to the target container services.
Nginx Ingress
The Nginx Ingress Controller integrates the control plane and data plane in each Pod. Each Pod contains a Controller process (control plane) and Nginx processes (data plane), handling both configuration and request traffic.
ALB Ingress
The ALB Ingress Controller dynamically updates the ALB instance based on changes in Ingress resources and AlbConfig resources obtained through the API Server. The ALB Ingress Controller is a managed component that serves as the control plane only. User traffic forwarding is handled by the ALB instance.
MSE Ingress
The MSE Ingress Controller monitors MseIngressConfig resources in the cluster and coordinates MSE cloud-native gateway instances to implement the traffic management rules defined in Ingress resources. The MSE Ingress Controller manages MSE cloud-native gateway instances and configurations as the control plane only. Routing and forwarding of user traffic are handled by the MSE cloud-native gateway instance.
Feature comparison
Architecture
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Foundation | Nginx with Lua plug-in extensions | Cloud Network Management platform, CyberStar platform with auto scaling | Open-source Higress project with Istiod as the control plane and Envoy as the data plane |
| Hosting model | In-cluster (user-managed) | Cloud-hosted (managed component) | Cloud-hosted (exclusively available to users) |
| Control plane and data plane | Integrated in each Pod | Separated: controller (control plane) + ALB instance (data plane) | Separated: controller (control plane) + MSE cloud-native gateway (data plane). Connects directly to backend pod IPs for request forwarding. |
Routing and protocols
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Routing basis | Content and source IP | Content and source IP | Content |
| HTTP features | Rewrites, redirects, overwrites, throttling, CORS, session persistence | Rewrites, redirects, overwrites, throttling, CORS, session persistence | Rewrites, redirects, overwrites, throttling, CORS, timeout, retry |
| Forwarding rules | Inbound and outbound (outbound via Snippet); longest path matching | Inbound and outbound; priority-based matching (smaller number = higher priority) | Supports thousands of routing rules |
| Load balancing | N/A (default Nginx algorithms) | Round-robin, least connections, consistent hashing (source IP, URL parameters) | Round-robin, random, minimum connections, consistent hashing, prefetch (gradual traffic warm-up) |
| Protocols | HTTP, HTTPS, WebSocket, WSS, gRPC | HTTP, HTTPS, HTTP/3, WebSocket, WSS, gRPC | HTTP, HTTPS, HTTP/3, WebSocket, gRPC |
| Protocol conversion | N/A | N/A | HTTP/HTTPS to Dubbo |
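The "Forwarding rules" row matters when moving rules between gateway types: the same rule set can select a different backend under longest path matching than under priority-based matching. The following is an added example, not code from Alibaba Cloud or any controller. It is a simplified prefix-only model of the two strategies, and the rules, priorities, Service names, and request paths are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path: str      # path prefix the rule applies to
    backend: str   # Service that receives the request
    priority: int  # used only by the priority-based model

def prefix_matches(rule_path, request_path):
    """Match whole path segments, so /app does not match /application."""
    prefix = rule_path.rstrip("/")
    return prefix == "" or request_path == prefix or request_path.startswith(prefix + "/")

def longest_path_match(rules, request_path):
    """Longest path matching: the most specific matching prefix wins."""
    hits = [r for r in rules if prefix_matches(r.path, request_path)]
    return max(hits, key=lambda r: len(r.path.rstrip("/")), default=None)

def priority_match(rules, request_path):
    """Priority-based matching: the smallest priority number wins."""
    hits = [r for r in rules if prefix_matches(r.path, request_path)]
    return min(hits, key=lambda r: r.priority, default=None)

def divergent_paths(rules, request_paths):
    """Return (path, longest-path backend, priority backend) where they differ."""
    diffs = []
    for path in request_paths:
        by_length = longest_path_match(rules, path)
        by_priority = priority_match(rules, path)
        if by_length != by_priority:
            diffs.append((path,
                          by_length.backend if by_length else None,
                          by_priority.backend if by_priority else None))
    return diffs

# Constructed rule set: the broad /app rule carries the smallest priority number.
RULES = [
    Rule("/app", "app-svc", 1),
    Rule("/app/admin", "admin-svc", 5),
    Rule("/", "default-svc", 10),
]
# Constructed request paths to audit.
PATHS = ["/app", "/app/admin/users", "/application", "/health"]

if __name__ == "__main__":
    for path, by_length, by_priority in divergent_paths(RULES, PATHS):
        print(f"{path}: longest-path -> {by_length}, priority -> {by_priority}")
```

If access controls are attached to the more specific rule, a divergence like the one reported for /app/admin/users means requests reach a backend that does not apply them. Giving the more specific rule the smaller priority number removes the divergence in this model.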
Configuration and operations
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Configuration changes | Non-backend endpoint changes require process reload (disrupts persistent connections). Endpoint changes are hot-updated via Lua. Lua plug-in changes require reload. | Hot updates for all configurations. OpenAPI for real-time changes. | Hot updates for configurations, certificates, and plug-ins. List-Watch mechanism for immediate effect. |
| Operations model | Manual. Scaling through Horizontal Pod Autoscaling (HPA). Customizable computing resources for tuning. | Fully managed gateway and components. Automatic scaling for traffic surges. | Fully managed gateway, no manual operations. |
| Component management | Manage Nginx Ingress Controller components | Manage ALB Ingress Controller components | Manage MSE Ingress Controller components |
Performance
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Throughput | Depends on manual tuning (system and Nginx parameters, pod replicas, resource allocation). See Nginx Ingress Controller usage recommendations. | Up to 1 million QPS per instance. Tens of millions of concurrent connections per instance. | Up to 90% higher TPS than open-source Nginx Ingress at 30-40% CPU utilization. |
| SSL/TLS acceleration | N/A | SSL hardware acceleration by default | Hardware acceleration enhances HTTPS performance by approximately 80% |
Security
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Encryption | HTTPS | End-to-end HTTPS, SNI for multiple certificates, RSA and ECC certificates, TLS 1.3, TLS cipher suites | End-to-end HTTPS, SNI for multiple certificates, configurable TLS versions |
| Authentication | Basic Auth, OAuth | TLS-based authentication | Basic Auth, OAuth, JWT, OIDC; Alibaba Cloud IDaaS integration; custom authentication methods |
| Protection | Blacklisting and whitelisting | WAF integration; DDoS protection via Alibaba Cloud Anti-DDoS; blacklisting and whitelisting | Route-level WAF protection; route-level blacklisting and whitelisting |
Observability
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Logging | Access log collection | Access log collection via Log Service | Access log collection via Log Service and Alibaba Cloud Prometheus |
| Monitoring | Prometheus monitoring and alerting | Metric collection via CloudMonitor; alert configuration via CloudMonitor | Monitoring and alerting via Alibaba Cloud Prometheus |
| Tracing | N/A | Tracing Analysis and SkyWalking | Tracing Analysis and SkyWalking |
Service administration
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Service discovery | Kubernetes clusters | Kubernetes clusters | Kubernetes, Nacos, ZooKeeper, EDAS, SAE, DNS, and fixed IPs |
| Release strategies | Canary release, blue-green deployment | Canary release, blue-green deployment | Multi-version canary release, tag-based routing, canary release with MSE service administration |
| Traffic control | Throttling | Throttling | Sentinel-based throttling, circuit breaking, and service degradation |
| Testing | N/A | N/A | Service mocking |
Extensibility and integration
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Extension mechanism | Lua | AScript | Wasm plug-ins (multi-language development), Lua |
| Cloud-native integration | Manual component management; integrates with ACK or ACK Serverless. See Ingress management. | Integrates with WAF, Function Compute, PrivateLink, and transit routers; managed components with ACK or ACK Serverless | User-side components with ACK or ACK Serverless; supports core Nginx Ingress annotation conversion. See Annotations supported by MSE Ingress. |
Billing
| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
|---|---|---|---|
| Infrastructure cost | CLB instance fees | ALB instance fees | MSE instance fees + CLB instance fees |
| Controller overhead | Resource overhead for nginx-ingress-controller starts at 0.2 vCPU and 200 MiB memory | The alb-ingress-controller is a managed component with no resource overhead | Resource overhead for ack-mse-ingress-controller |
| Compute cost | Billing depends on actual resource usage and ECS node fees. See ECS billing overview. | N/A (managed) | Billing depends on actual resource usage and ECS node fees. See ECS billing overview. |