| Service positioning | - Provides traffic management and advanced routing features at Layer 7.
- A cluster component that can be customized based on your business requirements.
| - Provides traffic management and advanced routing features at Layer 7.
- Runs at the application layer, provides deep integration with containers, and supports different release policies, such as canary release, A/B testing, blue-green deployment, and traffic distribution by ratio.
- Provides ultra-large capacities and supports auto scaling and automated O&M.
- Supports integration with multiple cloud services, such as Web Application Firewall (WAF), Function Compute, PrivateLink, and transit routers.
| - MSE Ingresses can serve as traditional traffic gateways, microservices gateways, and security gateways. You can use features such as hardware acceleration, WAF local protection, and the WebAssembly plug-in marketplace to build high-performance, highly-scalable, and easy-to-integrate cloud-native gateways that support hot updates.
- Provides traffic management and advanced routing features at Layer 7. Multiple service discovery modes and service canary release policies are supported. The service canary release policies include canary release, A/B testing, blue-green deployment, and traffic distribution based on a custom traffic percentage.
- MSE Ingresses are suitable for application-layer load balancing scenarios, and are deeply integrated with container services. MSE Ingresses are directly connected to the IP addresses of pods to forward requests.
|
| Architecture | Provides extended features based on NGINX and Lua. | - Developed based on the Cloud Network Management platform.
- Developed based on the CyberStar platform and supports auto scaling.
| - Developed based on the open source project Higress. Control planes are built based on Istiod and Envoy. For more information about Higress, see Higress.
- Exclusive to individual users.
|
| Basic routing | - Supports content-based routing.
- Supports HTTP rewrites, redirects, overwrites, throttling, and session persistence.
| - Supports routing based on content and source IP addresses.
- Supports HTTP rewrites, redirects, overwrites, throttling, cross-origin resource sharing (CORS), and session persistence
- Supports inbound and outbound forwarding rules.
| - Supports content-based routing.
- Supports features such as HTTP header rewrites, redirects, rewrites, throttling, CORS, timeouts, and retries.
- Supports load balancing modes such as round-robin (RR), random, minimum number of connections, consistent hashing, and prefetching. In prefetching mode, the traffic that is forwarded to a backend server within a specified time window increases at a steady rate.
- Supports thousands of Ingress rules.
|
| Protocol | Supports HTTP and HTTPS. | - Supports HTTP and HTTPS.
- Supports Quick UDP Internet Connections (QUIC), WebSocket, WSS, and gRPC.
| - Supports HTTP and HTTPS.
- Supports HTTP 3.0, WebSocket, and gRPC.
- Supports conversion from HTTP/HTTPS to Dubbo.
|
| Configuration change | - Processes are reloaded when you change the certificate. This may interrupt persistent connections.
- Configuration changes other than certificate changes are performed by using hot updates based on Lua.
- Processes are reloaded when you change the configuration of the Lua plug-in.
| Allows you to change the configuration by calling API operations. This method is more efficient than using the list-watch mechanism to modify the configuration. | - Supports hot updates of configurations, certificates, and plug-ins.
- The List-Watch mechanism is used to update configurations in real time.
|
| Authentication | - Supports Basic Auth-based authentication.
- Supports the OAuth protocol.
| Supports TLS-based authentication. | - Supports authentication based on Basic Auth, OAuth, JWT, and OIDC.
- Supports integration with Alibaba Cloud IDaaS.
- Supports custom authentication.
|
| Performance | - Requires manual tuning to optimize system parameters and NGINX parameters.
- Requires proper configurations on the number of replicated pods and the amount of resources.
| - Supports one million QPS per instance.
- Supports tens of millions of connections per instance.
- Uses SSL hardware for acceleration.
| - When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingresses is about 90% higher than the TPS of open source NGINX Ingresses.
- Improves the performance of HTTPS by about 80% after hardware acceleration is enabled.
|
| Observability | - Allows you to collect access logs.
- Allows you to configure Prometheus monitoring.
| - Allows you to collect access logs by using Log Service.
- Allows you to collect metrics by using CloudMonitor.
- Allows you to configure alerting based on CloudMonitor.
| - Allows you to collect access logs by using Log Service and Application Real-time Monitoring Service (ARMS) Prometheus.
- Allows you to configure monitoring and alerting based on ARMS Prometheus.
- Supports Tracing Analysis and SkyWalking.
|
| O&M | - Supports manual O&M for the component.
- Allows you to configure Horizontal Pod Autoscaler (HPA)-based scaling.
- Allows you to specify computing resource specifications for optimization.
| - Fully managed and O&M-free.
- Supports auto scaling and automated configuration and provides ultra-large capacities.
- Supports auto scaling for handling traffic spikes.
| Fully managed and O&M-free. |
| Security | - Supports HTTPS.
- Supports blacklists and whitelists.
| - Supports end-to-end data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) certificates, TLS 1.3, and TLS cipher suites.
- Supports WAF.
- Supports Anti-DDoS.
- Supports blacklists and whitelists.
| - Supports end-to-end encryption for data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, and custom TLS versions.
- Supports WAF.
- Supports blacklists and whitelists.
|
| Service governance | - Supports service discovery in Kubernetes clusters.
- Supports canary releases.
- Supports traffic throttling for high availability.
| - Supports service discovery in Kubernetes clusters.
- Supports canary releases.
- Supports traffic throttling for high availability.
| - Supports service discovery based on Kubernetes, Nacos, ZooKeeper, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), DNS, and static IP addresses.
- Allows you to use canary releases to release more than two application versions, supports tag-based routing, and supports end-to-end canary releases based on MSE service governance.
- MSE Ingresses are integrated with Application High Availability Service (AHAS) to support throttling, circuit breaking, and degradation.
- Service testing supports service mocking.
|
| Extended features | Supports Lua for configuring extended features. | Supports AScript, which can be used to configure extended features. For more information, see AScript overview. | - Uses the WebAssembly plug-in to support multiple programming languages.
- Supports Lua for configuring extended features.
|
| Cloud-native support | - Supports NGINX Service Mesh.
- A component that requires manual maintenance and can be used in ACK clusters and ASK clusters.
| - Supports multiple cloud services, such as WAF, Function Compute, PrivateLink, and transit routers.
- A managed component that can be used in Container Service for Kubernetes (ACK) clusters and serverless Kubernetes (ASK) clusters.
| A user-side component that can be used in ACK clusters and ASK clusters and supports seamless integration with the key annotations of NGINX Ingresses. For more information about the annotations supported by MSE Ingresses, see Annotations supported by cloud-native gateways. |