Alibaba Cloud Container Service (ACS) Knative supports three gateways for routing external traffic to Knative Serving services: ALB, ASM, and Kourier. Start with Kourier if you need a lightweight, self-managed option with minimal overhead. Choose ALB for fully managed, high-throughput workloads with automatic scaling. Choose ASM when you need a full service mesh with fine-grained traffic policies across multiple clusters.
Gateway overview
ALB: A fully managed gateway built on Alibaba Cloud ALB. Handles traffic management automatically with no operations and maintenance (O&M) required, and scales to handle up to 1 million queries per second (QPS) per instance.
ASM: A managed service mesh platform compatible with open source Istio. Provides unified traffic management across multiple Kubernetes clusters, including traffic shaping, mesh observability, and secure inter-service communication.
Kourier: A lightweight, open source gateway from the Knative community, implemented on top of Envoy. Provides essential routing and service discovery with minimal resource overhead — but requires manual scaling and performance tuning, and offers only limited configuration and extension options compared to ALB and ASM.
When to use each gateway
| Scenario | Recommended gateway |
|---|---|
| You want zero gateway O&M and automatic scaling | ALB |
| You need multi-cluster traffic management or a service mesh | ASM |
| You want a simple, lightweight gateway and are comfortable self-managing it | Kourier |
| You need QUIC protocol support | ALB |
| You need chaos engineering capabilities out of the box | ASM |
| You want the lowest resource footprint for a development or test cluster | Kourier |
Detailed comparison
Product positioning
ALB focuses on Layer 7 load balancing tightly integrated with container infrastructure. It supports canary releases, A/B testing, and blue-green deployments, and integrates with other Alibaba Cloud services including Web Application Firewall (WAF), Function Compute (FC), PrivateLink, and Transit Router (TR).
ASM provides a fully managed Istio-compatible service mesh. It simplifies service administration by handling traffic routing and splitting, securing inter-service communication, and exposing mesh observability — reducing the operational burden on both developers and O&M teams.
Kourier is the gateway implementation provided by the Knative community for accessing Knative Serving services. It covers essential routing and service discovery, with no additional traffic management capabilities.
Service architecture
| | ALB | ASM | Kourier |
|---|---|---|---|
| Architecture | Built on the Alibaba Cloud Apsara Cloud Network platform using the self-developed CyberStar platform | Managed Istio control plane; compatible with the Istio community | Based on Envoy |
| Multi-cluster support | No | Yes — a single ASM instance can serve multiple Kubernetes clusters or Elastic Container Instance (ECI) pods | No |
| Scaling | Automatic | Automatic (managed control plane) | Manual — configure replicas and resource limits yourself |
Routing capabilities
| | ALB | ASM | Kourier |
|---|---|---|---|
| Content-based routing | Yes | Yes | Yes |
| Source IP-based routing | Yes | No | No |
| HTTP header modification | Yes | Yes | Yes |
| Redirection and URL rewrite | Yes | No | No |
| Throttling | Yes | No | No |
| Cross-domain access | Yes | No | No |
| Session persistence | Yes | No | No |
| Request and response forwarding rules | Yes — supports rules for both requests and responses | No | No |
| Multi-cluster traffic routing | No | Yes | No |
| Fine-grained traffic management | No | Yes | No |
| Chaos engineering | No | Yes — available out of the box | No |
Operations and maintenance
ALB is fully managed and configuration-free. Processing capacity scales automatically with your traffic, supporting ultra-large capacity without any manual intervention.
ASM supports one-click installation, deployment, and upgrades. The control plane components are fully managed, so your team can stay focused on application development. ASM remains compatible with Istio community specifications.
Kourier requires self-management. Use Horizontal Pod Autoscaler (HPA) configurations to scale in or out, and proactively tune performance settings to match your workload. Kourier provides only limited configuration and extension options — if your workload grows or you need advanced traffic management, plan for a migration to ALB or ASM.
Performance
ALB: A single instance supports 1 million QPS and tens of millions of concurrent connections. SSL hardware acceleration is enabled by default.
ASM: Supports multi-region deployment with intelligent DNS routing that resolves domain names to the geographically closest instance, reducing latency for global clients. Access ASM gateway instances through Classic Load Balancer (CLB). The commercial edition supports TLS acceleration using Intel Multi-Buffer technology, improving QPS by 80% in tests.
Kourier: Performance depends entirely on manual tuning. There is no managed scaling layer — plan your replica count and resource limits based on expected traffic.
Protocol support
| Protocol | ALB | ASM | Kourier |
|---|---|---|---|
| HTTP | Yes | Yes | Yes |
| HTTPS | Yes | Yes, with dynamic certificate loading | Yes |
| QUIC | Yes | No | No |
| WebSocket | Yes | Yes, via ingress gateway | No |
| WSS (WebSocket Secure) | Yes | No | No |
| gRPC | Yes | Yes, via ingress gateway; supports protocol transcoding (HTTP/JSON to gRPC) | Yes |
Observability
ALB: Collects access logs and metrics. Integrates with Simple Log Service (SLS) for access logs and CloudMonitor for metrics, including alerting.
ASM: Provides mesh topology visualization for traffic analysis. Integrates with self-managed Prometheus, Application Real-Time Monitoring Service (ARMS), and SLS. Supports custom monitoring metrics and service-level objective (SLO) policies.
Kourier: Collects access logs only. No metrics integration or alerting support is built in — if you need deeper observability, choose ALB or ASM instead.