Background
Cloud-native API Gateway is the upgraded version of cloud-native gateway. It combines the capabilities of a traffic gateway, microservices gateway, and security gateway with full lifecycle API management. This topic describes how to migrate from cloud-native gateway to Cloud-native API Gateway.
Pre-migration checklist
Before you begin, complete the following:
Understand the features and benefits of Cloud-native API Gateway.
Assess the capacity of your current cloud-native gateway instance.
Confirm your backend service types are supported for migration.
Plan your test environment and procedures.
Prepare a rollback plan for potential issues during the migration.
Ensure your team is familiar with Cloud-native API Gateway operations.
Migration process
Migration steps
Instance creation
When you create a Cloud-native API Gateway instance, note the following:
For details about creating a Cloud-native API Gateway instance, see Create a gateway instance.
To determine the instance specification, see the Capacity description for Cloud-native API Gateway. To assess the capacity of your current cloud-native gateway instance, see Evaluate the capacity of a standard instance.
When you create the Cloud-native API Gateway instance, ensure that its Virtual Private Cloud (VPC) is the same as the one used by the cloud-native gateway instance. This ensures that the Cloud-native API Gateway can access backend services.
Verification checkpoints:
The instance is created and running.
The instance specification meets your business requirements.
The VPC is configured correctly and can access backend services.
Rule migration
Routing management
Domain names
Unlike in cloud-native gateway, domain names in Cloud-native API Gateway are public resources that do not belong to a specific instance. You bind a domain name to the corresponding gateway instance when you publish an API.
Cloud-native API Gateway supports all the domain management features of cloud-native gateway. To create a domain name for use in Cloud-native API Gateway, see Create a domain name. Similar to cloud-native gateway, adding a domain name in Cloud-native API Gateway does not automatically perform domain name registration or DNS resolution. You must register the domain name and configure its DNS resolution to point to the instance endpoint.
Sources and services
Similar to cloud-native gateway, sources and services in Cloud-native API Gateway are managed within an instance. Use the following tables to determine whether your backend services can be migrated to Cloud-native API Gateway.
To manage sources in Cloud-native API Gateway, see Manage service sources.
To manage services in Cloud-native API Gateway, see Services.
Table 1. Source support comparison
Source type | Cloud-native API Gateway | cloud-native gateway | Notes |
Container Service | Supported | Supported | |
MSE Nacos | Supported | Supported | |
MSE ZooKeeper | Not supported | Supported | |
SAE built-in registry | Not supported | Supported | |
EDAS built-in registry | Not supported | Supported | |
SAE Kubernetes Service | Not supported | Supported | Cloud-native API Gateway does not require you to create an SAE Kubernetes Service source. You can add the service directly. |
Table 2. Service support comparison
Service type | Cloud-native API Gateway | cloud-native gateway | Notes |
Container Service | Supported | Supported | |
MSE Nacos | Supported | Supported | |
MSE ZooKeeper | Not supported | Supported | |
SAE built-in registry | Not supported | Supported | |
EDAS built-in registry | Not supported | Supported | |
SAE Kubernetes Service | Supported | Supported | Cloud-native API Gateway does not require you to create an SAE Kubernetes Service source. |
Fixed address | Supported | Supported | |
DNS domain | Supported | Supported | |
Function Compute (FC) | Supported | Supported | Cloud-native API Gateway supports Function Compute 3.0, while cloud-native gateway supports Function Compute 2.0. |
CloudFlow | Supported | Not supported |
Routes
APIs are first-class citizens in Cloud-native API Gateway. In Cloud-native API Gateway, routes from cloud-native gateway are implemented as APIs, primarily HTTP APIs and REST APIs:
HTTP API
HTTP APIs are route-centric interfaces based on the HTTP protocol. They are suitable for scenarios such as Kubernetes Ingress, microservice architectures, and AI (SSE) to quickly expose services externally.
If you do not need fine-grained API-level management, you can configure routes to define which backend service handles a specific request. Route paths are often coarser-grained than API operations, such as /user/*. This allows for rapid configuration of access paths and simplifies inter-system interactions. HTTP APIs are primarily for developer or operations teams. Routes provide flexibility, simplify call logic between systems, and make it easier to split business logic across services.
REST API
REST APIs are resource-oriented interfaces based on the HTTP protocol. They use standard HTTP methods, such as GET and POST, to operate on resources. They are suitable for scenarios such as API-first development, cross-team collaboration, and fine-grained API management.
API-first: A software development methodology that emphasizes starting with API design when developing an application. This approach encourages developers to define system boundaries and interactions between services by first defining and creating APIs, before building the backend services that implement them.
Fine-grained API management: This approach is ideal when you expose APIs to partners, integrate internal and external systems, or support collaboration. In these scenarios, service providers must expose specific operations, apply traffic policies at the operation level, and provide consumers with complete API documentation.
REST APIs are primarily for business-centric development teams. They promote cross-team collaboration, enhance system flexibility, and drive rapid business iteration and agile development.
Based on your business needs, choose whether to migrate your routes to HTTP APIs or REST APIs. You can also flexibly split the routes from your cloud-native gateway into multiple APIs, using HTTP APIs for some and REST APIs for others, to manage them independently.
To migrate to an HTTP API, see Create an HTTP API. To configure policies for the HTTP API, see Routing policies.
To migrate to a REST API, see Create a REST API and add an operation. To configure policies for the REST API, see Configure policies and plugins.
Verification checkpoints:
Domains are created and resolved correctly.
Sources and services are configured and can access backend services.
Routes are configured successfully, and requests are correctly forwarded to backend services.
Security management
Blacklist and whitelist
Cloud-native API Gateway offers the same blacklist and whitelist capabilities as cloud-native gateway, with rules applicable at the global, domain, and route levels. In addition, Cloud-native API Gateway offers a global Layer 4 blacklist and whitelist, which allows you to directly reject connections from specified IP addresses, further conserving gateway resources.
After migrating your routing management configurations, you can migrate the blacklist and whitelist. For specific instructions, see Configure an IP address blacklist or whitelist for a gateway.
Global authentication and authorization
Cloud-native API Gateway is compatible with the main authentication and authorization types of cloud-native gateway. See the table below for support status and migration procedures.
Table 3. Global authentication and authorization support comparison
Authentication and authorization type | Cloud-native API Gateway | cloud-native gateway | Migration procedure |
JWT | Supported | Supported | |
OIDC | Supported | Supported | |
IDaaS | Not supported | Supported | - |
Custom authentication service | Supported | Supported |
Consumer authentication
In Cloud-native API Gateway, consumers exist independently of gateway instances. You only need to configure consumer information once to reuse it for authorization across different gateway instances and APIs. As a key part of API management, Cloud-native API Gateway enhances consumer management with support for more authentication methods, including API Key, JWT, and HMAC.
To manage consumers, see Manage consumers. After creating consumers, refer to Authorization management to configure their accessible API scope.
Verification checkpoints:
Blacklist and whitelist rules are effective and correctly block or allow specified IP addresses.
Global authentication and authorization is configured correctly, and authentication works as expected.
Consumers are created successfully, and their authorization scopes are configured correctly.
Plugin migration
Cloud-native API Gateway is fully compatible with the plugin system of cloud-native gateway, including custom plugins (Wasm and Lua). You can easily migrate plugin configuration rules from cloud-native gateway to Cloud-native API Gateway.
Unlike in cloud-native gateway, plugins in Cloud-native API Gateway exist independently of gateway instances. Before you can use a plugin on a gateway, you must install it on the gateway instance. For instructions on installing and uninstalling plugins, see Manage plugins. After installation, you can configure plugin rules in the API and operation list.
Official plugins
Cloud-native API Gateway is compatible with most of the official plugins from cloud-native gateway. Use the following table to determine if the official plugins you are using can be migrated to Cloud-native API Gateway.
Table 4. Official plugin support comparison
Cloud-native gateway plugin | Support status | Corresponding plugin |
key-auth | Supported | Key authentication |
basic-auth | Supported | Basic authentication |
hmac-auth | Supported | HMAC authentication |
jwt-auth | Supported | JWT authentication |
edas-service-auth | Not supported | - |
oauth | Supported | OAuth2 authentication |
jwt-logout | Supported | jwt-logout |
opa | Supported | OPA |
ext-auth | Supported | External authentication |
key-rate-limit | Supported | Key-based rate limiting |
traffic-tag | Supported | traffic-tag |
http-real-ip | Supported | http-real-ip |
hsts | Supported | hsts |
canary-header | Supported | canary-header |
request-validation | Supported | Request validation |
cluster-key-rate-limit | Supported | Key-based cluster rate limiting |
try-path | Not supported | - |
custom-response | Supported | Custom response |
http2-misdirect | Not supported | - |
transformer | Supported | Request/Response transformation |
de-graphql | Supported | DeGraphQL |
frontend-gray | Supported | Frontend canary release |
cache-control | Supported | Browser cache control |
response-cache | Supported | General response cache |
request-block | Supported | Request blocking |
bot-detect | Supported | Bot traffic blocking |
waf | Supported | WAF protection |
cors | Supported | Cross-origin resource sharing |
ip-restriction | Supported | IP address restriction |
geo-ip | Not supported | - |
Custom plugins
Cloud-native API Gateway is fully compatible with the custom plugins of cloud-native gateway. To upload a custom Wasm plugin from your cloud-native gateway, see Upload a plugin. To migrate a custom Lua plugin, see Use a Lua plugin.
Cloud-native API Gateway also provides an online IDE for writing plugins. If you need to develop a new plugin, see Use WebIDE to develop a plugin to quickly develop prototypes in the Cloud-native API Gateway console.
Verification checkpoints:
Official plugins are installed and configured correctly, and they work as expected.
Custom plugins are uploaded successfully and work as expected.
Plugin rules are configured correctly and take effect as expected.
Observability migration
Tracing
Cloud-native API Gateway integrates with Managed Service for OpenTelemetry to support tracing and is fully compatible with all tracing protocols from cloud-native gateway. To configure it on Cloud-native API Gateway, see Enable Tracing Analysis for a gateway.
Logs
Similar to cloud-native gateway, Cloud-native API Gateway also supports log shipping. To configure it, see Enable log shipping for a gateway. This allows you to ship gateway access logs to a specified Log Service project under your account.
Alerts
Cloud-native API Gateway integrates with CloudMonitor to support alerting capabilities. To create the alerts you need in Cloud-native API Gateway, see Create an alert rule.
Verification checkpoints:
Tracing is configured correctly and can trace requests as expected.
Log shipping is configured correctly, and logs are successfully shipped to Log Service.
Alert rules are configured correctly and trigger alerts as expected.
Parameter configuration migration
Cloud-native API Gateway is compatible with most of the parameters of cloud-native gateway, and the parameter names are identical. To adjust the parameters of your Cloud-native API Gateway instance, see Modify gateway parameters.
The following parameters are not supported by Cloud-native API Gateway:
EnableXffTrustedCidrs
PreserveExternalRequestID
LiteMetrics
EnableK8sSourceWorkloadFilter
Verification checkpoints:
Parameters are configured correctly, and the gateway performance meets expectations.
Unsupported parameters have been identified and their impact has been assessed.
Functionality verification
After migrating all rules, verify the functionality. We recommend the following verification methods:
Use a test domain name
Add a test domain name in Cloud-native API Gateway, configure its DNS record as a CNAME to the instance endpoint, and bind it to the API that you want to test. Then, use the test domain name to run your tests.
Configure the hosts file
Modify the hosts file on your test machine to resolve the domain name bound to the gateway to the instance endpoint. This allows you to use the production domain name directly on the test machine for testing.
Traffic migration
After verifying all functionality, begin migrating traffic. Use a strict canary release to ensure that you can quickly roll back traffic to the original cloud-native gateway instance if issues occur.
Gradually migrate your production traffic to Cloud-native API Gateway by modifying the DNS resolution weights of your production domain. If you use Alibaba Cloud DNS to configure the DNS for your production domain, see Configure weights to perform a weighted DNS migration. If you use another DNS product, refer to its documentation for configuring weights.
The overall migration process is as follows:
On the Endpoints page of the Cloud-native API Gateway instance, obtain the endpoint domain of the gateway instance.
Configure DNS weights for your production domain. We strongly recommend starting with a weight of 1% and then gradually increasing it.
Monitor your services to verify normal operation. Use the observability features of Cloud-native API Gateway, such as service monitoring and access logs, to aid in your assessment.
If your services operate as expected, gradually increase the weight of Cloud-native API Gateway in the DNS resolution until all traffic is migrated. If your services do not operate as expected, perform a rollback by adjusting the DNS weights.
Rollback plan
During the migration, you must perform an immediate rollback if you encounter any of the following situations:
Significant increase in service response time.
Error rate exceeds the threshold.
Functional anomalies or data inconsistencies occur.
Abnormal gateway performance metrics (such as CPU, memory, and network).
Rollback steps:
Immediately change the DNS weight of the Cloud-native API Gateway to 0%.
Shift all traffic back to the original cloud-native gateway instance.
Monitor service recovery and confirm that the anomalies have disappeared.
Analyze the root cause. After resolving the issue, restart the canary release.
Rollback considerations:
DNS propagation is affected by the Time to Live (TTL) setting. Set a small TTL value, such as 60 seconds, in advance.
Closely monitor business metrics during the rollback process.
Record the reason for the rollback and the observed issues for future analysis.