Comparison between NGINX Ingress gateways and MSE Ingress gateways - Microservices Engine

Container Service for Kubernetes (ACK) clusters or ACK Serverless clusters can use NGINX Ingress gateways or Microservices Engine (MSE) Ingress gateways as Ingress gateways. The features and use scenarios of NGINX Ingress gateways and MSE Ingress gateways are different. This topic compares NGINX Ingress gateways and MSE Ingress gateways in multiple dimensions, such as product positioning, product architecture, performance, and basic routing. The comparison helps you quickly understand the differences between the two types of Ingress gateways and select appropriate Ingress gateways.

Gateway comparison

Comparison item	NGINX Ingress gateway	MSE Ingress gateway
Product positioning	Layer-7 traffic processing capabilities are supported and various advanced routing features are provided. Self-managed components can be highly customized based on your requirements.	Traditional traffic gateways, microservices gateways, and security gateways are integrated into MSE Ingress gateways. You can use features such as hardware acceleration, web application firewall (WAF) local protection, and WebAssembly plug-in marketplace to build low-cost, high-performance, high-scalability, and high-integration gateway middleware. Multiple service discovery modes and service canary release policies are supported. The service canary release policies include canary release, A/B test, blue-green deployment, and traffic distribution based on a custom traffic percentage. HTTP and HTTPS Layer-7 traffic processing capabilities are supported and various advanced routing features are provided. MSE Ingress gateways are suitable for application-layer load balancing scenarios, and are deeply integrated with container services. MSE Ingress gateways are directly connected to the IP addresses of pods to forward requests.
Product architecture	NGINX Ingress gateways can be used together with the Lua plug-in. The number of replicas and the limits on the amount of resources can be manually configured.	Istiod can be used together with Envoy. Each user can use their dedicated instances.
Performance	Manual operations are required for performance optimization. If you use Lua scripts, you can perform rolling updates for some configurations. If a large number of Lua scripts are used, system performance is significantly affected.	HTTPS performance is improved by about 80% after hardware acceleration is enabled. Compared with self-managed NGINX Ingress gateways, the performance of MSE Ingress gateways is improved by about 40% based on the OS version and internal optimization. When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingress gateways is about 90% higher than the TPS of open source NGINX Ingress gateways.
Basic routing	Content-based routing is supported. Features such as HTTP header rewrites, redirects, rewrites, and throttling are supported.	Content-based routing is supported. Features such as HTTP header rewrites, redirects, rewrites, throttling, cross-origin resource sharing (CORS), timeouts, and retries are supported. Load balancing policies include the standard polling mode, random mode, load balancing based on the minimum number of requests, consistent hashing, and service prefetching. If you use service prefetching, traffic that is forwarded to a backend machine in a specified time window gradually and smoothly increases.
O&M	User-side component maintenance is supported. A Horizontal Pod Autoscaler (HPA) can be configured to perform scaling. Specifications tuning must be configured.	Fully managed O&M is supported. An HPA can be configured to perform scaling. This feature is under development.
Cloud-native integration	User-side components can be used together with container services such as Alibaba Cloud ACK or ACK Serverless.	User-side components can be used together with container services such as Alibaba Cloud ACK or ACK Serverless. Seamless conversions of NGINX Ingress annotations are supported.
Typical scenarios	Gateways are highly customized. Canary releases or blue-green deployments are used for cloud-native applications.	In north-south traffic processing scenarios, backend service discovery supports multiple methods. For example, you can use the traditional registry Nacos, Kubernetes, DNS, or fixed IP addresses to discover backend services. In east-west traffic processing scenarios, internal interoperability among hybrid clouds, multiple data centers, or multiple service domains is supported. MSE Ingress gateways can be seamlessly integrated with service mesh systems.
Support for mainstream protocols	HTTP is supported. HTTPS is supported.	HTTP is supported. HTTPS is supported.
Protocol conversion	Not supported.	HTTP can be converted into Dubbo. HTTPS can be converted into Dubbo.
Ingresses	Ingresses are supported.	Ingresses are supported. Automatic conversions of NGINX Ingress annotations are supported. For more information
Configuration updates	Reloading is required when you update certificates. This affects long-lived connections. The Lua plug-in is used to perform rolling updates for configuration updates, except for certificate updates. Reloading is required when you perform updates for the Lua plug-in.	Rolling updates of configurations are supported. Rolling updates of certificates are supported. The List-Watch mechanism is used to support quasi-real-time configuration updates. Rolling updates of the WebAssembly plug-in are supported.
Service governance	Kubernetes-based service discovery is supported. Service canary releases are supported. Throttling is supported for high availability of services.	Services can be discovered by using Kubernetes, Nacos, Eureka, DNS, or fixed IP addresses. Service canary releases and tag-based routing are supported. MSE Ingress gateways are integrated with Application High Availability Service (AHAS) to support throttling, circuit breaking, and degradation. Service testing supports service mocking.
Security	HTTPS is supported. Blacklists and whitelists are supported.	MSE Ingress gateways are integrated with Certificate Management Service to support HTTPS. MSE Ingress gateways are integrated with Alibaba Cloud WAF to support WAF protection. Blacklists and whitelists are supported. MSE Ingress gateways are integrated with Certificate Management Service.
Authentication	BasicAuth. OAuth.	BasicAuth. OAuth. JWT. OIDC. IDaaS. Custom authentication.
Scalability	Lua scripts are supported.	The WebAssembly plug-in can be used to write code in multiple languages. The Lua plug-in is under development.
Observability	Access logs are provided. Prometheus is supported.	MSE Ingress gateways are integrated with Log Service or Application Real-Time Monitoring Service (ARMS) to provide access logs. MSE Ingress gateways are integrated with ARMS Prometheus to provide metrics. MSE Ingress gateways are integrated with Tracing Analysis to provide tracing data. MSE Ingress gateways are integrated with ARMS Prometheus to provide alerts.
Ecosystem integration	NGINX Ingress gateways are integrated with NGINX Service Mesh.	MSE Ingress gateways are integrated with Istio service mesh (De facto standard).

Summary

NGINX Ingress gateways are Kubernetes Ingress gateways that are built based on open source NGINX. NGINX is widely used, and NGINX Ingress gateways have become the default Kubernetes Ingress gateways, which provide basic capabilities, such as the capabilities related to security, routing, and observability. NGINX Ingress gateways are suitable for scenarios in which your service traffic and the requirements for security, scalability, and stability are low and manual O&M is allowed for gateways.
MSE Ingress gateways are high-performance, high-scalability, and high-integration Ingress gateways that are built based on cloud-native gateways of MSE. MSE Ingress gateways provide features such as hardware acceleration, WAF local protection, and WebAssembly plug-in marketplace to help you develop managed gateway middleware. The middleware offers advantages of low costs, high performance, high scalability, and high integration. MSE Ingress gateways support multiple service discovery modes and multiple service canary release policies. In terms of observability, MSE Ingress gateways have end-to-end full-stack capabilities to provide access logs, tracing data, metrics, and alerts. If your service traffic and the requirements for security, scalability, and stability are high, we recommend that you use MSE Ingress gateways as Ingress gateways.