Kubernetes clusters require an ingress gateway to route external traffic to backend services, but choosing the wrong gateway can lead to performance bottlenecks, operational burden, or security gaps. In Container Service for Kubernetes (ACK) managed clusters, ACK Serverless clusters, and Container Compute Service (ACS) clusters, you can use either NGINX Ingress gateways or Microservices Engine (MSE) Ingress gateways. This comparison covers architecture, performance, routing, security, observability, and other dimensions to help you select the right gateway.
Quick decision guide
Choose NGINX Ingress if:
Your traffic volume is low and your security, scalability, and stability requirements are low.
You need a highly customizable, self-managed gateway.
Choose MSE Ingress if:
Your traffic volume is high and you need strong security, scalability, and stability guarantees.
You want fully managed operations with no gateway maintenance overhead.
You need multiple service discovery methods (Kubernetes, Nacos, Eureka, DNS, fixed IP addresses).
You need integrated Web Application Firewall (WAF) protection and advanced authentication (JWT, OIDC, IDaaS, custom authentication).
You need end-to-end observability with access logs, distributed tracing, metrics, and alerts.
Architecture
| Aspect | NGINX Ingress | MSE Ingress |
|---|---|---|
| Engine | NGINX with Lua plug-in | Istiod + Envoy |
| Tenancy | Self-managed components | Dedicated instances per user |
| Resource management | Manual replica count and resource limit configuration | Fully managed |
| Traffic forwarding | -- | Directly connected to pod IP addresses for request forwarding |
Performance
| Metric | NGINX Ingress | MSE Ingress |
|---|---|---|
| Optimization | Manual tuning required | Optimized at the OS level with internal improvements |
| HTTPS acceleration | Not available | ~80% HTTPS performance improvement with hardware acceleration |
| Throughput vs. open source NGINX | Baseline | ~40% higher based on OS and internal optimization |
| TPS at 30% to 40% CPU utilization | Baseline | ~90% higher than open source NGINX Ingress |
| Plug-in impact | Heavy Lua script usage significantly degrades performance | -- |
Routing and load balancing
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| Content-based routing | Yes | Yes |
| HTTP header rewrites | Yes | Yes |
| Redirects and URL rewrites | Yes | Yes |
| Throttling | Yes | Yes |
| Cross-origin resource sharing (CORS) | -- | Yes |
| Timeouts and retries | -- | Yes |
| Load balancing algorithms | -- | Round-robin, random, least-requests, consistent hashing |
| Traffic warm-up (prefetching) | No | Yes. Traffic to new backend pods ramps up gradually over a configurable time window. |
Configuration updates
| Behavior | NGINX Ingress | MSE Ingress |
|---|---|---|
| Configuration changes | Rolling updates via Lua plug-in (except certificates) | Rolling updates supported |
| Certificate updates | Requires reload, which disrupts persistent connections | Rolling updates supported |
| Plug-in updates | Requires reload | Rolling updates for WebAssembly plug-ins |
| Update mechanism | Reload-based | List-Watch for near-real-time configuration propagation |
Service discovery and governance
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| Service discovery | Kubernetes only | Kubernetes, Nacos, Eureka, DNS, fixed IP addresses |
| Canary releases | Yes | Yes |
| Tag-based routing | No | Yes |
| Traffic distribution by percentage | No | Yes (canary release, A/B test, blue-green deployment) |
| Throttling | Yes | Yes |
| Circuit breaking and degradation | No | Yes, integrated with Application High Availability Service (AHAS) |
| Service mocking | No | Yes |
Security
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| HTTPS | Yes | Yes, integrated with Certificate Management Service |
| WAF protection | No | Yes, integrated with Alibaba Cloud WAF |
| IP-based access control (blacklists and whitelists) | Yes | Yes |
Authentication
| Method | NGINX Ingress | MSE Ingress |
|---|---|---|
| BasicAuth | Yes | Yes |
| OAuth | Yes | Yes |
| JWT | No | Yes |
| OIDC | No | Yes |
| IDaaS | No | Yes |
| Custom authentication | No | Yes |
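
The two controls that the Security and Authentication tables list as available on NGINX Ingress, IP-based access control and BasicAuth, are set per Ingress through annotations. The manifest below is an added example, not taken from the original page: it uses the annotations of the open source ingress-nginx controller (assumed here to be the controller behind the NGINX Ingress gateway), and the host, namespace, Secret names, Service name, ingress class name, and CIDR ranges are constructed placeholders.

```yaml
# Added example: all names, hosts and address ranges are constructed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-portal              # hypothetical
  namespace: ops                  # hypothetical
  annotations:
    # IP-based access control: only these source ranges are admitted;
    # requests from any other address are rejected with 403.
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.17/32"
    # BasicAuth: credentials are checked against an htpasswd-format Secret
    # (key "auth") in the same namespace as this Ingress.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: admin-portal-htpasswd
    nginx.ingress.kubernetes.io/auth-realm: "Authentication required"
    # Redirect plain HTTP to HTTPS so BasicAuth credentials only travel over TLS.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx         # assumed class name for the NGINX Ingress gateway
  tls:
    - hosts:
        - admin.example.com
      secretName: admin-portal-tls   # hypothetical TLS Secret
  rules:
    - host: admin.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin-portal   # hypothetical backend Service
                port:
                  number: 8080
```

The allowlist is evaluated against the client address that NGINX sees, so if a load balancer in front of the gateway hides the original source IP, the range check matches the balancer rather than the client.
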
Operations and maintenance
| Aspect | NGINX Ingress | MSE Ingress |
|---|---|---|
| Management model | Self-managed | Fully managed |
| Scaling | Horizontal Pod Autoscaler (HPA) | HPA (under development) |
| Specifications tuning | Manual configuration required | -- |
Protocols and conversion
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| HTTP | Yes | Yes |
| HTTPS | Yes | Yes |
| HTTP-to-Dubbo conversion | No | Yes |
| HTTPS-to-Dubbo conversion | No | Yes |
Ingress and cloud-native integration
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| Kubernetes Ingress resources | Yes | Yes |
| NGINX Ingress annotation conversion | N/A | Automatic conversion supported. For details, see Annotations supported by MSE Ingress gateways. |
| Supported cluster types | ACK managed clusters, ACK Serverless clusters, ACS clusters | ACK managed clusters, ACK Serverless clusters, ACS clusters |
Extensibility
| Approach | NGINX Ingress | MSE Ingress |
|---|---|---|
| Plug-in language | Lua | WebAssembly (supports multiple programming languages) |
| Lua plug-in | Yes | Under development |
Observability
| Capability | NGINX Ingress | MSE Ingress |
|---|---|---|
| Access logs | Yes | Yes, integrated with Simple Log Service (SLS) and Application Real-Time Monitoring Service (ARMS) |
| Metrics and alerts | Prometheus | Integrated with ARMS and Managed Service for Prometheus |
| Distributed tracing | No | Yes, integrated with Managed Service for OpenTelemetry |
Ecosystem
| Integration | NGINX Ingress | MSE Ingress |
|---|---|---|
| Service mesh | NGINX Service Mesh | Istio service mesh (de facto standard) |
Typical use cases
NGINX Ingress gateways are built on open source NGINX and serve as the default Kubernetes Ingress gateway. They are best suited for:
Workloads that require highly customized gateway configurations.
Environments with lower traffic volumes where self-managed operations are acceptable.
Teams with existing NGINX expertise who want direct control over the gateway.
Cloud-native applications that use canary releases or blue-green deployments.
MSE Ingress gateways are built on cloud-native gateways from MSE and combine traffic gateway, microservices gateway, and security gateway capabilities into a single managed platform. They are best suited for:
High-traffic production environments that require strong security, scalability, and stability.
Architectures that use multiple service discovery methods or need protocol conversion (HTTP/HTTPS to Dubbo).
North-south traffic scenarios with backend service discovery through Nacos, Kubernetes, DNS, or fixed IP addresses.
East-west traffic scenarios that require hybrid cloud, multi-data-center, or multi-service-domain interoperability with seamless service mesh integration.