| Item | Nginx Ingress | ALB Ingress | MSE Ingress |
| --- | --- | --- | --- |
| Service positioning | | Provides traffic management and advanced routing features at Layer 7. Runs at the application layer, provides deep integration with containers, and supports different release policies, such as canary release, A/B testing, blue-green deployment, and traffic distribution by ratio. Provides ultra-large capacities and supports auto scaling and automated O&M. Supports integration with multiple cloud services, such as Web Application Firewall (WAF), Function Compute, PrivateLink, and transit routers (TRs). Integrates multiple network services to facilitate traffic routing across hybrid clouds, regions, and data centers. | Serves as traditional traffic gateways, microservices gateways, and security gateways. You can use features such as hardware acceleration, WAF local protection, and the plug-in marketplace to build high-performance, highly scalable, and easy-to-integrate cloud-native gateways that support hot updates. Provides traffic management and advanced routing features at Layer 7. Supports multiple service discovery modes and service canary release policies. The service canary release policies include canary release, A/B testing, blue-green deployment, and traffic distribution based on a custom traffic percentage. Targets application-layer load balancing scenarios and is deeply integrated with container services. MSE Ingresses are directly connected to the IP addresses of pods to forward requests. |
| Service architecture | Provides extended features based on NGINX and Lua. | | Developed based on the open source project Higress. Control planes are built based on Istiod and Envoy. For more information about Higress, visit Higress. Exclusive to individual users. |
| Basic routing | Supports routing based on content and source IP addresses. Supports HTTP rewrites, redirects, overwrites, throttling, cross-origin resource sharing (CORS), and session persistence. Supports inbound and outbound forwarding rules. Outbound forwarding rules can be configured by adding Snippet configurations. Supports longest path matching for forwarding rules. When multiple paths are matched, the longest path is used. | Supports routing based on content and source IP addresses. Supports HTTP rewrites, redirects, overwrites, throttling, CORS, and session persistence. Supports inbound and outbound forwarding rules. Requests are matched against forwarding rules in descending order of rule priority. When multiple paths are matched, the path whose forwarding rule number is the smallest has the highest priority for matching. Supports load balancing modes such as standard polling, least connections, and consistent hashing based on source IP addresses and URLs. | Supports content-based routing. Supports features such as HTTP header rewrites, redirects, rewrites, throttling, CORS, timeouts, and retries. Supports load balancing modes such as standard polling, random, least connections, consistent hashing, and prefetching. In prefetching mode, the traffic that is forwarded to a backend server within the specified time window increases at a steady rate. Supports thousands of Ingress rules. |
| Protocol | | | Supports HTTP and HTTPS. Supports HTTP 3.0, WebSocket, and gRPC. Supports conversion from HTTP/HTTPS to Dubbo. |
| Configuration change | Reloading is required when you update non-backend endpoints. This affects persistent connections. Endpoint configuration changes are applied by using Lua hot updates. Processes are reloaded when you change the configuration of the Lua plug-in. | | Supports hot updates of configurations, certificates, and plug-ins. The List-Watch mechanism is used to update configurations in real time. |
| Authentication | | Supports TLS-based authentication. | Supports authentication based on Basic Auth, OAuth, JWT, and OIDC. Supports integration with Alibaba Cloud IDaaS. Supports custom authentication. |
| Performance | Requires manual tuning to optimize system parameters and NGINX parameters. Requires proper configuration of the number of pod replicas and the amount of resources. For more information, see Usage notes of the NGINX Ingress controller. | Supports one million QPS per instance. Supports tens of millions of connections per instance. Uses SSL hardware for acceleration. | When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingresses is about 90% higher than the TPS of open source NGINX Ingresses. Improves the performance of HTTPS by about 80% after hardware acceleration is enabled. |
| Observability | | Allows you to collect access logs by using Simple Log Service. Allows you to collect metrics by using CloudMonitor. Allows you to configure alerting based on CloudMonitor. Supports Tracing Analysis and SkyWalking. | Allows you to collect access logs by using Simple Log Service and Prometheus. Allows you to configure monitoring and alerting by using Prometheus. Supports Tracing Analysis and SkyWalking. |
| O&M | | Fully managed and O&M-free. Supports auto scaling and automated configuration and provides ultra-large capacities. Supports auto scaling to handle traffic peaks. | Fully managed and O&M-free. |
| Security | | Supports end-to-end data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) certificates, TLS 1.3, and TLS cipher suites. Supports WAF. Supports Anti-DDoS. Supports blacklists and whitelists. | Supports end-to-end encryption for data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, and custom TLS versions. Supports WAF. Supports blacklists and whitelists. |
| Service governance | Supports service discovery in ACK clusters. Supports canary releases. Supports traffic throttling for high availability. | Supports service discovery in ACK clusters. Supports canary releases. Supports traffic throttling for high availability. | Supports service discovery based on Kubernetes, Nacos, ZooKeeper, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), DNS, and static IP addresses. Allows you to use canary releases to release more than two application versions, supports tag-based routing, and supports end-to-end canary releases based on MSE service governance. MSE Ingresses are integrated with Sentinel to support throttling, circuit breaking, and degradation. Service testing supports service mocking. |
| Scalability | Supports Lua for configuring extended features. | Supports AScript, which can be used to configure extended features. For more information, see AScript overview. | |
| Cloud-native support | A component that requires manual maintenance and can be used in ACK clusters and ACK Serverless clusters. For more information, see Ingress overview. | Supports multiple cloud services, such as WAF, Function Compute, PrivateLink, and TRs. A managed component that can be used in ACK clusters and ACK Serverless clusters. | A user-side component that can be used in ACK clusters and ACK Serverless clusters and supports seamless integration with the key annotations of NGINX Ingresses. For more information about the annotations supported by MSE Ingresses, see Annotations supported by MSE Ingress gateways. |
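
The Basic routing row gives two different tie-break rules when several paths match: the longest path for Nginx Ingress, and the smallest forwarding rule number for ALB Ingress. The Python sketch below is an added example, not code from either controller; it models only those two statements, assumes whole-segment prefix matching, and uses constructed paths, backends and rule numbers to find requests that the two models route differently.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    number: int    # forwarding rule number; smallest wins in the ordered model
    prefix: str    # path prefix the rule matches
    backend: str   # constructed backend name

# Constructed rule set: a catch-all numbered ahead of more specific rules.
RULES = [Rule(1, "/", "web"), Rule(2, "/api", "api"),
         Rule(3, "/api/admin", "admin-authz")]
# Constructed request paths.
SAMPLE_PATHS = ["/index.html", "/api/users", "/api/admin/keys", "/apiary"]

def _matches(prefix: str, path: str) -> bool:
    """Prefix match on whole segments, so /api does not match /apiary."""
    if prefix == "/":
        return path.startswith("/")
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def longest_path(rules, path) -> Optional[Rule]:
    """Longest matching path wins (the Nginx Ingress statement)."""
    hits = [r for r in rules if _matches(r.prefix, path)]
    return max(hits, key=lambda r: len(r.prefix), default=None)

def ordered(rules, path) -> Optional[Rule]:
    """Smallest rule number among matches wins (the ALB Ingress statement)."""
    hits = [r for r in rules if _matches(r.prefix, path)]
    return min(hits, key=lambda r: r.number, default=None)

def divergent(rules, paths):
    """Paths the two models send to different backends."""
    name = lambda r: r.backend if r else None
    pairs = [(p, name(longest_path(rules, p)), name(ordered(rules, p)))
             for p in paths]
    return [t for t in pairs if t[1] != t[2]]

def shadowed(rules):
    """Rules that never win in the ordered model: an earlier prefix covers them."""
    return [r for r in rules
            if any(o.number < r.number and _matches(o.prefix, r.prefix)
                   for o in rules)]

def specific_first(rules):
    """Renumber so longer prefixes get smaller numbers; both models then agree."""
    by_len = sorted(rules, key=lambda r: len(r.prefix), reverse=True)
    return [r._replace(number=i) for i, r in enumerate(by_len, 1)]

if __name__ == "__main__":
    print(divergent(RULES, SAMPLE_PATHS), shadowed(RULES))
```

Running `shadowed` over a rule set before moving it between controllers flags rules, such as one fronting an authorization backend, that would silently stop receiving traffic under ordered matching.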