Comparison between NGINX Ingress gateways and MSE Ingress gateways - Microservices Engine

In Container Service for Kubernetes (ACK) managed clusters, ACK Serverless clusters, or ACS clusters, NGINX Ingress gateways and Microservices Engine (MSE) Ingress gateways can be used as ingress gateways. However, the features and use scenarios of NGINX Ingress gateways and MSE Ingress gateways are different. This topic compares NGINX Ingress gateways and MSE Ingress gateways in multiple dimensions, such as product positioning, product architecture, performance, and basic routing. The comparison helps you quickly understand the differences between the two types of gateways and select appropriate ingress gateways.

Gateway comparison

Comparison item	NGINX Ingress gateway	MSE Ingress gateway
Product positioning	Layer-7 traffic processing capabilities are supported and various advanced routing features are provided. Self-managed components can be highly customized based on your requirements.	Traditional traffic gateways, microservices gateways, and security gateways are integrated into MSE Ingress gateways. You can use features such as hardware acceleration, web application firewall (WAF) local protection, and WebAssembly plug-in marketplace to build low-cost, high-performance, high-scalability, and high-integration gateway middleware. Multiple service discovery modes and service canary release policies are supported. The service canary release policies include canary release, A/B test, blue-green deployment, and traffic distribution based on a custom traffic percentage. HTTP and HTTPS Layer-7 traffic processing capabilities are supported and various advanced routing features are provided. MSE Ingress gateways are suitable for application-layer load scenarios, and are deeply integrated with container services. MSE Ingress gateways are directly connected to the IP addresses of pods to forward requests.
Product architecture	NGINX Ingress gateways can be used together with the Lua plug-in. The number of replicas and the limits on the amount of resources can be manually configured.	Istiod + Envoy Each user can use their dedicated instances.
Performance	Manual operations are required for performance optimization. If you use Lua scripts, you can perform rolling updates for specific configurations. If a large number of Lua scripts are used, system performance is significantly affected.	HTTPS performance is improved by about 80% after hardware acceleration is enabled. Compared with self-managed NGINX Ingress gateways, the performance of MSE Ingress gateways is improved by about 40% based on the OS version and internal optimization. When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingress gateways is about 90% higher than the TPS of open source NGINX Ingress gateways.
Basic routing	Content-based routing is supported. Features such as HTTP header rewrites, redirects, rewrites, and throttling are supported.	Content-based routing is supported. Features such as HTTP header rewrites, redirects, rewrites, throttling, cross-origin resource sharing (CORS), timeouts, and retries are supported. Standard round-robin loading balancing, random load balancing, load balancing based on least requests, and load balancing based on consistent hashing are supported. Prefetching is also supported. If you use service prefetching, traffic that is forwarded to a backend machine in a specified time window gradually and smoothly increases.
O&M	User-side component maintenance is supported. A Horizontal Pod Autoscaler (HPA) can be configured to perform scaling. Specifications tuning must be configured.	Fully managed O&M is supported. An HPA can be configured to perform scaling. This feature is under development.
Cloud-native integration	User-side components can be used together with container clusters such as Alibaba Cloud ACK managed clusters, ACK Serverless clusters, or ACS clusters.	User-side components can be used together with container clusters such as Alibaba Cloud ACK managed clusters, ACK Serverless clusters, or ACS clusters. Seamless conversions of NGINX Ingress annotations are supported.
Typical scenarios	Gateways are highly customized. Canary releases or blue-green deployments are used for cloud-native applications.	In north-south traffic processing scenarios, backend service discovery supports multiple methods. For example, you can use the traditional registry Nacos, Kubernetes, DNS, or fixed IP addresses to discover backend services. In east-west traffic processing scenarios, internal interoperability among hybrid clouds, multiple data centers, or multiple service domains is supported. MSE Ingress gateways can be seamlessly integrated with service mesh systems.
Support for mainstream protocols	HTTP HTTPS	HTTP HTTPS
Protocol conversion	Not supported	HTTP can be converted into Dubbo. HTTPS can be converted into Dubbo.
Ingress support	Ingresses are supported.	Ingresses are supported. Automatic conversions of NGINX Ingress annotations are supported. For more information, see Annotations supported by MSE Ingress gateways.
Configuration updates	Reloading is required when you update certificates. This negatively affects persistent connections. The Lua plug-in is used to perform rolling updates for configuration updates, except for certificate updates. Reloading is required when you perform updates for the Lua plug-in.	Rolling updates of configurations are supported. Rolling updates of certificates are supported. The List-Watch mechanism is used to support quasi-real-time configuration updates. Rolling updates of the WebAssembly plug-in are supported.
Service governance	Kubernetes-based service discovery is supported. Service canary releases are supported. Throttling is supported for high availability of services.	Services can be discovered by using Kubernetes, Nacos, Eureka, DNS, or fixed IP addresses. Service canary releases and tag-based routing are supported. MSE Ingress gateways are integrated with Application High Availability Service to support throttling, circuit breaking, and degradation. Service testing supports service mocking.
Security	HTTPS Blacklists and whitelists are supported.	MSE Ingress gateways are integrated with Certificate Management Service to support HTTPS. MSE Ingress gateways are integrated with Alibaba Cloud WAF to support WAF protection. Blacklists and whitelists are supported. MSE Ingress gateways are integrated with Certificate Management Service.
Authentication	BasicAuth OAuth	BasicAuth OAuth JWT OIDC IDaas Custom authentication
Scalability	Lua scripts are supported.	The WebAssembly plug-in can be used to write code in multiple programming languages. The Lua plug-in is under development.
Observability	Access logs Prometheus	MSE Ingress gateways are integrated with Log Service and Application Real-Time Monitoring Service (ARMS) to provide access logs. MSE Ingress gateways are integrated with ARMS and Prometheus to provide alerts. MSE Ingress gateways are integrated with Tracing Analysis to provide tracing data. MSE Ingress gateways are integrated with ARMS and Prometheus to provide alerts.
Ecosystem integration	Nginx Service Mesh	MSE Ingress gateways are integrated with Istio service mesh (De facto standard).

Summary

NGINX Ingress gateways are Kubernetes Ingress gateways that are built based on open source NGINX gateways. NGINX Ingress gateways are widely used and have become the default Kubernetes Ingress gateways. NGINX Ingress gateways provide basic capabilities, such as the capabilities related to security, routing, and observability. NGINX Ingress gateways are more suitable for scenarios in which your service traffic and the requirements for security, scalability, and stability are low and manual O&M of gateways is allowed.
MSE Ingress gateways are high-performance, high-scalability, and high-integration ingress gateways that are built based on cloud-native gateways of MSE. MSE Ingress gateways provide features such as hardware acceleration, WAF local protection, and WebAssembly plug-in marketplace to help you build managed gateway middleware. The middleware offers the advantages of low costs, high performance, high scalability, and high integration. MSE Ingress gateways support multiple service discovery modes and multiple service canary release policies. In terms of observability, MSE Ingress gateways have end-to-end full-stack capabilities to provide access logs, tracing data, metrics, and alerts. If your service traffic and the requirements for security, scalability, and stability are high, we recommend that you use MSE Ingress gateways as ingress gateways.