All Products
Search
Document Center

Microservices Engine:Comparison between NGINX Ingress gateways and MSE Ingress gateways

Last Updated:Aug 27, 2024

In Container Service for Kubernetes (ACK) managed clusters, ACK Serverless clusters, or ACS clusters, NGINX Ingress gateways and Microservices Engine (MSE) Ingress gateways can be used as ingress gateways. However, the features and use scenarios of NGINX Ingress gateways and MSE Ingress gateways are different. This topic compares NGINX Ingress gateways and MSE Ingress gateways in multiple dimensions, such as product positioning, product architecture, performance, and basic routing. The comparison helps you quickly understand the differences between the two types of gateways and select appropriate ingress gateways.

Gateway comparison

Comparison item

NGINX Ingress gateway

MSE Ingress gateway

Product positioning

  • Layer-7 traffic processing capabilities are supported and various advanced routing features are provided.

  • Self-managed components can be highly customized based on your requirements.

  • Traditional traffic gateways, microservices gateways, and security gateways are integrated into MSE Ingress gateways. You can use features such as hardware acceleration, web application firewall (WAF) local protection, and WebAssembly plug-in marketplace to build low-cost, high-performance, high-scalability, and high-integration gateway middleware.

  • Multiple service discovery modes and service canary release policies are supported. The service canary release policies include canary release, A/B test, blue-green deployment, and traffic distribution based on a custom traffic percentage.

  • HTTP and HTTPS Layer-7 traffic processing capabilities are supported and various advanced routing features are provided.

  • MSE Ingress gateways are suitable for application-layer load scenarios, and are deeply integrated with container services. MSE Ingress gateways are directly connected to the IP addresses of pods to forward requests.

Product architecture

  • NGINX Ingress gateways can be used together with the Lua plug-in.

  • The number of replicas and the limits on the amount of resources can be manually configured.

  • Istiod + Envoy

  • Each user can use their dedicated instances.

Performance

  • Manual operations are required for performance optimization.

  • If you use Lua scripts, you can perform rolling updates for specific configurations. If a large number of Lua scripts are used, system performance is significantly affected.

  • HTTPS performance is improved by about 80% after hardware acceleration is enabled. Compared with self-managed NGINX Ingress gateways, the performance of MSE Ingress gateways is improved by about 40% based on the OS version and internal optimization.

  • When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingress gateways is about 90% higher than the TPS of open source NGINX Ingress gateways.

Basic routing

  • Content-based routing is supported.

  • Features such as HTTP header rewrites, redirects, rewrites, and throttling are supported.

  • Content-based routing is supported.

  • Features such as HTTP header rewrites, redirects, rewrites, throttling, cross-origin resource sharing (CORS), timeouts, and retries are supported.

  • Standard round-robin loading balancing, random load balancing, load balancing based on least requests, and load balancing based on consistent hashing are supported. Prefetching is also supported. If you use service prefetching, traffic that is forwarded to a backend machine in a specified time window gradually and smoothly increases.

O&M

  • User-side component maintenance is supported.

  • A Horizontal Pod Autoscaler (HPA) can be configured to perform scaling.

  • Specifications tuning must be configured.

  • Fully managed O&M is supported.

  • An HPA can be configured to perform scaling. This feature is under development.

Cloud-native integration

User-side components can be used together with container clusters such as Alibaba Cloud ACK managed clusters, ACK Serverless clusters, or ACS clusters.

User-side components can be used together with container clusters such as Alibaba Cloud ACK managed clusters, ACK Serverless clusters, or ACS clusters. Seamless conversions of NGINX Ingress annotations are supported.

Typical scenarios

  • Gateways are highly customized.

  • Canary releases or blue-green deployments are used for cloud-native applications.

  • In north-south traffic processing scenarios, backend service discovery supports multiple methods. For example, you can use the traditional registry Nacos, Kubernetes, DNS, or fixed IP addresses to discover backend services.

  • In east-west traffic processing scenarios, internal interoperability among hybrid clouds, multiple data centers, or multiple service domains is supported. MSE Ingress gateways can be seamlessly integrated with service mesh systems.

Support for mainstream protocols

  • HTTP

  • HTTPS

  • HTTP

  • HTTPS

Protocol conversion

Not supported

  • HTTP can be converted into Dubbo.

  • HTTPS can be converted into Dubbo.

Ingress support

Ingresses are supported.

Configuration updates

  • Reloading is required when you update certificates. This negatively affects persistent connections.

  • The Lua plug-in is used to perform rolling updates for configuration updates, except for certificate updates.

  • Reloading is required when you perform updates for the Lua plug-in.

  • Rolling updates of configurations are supported.

  • Rolling updates of certificates are supported.

  • The List-Watch mechanism is used to support quasi-real-time configuration updates.

  • Rolling updates of the WebAssembly plug-in are supported.

Service governance

  • Kubernetes-based service discovery is supported.

  • Service canary releases are supported.

  • Throttling is supported for high availability of services.

  • Services can be discovered by using Kubernetes, Nacos, Eureka, DNS, or fixed IP addresses.

  • Service canary releases and tag-based routing are supported.

  • MSE Ingress gateways are integrated with Application High Availability Service to support throttling, circuit breaking, and degradation.

  • Service testing supports service mocking.

Security

  • HTTPS

  • Blacklists and whitelists are supported.

  • MSE Ingress gateways are integrated with Certificate Management Service to support HTTPS.

  • MSE Ingress gateways are integrated with Alibaba Cloud WAF to support WAF protection.

  • Blacklists and whitelists are supported.

  • MSE Ingress gateways are integrated with Certificate Management Service.

Authentication

  • BasicAuth

  • OAuth

  • BasicAuth

  • OAuth

  • JWT

  • OIDC

  • IDaas

  • Custom authentication

Scalability

Lua scripts are supported.

  • The WebAssembly plug-in can be used to write code in multiple programming languages.

  • The Lua plug-in is under development.

Observability

  • Access logs

  • Prometheus

Ecosystem integration

Nginx Service Mesh

MSE Ingress gateways are integrated with Istio service mesh (De facto standard).

Summary

  • NGINX Ingress gateways are Kubernetes Ingress gateways that are built based on open source NGINX gateways. NGINX Ingress gateways are widely used and have become the default Kubernetes Ingress gateways. NGINX Ingress gateways provide basic capabilities, such as the capabilities related to security, routing, and observability. NGINX Ingress gateways are more suitable for scenarios in which your service traffic and the requirements for security, scalability, and stability are low and manual O&M of gateways is allowed.

  • MSE Ingress gateways are high-performance, high-scalability, and high-integration ingress gateways that are built based on cloud-native gateways of MSE. MSE Ingress gateways provide features such as hardware acceleration, WAF local protection, and WebAssembly plug-in marketplace to help you build managed gateway middleware. The middleware offers the advantages of low costs, high performance, high scalability, and high integration. MSE Ingress gateways support multiple service discovery modes and multiple service canary release policies. In terms of observability, MSE Ingress gateways have end-to-end full-stack capabilities to provide access logs, tracing data, metrics, and alerts. If your service traffic and the requirements for security, scalability, and stability are high, we recommend that you use MSE Ingress gateways as ingress gateways.