All Products
Search
Document Center

Container Service for Kubernetes:Recommendations for selecting an Ingress for Knative

最終更新日:Nov 05, 2024

Knative enables flexible ingress of external traffic and routes it to different Knative services. ACK Knative supports Application Load Balancer (ALB) Ingresses, Microservices Engines (MSE) Ingresses, Service Mesh (ASM) Ingresses, and Kourier Ingresses. Each Ingress comes with distinct strengths and is designed for specific use scenarios. This topic compares these Ingresses in terms of product positioning, architecture, basic routing capability, O&M capability, performance, supported mainstream protocols, and observability, to help you select an appropriate Ingress to meet your business requirements.

Introduction to Knative Ingresses

  • ALB Ingresses: ALB Ingresses are fully-managed O&M-free Ingresses empowered by the ALB service of Alibaba Cloud for traffic management. ALB Ingresses also provide auto scaling capabilities.

  • MSE Ingresses: MSE Ingresses are next-generation Ingresses that comply with Kubernetes Ingress standards. MSE Ingresses support all features of traditional traffic gateways.

  • ASM Ingresses: ASM is an Istio-compatible platform that allows you to centrally manage the traffic of microservices applications. ASM Ingresses provide features such as traffic control, mesh observability, and secure inter-service communication to simplify service governance and help you manage services that run on top of heterogeneous computing infrastructure.

  • Kourier Ingresses: Kourier Ingresses are open-source lightweight Ingresses developed based on the Envoy architecture.

Knative Ingress comparison

Type

ALB

MSE

ASM

Kourier

Product positioning

  • Focus on workloads at the application layer. ALB Ingresses provide Layer 7 load balancing and are deeply integrated with containerization technologies.

  • ALB Ingresses support HTTP, HTTPS, and QUIC and are suitable for auto scaling and heavy traffic scenarios.

  • ALB Ingresses provide various release policies, including canary release, A/B testing, and blue-green deployment. You can use ALB Ingresses with Web Application Firewall (WAF), Function Compute, PrivateLinks, and transit routers.

  • MSE Ingresses can serve as traditional traffic gateways, microservices gateways, and security gateways. You can use features such as hardware acceleration, WAF local protection, and the WebAssembly plug-in marketplace to build high-performance, highly-scalable, and easy-to-integrate cloud-native Ingresses that support hot updates.

  • MSE Ingresses provide traffic management and advanced routing features at Layer 7. MSE Ingresses provide multiple service discovery modes and service release policies, including canary release, A/B testing, blue-green deployment, and traffic distribution based on a custom ratio.

  • MSE Ingresses are intended for workloads at the application layer. MSE Ingresses are deeply integrated with containerization technologies and can directly forward traffic to the IP addresses of backend pods.

ASM provides a fully-managed service mesh platform and is compatible with open source Istio. ASM Ingresses can simplify inter-service traffic routing, splitting, and management and provide authentication and mesh observability for service communication to greatly reduce your development and O&M work.

Kourier Ingresses are lightweight Ingresses developed based on Envoy for Knative Serving. Kourier Ingresses provide routing and service discovery capabilities.

Architecture

  • ALB Ingresses run on the Cloud Network Management platform of Alibaba Cloud.

  • ALB Ingresses are developed based on the CyberStar platform and support auto scaling.

  • MSE Ingresses are developed based on the open source Higress project, where Istio serves as the control plane and Envoy serves as the data plane. For more information about Higress, see Higress.

  • MSE Ingresses are exclusive to users.

  • The Istio control plane consists of fully-managed components and is compatible with open source Istio.

  • Each ASM instance can serve applications deployed in multiple Kubernetes clusters or applications that run in Elastic Container Instance-based pods.

  • Kourier Ingresses are developed based on the Envoy architecture.

  • The number of replicas and resource limits can be manually configured.

Basic routing

  • Support routing based on content and source IP addresses.

  • Support HTTP request header rewrite, redirect, throttling, cross-origin resource sharing (CORS), and session persistence.

  • Support forwarding rules in the inbound and outbound directions.

  • Support content-based routing.

  • Support HTTP request header rewrite, redirect, throttling, cross-origin resource sharing (CORS), timeouts, and retries.

  • Provide multiple load balancing modes, including round-robin, random, least connections, consistent hashing, and prefetching.

  • Support thousands of Ingress rules.

  • Support custom traffic routing rules.

  • Support traffic management between applications in different Kubernetes clusters.

  • Provide fine-grained traffic management.

  • Provide out-of-the-box chaos engineering capabilities.

  • Support content-based routing.

  • Support HTTP request header rewrite.

O&M

  • Fully-managed O&M and zero configuration.

  • Support auto scaling and provide ultra-large capacities.

  • Support auto scaling to withstand traffic spikes.

Fully-managed and O&M-free.

  • Install, deploy, and update with a few clicks.

  • Fully-managed control plane components.

  • Allow you to focus on the development of business applications.

  • Comply with the specifications of open source Istio.

  • You need to manually maintain components.

  • Allow you to configure Horizontal Pod Autoscaling (HPA).

  • Allow you to specify computing resource specifications for optimization.

Performance

  • Support one million QPS per instance.

  • Support tens of millions of connections per instance.

  • Use SSL hardware for acceleration by default.

  • When the CPU utilization reaches 30% to 40%, the transactions per second (TPS) of MSE Ingresses is about 90% higher than the TPS of open source NGINX Ingresses.

  • HTTPS service performance is improved by 80% after hardware acceleration is enabled.

  • Support cross-region deployment, nearby access, and DNS intelligent resolution. Domain names are resolved to IP addresses that are closest to the clients.

  • Access ASM Ingresses through Classic Load Balancer (CLB) instances.

  • ASM Ingresses of TLS Acceleration Edition can accelerate HTTPS requests based on the Intel MultiBuffer technology to improve the QPS by 80%.

Require manual tuning to optimize performance.

Supported mainstream protocols

Support HTTP, HTTPS, QUIC, WebSocket, WSS, and gRPC.

  • Support HTTP, HTTPS, HTTP 3.0, WebSocket, and gRPC.

  • Support HTTP and redirects from HTTPS to Dubbo.

  • Support HTTPS and dynamic certificate loading.

  • Allow you to access internal gPRC services through Ingress Ingresses and switch traffic between two gRPC versions.

  • Support transcoding HTTP/JSON to gRPC, which allows you to use HTTP/JSON to access gRPC services in ASM.

  • Allow you to access WebSocket services in ASM through Ingress Ingresses.

Support HTTP, HTTPS, and gRPC.

Observability

  • Support access log collection and metric collection.

  • Allow you to view and analyze access logs in Simple Log Service.

  • Allow you to view and analyze metrics in CloudMonitor.

  • Support alerting. Allow you to view and analyze alerts in CloudMonitor.

  • Support access log collection and allow you to view access logs in Simple Log Service and Managed Service for Prometheus.

  • Allow you to configure monitoring and alerting in Managed Service for Prometheus.

  • Support tracing and integration with Tracing Analysis and Apache SkyWalking.

  • Support visualized mesh topology and topology analysis.

  • Support integration with self-managed Prometheus systems.

  • Support integration with Application Real-Time Monitoring Service (ARMS).

  • Support integration with Simple Log Service.

  • Support custom metrics.

  • Support service-level objectives (SLOs).

Support access log collection.

ALB Ingresses focus on load balancing at the application layer, MSE Ingresses focus on microservices scenarios, ASM Ingresses provide service mesh (Istio) capabilities, and Kourier Ingresses provide only basic Ingress features.

References

For more information about how to use these Ingresses in Knative, see Use ALB Ingresses in Knative, Use MSE Ingresses in Knative to implement auto scaling, Use the Kourier gateway in Knative, and Use the Kourier gateway in Knative.