Comparison among NGINX Ingresses, ALB Ingresses, and MSE Ingresses - Container Service for Kubernetes

Container Service for Kubernetes (ACK) and ACK Serverless support NGINX Ingresses, Application Load Balancer (ALB) Ingresses, and Microservices Engine (MSE) Ingresses. NGINX Ingresses require manual maintenance, while ALB Ingresses and MSE Ingresses are fully managed. This topic describes the differences among NGINX Ingresses, ALB Ingresses, and MSE Ingresses from multiple aspects.

Background information

NGINX Ingresses require manual maintenance. If you want to customize gateways, you can choose NGINX Ingresses.
ALB Ingresses are based on ALB instances and are fully managed and O&M-free. Each ALB instance supports one million QPS and provides improved traffic routing capabilities for ALB Ingresses.
MSE Ingresses are based on the cloud-native gateways of MSE and are fully managed and O&M-free. Each cloud-native gateway of MSE supports one million QPS and provides enhanced traffic routing capabilities for MSE Ingresses.

Use scenarios

Type	Scenario
Nginx Ingress	Require highly customized gateways. Perform canary releases and blue-green deployments for cloud-native applications.
ALB Ingress	Require fully managed and O&M-free gateways. Require high-performance auto scaling for Internet applications at Layer 7. Perform canary releases and blue-green deployments for cloud-native applications. Require high QPS and a large number of concurrent connections.
MSE Ingress	Require fully managed and O&M-free gateways. Require centralized management of north-south traffic and east-west traffic, microservices gateways, and end-to-end canary releases. Share a gateway among multiple clusters, multiple PaaS platforms, and multiple Elastic Compute Service (ECS) instances. Require internal communication within hybrid clouds, multiple data centers, and multiple business domains. Require authentication, flexible configuration, and enhanced security protection. Require high QPS and high concurrency.

Comparison of features

Category	Nginx Ingress	ALB Ingress	MSE Ingress
Service positioning	Provides traffic management and advanced routing features at Layer 7. A cluster component that can be customized based on your business requirements.	Provides traffic management and advanced routing features at Layer 7. Runs at the application layer, provides deep integration with containers, and supports different release policies, such as canary release, A/B testing, blue-green deployment, and traffic distribution by ratio. Provides ultra-large capacities and supports auto scaling and automated O&M. Supports integration with multiple cloud services, such as Web Application Firewall (WAF), Function Compute, PrivateLink, and transit routers.	MSE Ingresses can serve as traditional traffic gateways, microservices gateways, and security gateways. You can use features such as hardware acceleration, WAF local protection, and the WebAssembly plug-in marketplace to build high-performance, highly-scalable, and easy-to-integrate cloud-native gateways that support hot updates. Provides traffic management and advanced routing features at Layer 7. Multiple service discovery modes and service canary release policies are supported. The service canary release policies include canary release, A/B testing, blue-green deployment, and traffic distribution based on a custom traffic percentage. MSE Ingresses are suitable for application-layer load balancing scenarios, and are deeply integrated with container services. MSE Ingresses are directly connected to the IP addresses of pods to forward requests.
Architecture	Provides extended features based on NGINX and Lua.	Developed based on the Cloud Network Management platform. Developed based on the CyberStar platform and supports auto scaling.	Developed based on the open source project Higress. Control planes are built based on Istiod and Envoy. For more information about Higress, see Higress. Exclusive to individual users.
Basic routing	Supports content-based routing. Supports HTTP rewrites, redirects, overwrites, throttling, and session persistence.	Supports routing based on content and source IP addresses. Supports HTTP rewrites, redirects, overwrites, throttling, cross-origin resource sharing (CORS), and session persistence Supports inbound and outbound forwarding rules.	Supports content-based routing. Supports features such as HTTP header rewrites, redirects, rewrites, throttling, CORS, timeouts, and retries. Supports load balancing modes such as round-robin (RR), random, minimum number of connections, consistent hashing, and prefetching. In prefetching mode, the traffic that is forwarded to a backend server within a specified time window increases at a steady rate. Supports thousands of Ingress rules.
Protocol	Supports HTTP and HTTPS. Supports Quick UDP Internet Connections (QUIC), WebSocket, WSS, and gRPC.	Supports HTTP and HTTPS. Supports Quick UDP Internet Connections (QUIC), WebSocket, WSS, and gRPC.	Supports HTTP and HTTPS. Supports HTTP 3.0, WebSocket, and gRPC. Supports conversion from HTTP/HTTPS to Dubbo.
Configuration change	Processes are reloaded when you change the certificate. This may interrupt persistent connections. Configuration changes other than certificate changes are performed by using hot updates based on Lua. Processes are reloaded when you change the configuration of the Lua plug-in.	Allows you to change the configuration by calling API operations. This method is more efficient than using the list-watch mechanism to modify the configuration.	Supports hot updates of configurations, certificates, and plug-ins. The List-Watch mechanism is used to update configurations in real time.
Authentication	Supports Basic Auth-based authentication. Supports the OAuth protocol.	Supports TLS-based authentication.	Supports authentication based on Basic Auth, OAuth, JWT, and OIDC. Supports integration with Alibaba Cloud IDaaS. Supports custom authentication.
Performance	Requires manual tuning to optimize system parameters and NGINX parameters. Requires proper configurations on the number of replicated pods and the amount of resources.	Supports one million QPS per instance. Supports tens of millions of connections per instance. Uses SSL hardware for acceleration.	When the CPU utilization is 30% to 40%, the transactions per second (TPS) of MSE Ingresses is about 90% higher than the TPS of open source NGINX Ingresses. Improves the performance of HTTPS by about 80% after hardware acceleration is enabled.
Observability	Allows you to collect access logs. Allows you to configure Prometheus monitoring.	Allows you to collect access logs by using Log Service. Allows you to collect metrics by using CloudMonitor. Allows you to configure alerting based on CloudMonitor.	Allows you to collect the access log by using Log Service and Managed Service for Prometheus. Allows you to configure monitoring and alerting based on Managed Service for Prometheus. Supports Tracing Analysis and SkyWalking.
O&M	Supports manual O&M for the component. Allows you to configure Horizontal Pod Autoscaler (HPA)-based scaling. Allows you to specify computing resource specifications for optimization.	Fully managed and O&M-free. Supports auto scaling and automated configuration and provides ultra-large capacities. Supports auto scaling for handling traffic spikes.	Fully managed and O&M-free.
Security	Supports HTTPS. Supports blacklists and whitelists.	Supports end-to-end data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) certificates, TLS 1.3, and TLS cipher suites. Supports WAF. Supports Anti-DDoS. Supports blacklists and whitelists.	Supports end-to-end encryption for data transfer over HTTPS, Server Name Indication (SNI) for multiple certificates, and custom TLS versions. Supports WAF. Supports blacklists and whitelists.
Service governance	Supports service discovery in Kubernetes clusters. Supports canary releases. Supports traffic throttling for high availability.	Supports service discovery in Kubernetes clusters. Supports canary releases. Supports traffic throttling for high availability.	Supports service discovery based on Kubernetes, Nacos, ZooKeeper, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), DNS, and static IP addresses. Allows you to use canary releases to release more than two application versions, supports tag-based routing, and supports end-to-end canary releases based on MSE service governance. MSE Ingresses are integrated with Sentinel to support throttling, circuit breaking, and degradation. Service testing supports service mocking.
Extended features	Supports Lua for configuring extended features.	Supports AScript, which can be used to configure extended features. For more information, see AScript overview.	Uses the WebAssembly plug-in to support multiple programming languages. Supports Lua for configuring extended features.
Cloud-native support	Supports NGINX Service Mesh. A component that requires manual maintenance and can be used in ACK clusters and ACK Serverless clusters.	Supports multiple cloud services, such as WAF, Function Compute, PrivateLink, and transit routers. A managed component that can be used in Container Service for Kubernetes (ACK) clusters and ACK Serverless clusters.	A user-side component that can be used in ACK clusters and ACK Serverless clusters and supports seamless integration with the key annotations of NGINX Ingresses. For more information about the annotations supported by MSE Ingresses, see Annotations supported by MSE Ingress gateways.