Application Ingress selection


EDAS lets you configure Nginx Ingress, ALB Ingress, or a cloud-native gateway (MSE Ingress) to expose your Kubernetes applications to external traffic. This topic describes the common scenarios and differences among Nginx Ingress, ALB Ingress, and the cloud-native gateway (MSE Ingress).

Scenarios

Nginx Ingress gateway

The Nginx Ingress gateway is built on Nginx and is the most widely used Ingress controller for Kubernetes. It provides basic security, routing, and observability features and is easy to integrate: you create a standard Ingress resource to expose services in a Kubernetes cluster, and you can extend the controller with Lua plugins or use annotations to configure snippets. Snippets let Nginx apply custom request and response forwarding rules, but they inject raw Nginx directives into the gateway configuration, so only principals you trust to reconfigure the gateway should be allowed to create Ingress objects that use them.

You can use Nginx Ingress in EDAS to provide external access to your applications. For high queries per second (QPS) scenarios, you can configure multiple LoadBalancer services for the Nginx Ingress Controller to expand the gateway bandwidth. You can also use Horizontal Pod Autoscaler (HPA) to automatically scale gateway instances based on memory or CPU usage. This scales the gateway's performance horizontally.
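The following manifests are an added example of the Nginx Ingress setup described above; they are not code from EDAS or the ingress-nginx project. They assume an EDAS Kubernetes application exposed by a Service named demo-app on port 8080, an existing TLS Secret demo-app-tls for demo.example.com, and controller resource names matching the upstream ingress-nginx install (ingress-nginx/ingress-nginx-controller). Those names, the host, the allow-listed ranges, and the HPA thresholds are assumptions for illustration.

```yaml
# Added example, not EDAS or ingress-nginx project code. Resource names,
# hostnames, IP ranges and thresholds below are assumptions.
---
# 1. Controller-wide settings: TLS floor, cipher policy, HSTS, and no snippets.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller      # assumed; some installs use kube-system/nginx-configuration
  namespace: ingress-nginx
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
  hsts: "true"
  # Snippet annotations inject raw Nginx directives. Keep them off unless every
  # principal who can create an Ingress is trusted to reconfigure the gateway.
  allow-snippet-annotations: "false"
  # Needed when a cloud load balancer sits in front of the controller and
  # forwards client addresses with PROXY protocol; otherwise the allow-list
  # below would be evaluated against the load balancer's address.
  use-proxy-protocol: "true"
---
# 2. The application route: HTTPS only, source-IP allow-list, per-client rate limit.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Only these networks may reach the app; everything else receives 403.
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.10/32"
    # Requests per second permitted per client IP before 503 is returned.
    nginx.ingress.kubernetes.io/limit-rps: "20"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.example.com
      secretName: demo-app-tls
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app
                port:
                  number: 8080
---
# 3. Scale the controller itself on CPU, as the text describes for high-QPS use.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: ingress-nginx-controller
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60
```

Apply with kubectl apply -f, then verify the settings actually reached Nginx: run nginx -T inside a controller pod and check the ssl_protocols and ssl_ciphers lines, send a request from an address outside the allow-list and confirm a 403, and confirm that the load balancer in front of the controller is really configured for PROXY protocol before relying on the source-IP allow-list, since the check is only as good as the client address Nginx sees.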

ALB Ingress

ALB Ingress is based on Alibaba Cloud Application Load Balancer (ALB) instances. It supports ultra-high QPS and many concurrent connections. It also features automatic elastic scaling. After you expose Kubernetes services with ALB Ingress, you do not need to manually perform gateway operations and maintenance (O&M).

To use ALB Ingress in EDAS, you must first create an ALB instance. Then, you can configure an ALB Ingress application route in the EDAS console to provide external access to your EDAS applications. Because ALB instances are fully managed, you can focus on your applications instead of manually tuning or maintaining the gateway.

Cloud-native gateway (MSE Ingress)

The cloud-native gateway supports service discovery from multiple sources, such as Kubernetes services, service registries, fixed IP addresses, and DNS. MSE Ingress provides rich traffic governance features, such as per-instance rate limiting, service prefetch (warm-up), service fallback for disaster recovery, and tag-based routing for microservices.

You can use the MSE Ingress gateway in EDAS to provide external access for your Kubernetes Service applications. You can also create cloud-native gateway routes to forward traffic for services registered with EDAS or MSE.

Comparison

The following items compare the three gateways. Each item lists Nginx Ingress, ALB Ingress, and the cloud-native gateway (MSE Ingress) in that order.

Product positioning

Nginx Ingress:
  • Provides Layer 7 traffic processing and rich advanced routing features.
  • A self-managed component that allows for a high degree of customization.

ALB Ingress:
  • Provides Layer 7 traffic processing and rich advanced routing features.
  • Supports large capacity, automatic elastic scaling, and is fully managed.

Cloud-native gateway (MSE Ingress):
  • Provides Layer 7 traffic processing and rich advanced routing features.
  • Designed for application-layer workloads and deeply integrated with containers. The gateway forwards requests directly to backend pod IP addresses.

Service architecture

Nginx Ingress:
  • Based on Nginx and extended with Lua plugins.

ALB Ingress:
  • Based on the Alibaba Luoshen cloud network management platform.
  • Based on the self-developed CyberStar platform, which supports automatic elastic scaling.

Cloud-native gateway (MSE Ingress):
  • Based on Istiod and Envoy.
  • Each user has a dedicated instance.

Common scenarios

Nginx Ingress:
  • Scenarios that require a highly customized gateway.

ALB Ingress:
  • Scenarios with ultra-high QPS and many concurrent connections.

Cloud-native gateway (MSE Ingress):
  • North-south traffic scenarios. Backend service discovery supports multiple sources, such as Nacos, Kubernetes, DNS, and fixed IP addresses.
  • East-west traffic scenarios. Supports internal communication across hybrid clouds, multiple data centers, and multiple business domains. Can be seamlessly integrated with service mesh systems.

Performance

Nginx Ingress:
  • Performance depends on manual tuning of system and Nginx parameters.
  • Requires configuration of an appropriate number of replicas and resource limits.

ALB Ingress:
  • A single instance supports 1 million QPS.
  • A single instance supports tens of millions of concurrent connections.
  • Uses SSL hardware acceleration by default.
  • With hardware acceleration enabled, HTTPS performance improves by about 80%. Compared to a self-built solution with OS and internal tuning, performance is about 40% higher.

Cloud-native gateway (MSE Ingress):
  • Compared to open source Nginx Ingress, MSE Ingress achieves about 90% higher transactions per second (TPS) at 30% to 40% CPU usage.

Basic routing

Nginx Ingress:
  • Content-based and source IP-based routing.
  • Supports features such as HTTP header rewrite, redirection, URL rewrite, rate limiting, cross-origin access, and session persistence.
  • Supports request and response forwarding rules. Response forwarding rules can be implemented by extending snippet configurations.

ALB Ingress:
  • Content-based and source IP-based routing.
  • Supports features such as HTTP header rewrite, redirection, URL rewrite, rate limiting, cross-origin access, and session persistence.
  • Supports request and response forwarding rules.

Cloud-native gateway (MSE Ingress):
  • Content-based routing.
  • Supports features such as HTTP header rewrite, redirection, URL rewrite, rate limiting, cross-origin access, timeout, and retry.
  • In addition to standard load balancing algorithms such as round robin, random, least connections, and consistent hashing, the gateway provides a warm-up feature that gradually increases the traffic forwarded to a backend server over a specified time window.

O&M capabilities

Nginx Ingress:
  • Components are maintained by the user.
  • You can scale out or scale in by configuring HPA.
  • Requires proactive tuning of specifications.

ALB Ingress:
  • Fully managed and requires no O&M.
  • Automatic elastic scaling supports large capacity without configuration.
  • Processing capacity automatically scales with traffic peaks.

Cloud-native gateway (MSE Ingress):
  • Fully managed.
  • You can scale out or scale in by configuring HPA (in development).

Supported protocols

Nginx Ingress:
  • Supports HTTP and HTTPS.
  • Supports WebSocket, WSS, and gRPC.

ALB Ingress:
  • Supports HTTP and HTTPS.
  • Supports WebSocket, WSS, and gRPC.

Cloud-native gateway (MSE Ingress):
  • Supports HTTP and HTTPS.
  • Supports protocol transformation:
    • HTTP to Dubbo.
    • HTTPS to Dubbo.

Configuration changes

Nginx Ingress:
  • Certificate changes require a process reload, which disrupts persistent connections.
  • Non-certificate changes are hot-updated using Lua.
  • Lua plugin changes require a process reload.

ALB Ingress:
  • Uses OpenAPI for configuration changes, which is faster than the List-Watch mechanism.

Cloud-native gateway (MSE Ingress):
  • Hot updates for configurations.
  • Hot updates for certificates.
  • Uses the List-Watch mechanism for more accurate and real-time configuration changes.
  • Hot updates for Wasm plugins.

Authentication and authorization

Nginx Ingress:
  • Supports Basic Auth.
  • Supports the OAuth protocol.

ALB Ingress:
  • Supports TLS identity authentication.

Cloud-native gateway (MSE Ingress):
  • Basic Auth.
  • OAuth.
  • JWT.
  • OpenID Connect (OIDC).
  • IDaaS.
  • Custom authentication.

Observability

Nginx Ingress:
  • Collects logs using access logs.
  • Supports monitoring and alert configuration using Prometheus.
  • EDAS injects a trace ID into traffic and integrates with the ARMS Tracing Analysis feature.
  • Supports log analysis using Loki, which is integrated with EDAS.

ALB Ingress:
  • Collects logs using access logs and is integrated with Simple Log Service (SLS).
  • Outputs monitoring metrics and is integrated with CloudMonitor.
  • Supports alert configuration and is integrated with CloudMonitor.

Cloud-native gateway (MSE Ingress):
  • Access logs.
  • Metrics.
  • Tracing.
  • Alerts.

Service administration

Nginx Ingress:
  • Service discovery: Kubernetes.
  • Grayscale release: canary releases.
  • High availability: rate limiting.

ALB Ingress:
  • Service discovery: Kubernetes.
  • Grayscale release: canary releases.
  • High availability: rate limiting.

Cloud-native gateway (MSE Ingress):
  • Service discovery: Kubernetes, Nacos, Eureka, DNS, and fixed IP addresses.
  • Grayscale release: canary releases and tag-based routing.
  • High availability: integrates with Application High Availability Service (AHAS) and supports rate limiting, circuit breaking, and degradation.

Security

Nginx Ingress:
  • Supports HTTPS.
  • Supports blacklists and whitelists (source IP deny and allow lists).

ALB Ingress:
  • HTTPS (integrated with SSL) supports end-to-end HTTPS, multiple certificates with Server Name Indication (SNI), dual RSA and ECC certificates, the TLS 1.3 protocol, and TLS cipher suite selection.
  • Supports Web Application Firewall (WAF) protection and is integrated with Alibaba Cloud WAF.
  • Supports Anti-DDoS protection and is integrated with Alibaba Cloud Anti-DDoS.
  • Supports blacklists and whitelists.

Cloud-native gateway (MSE Ingress):
  • HTTPS (integrated with SSL).
  • Web Application Firewall (WAF) protection, integrated with Alibaba Cloud WAF.
  • Supports blacklists and whitelists.

Extensibility

Nginx Ingress:
  • Lua scripts.

ALB Ingress:
  • Uses self-developed AScript scripts.

Cloud-native gateway (MSE Ingress):
  • Wasm plugins, which can be written in multiple languages.
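The Observability and Configuration changes items above say that Nginx Ingress exposes Prometheus metrics and that certificate and Lua plugin changes force a process reload. The following PrometheusRule is an added example of turning those two facts into alerts; it is not code from EDAS or the ingress-nginx project. It assumes the Prometheus Operator CRDs are installed, that the controller's metrics endpoint is scraped, and that the metric names match the ingress-nginx version in use (check them against the controller's /metrics output); the thresholds and durations are illustrative.

```yaml
# Added example, not EDAS or ingress-nginx project code. Metric names are those
# documented by ingress-nginx and should be confirmed against your controller's
# /metrics endpoint; thresholds and durations are assumptions.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: ingress-nginx-alerts
  namespace: ingress-nginx
spec:
  groups:
    - name: ingress-nginx
      rules:
        # Share of 5xx responses per Ingress over the last five minutes.
        - alert: IngressHigh5xxRatio
          expr: |
            sum(rate(nginx_ingress_controller_requests{status=~"5.."}[5m])) by (namespace, ingress)
              /
            sum(rate(nginx_ingress_controller_requests[5m])) by (namespace, ingress)
              > 0.05
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "More than 5% of requests to {{ $labels.namespace }}/{{ $labels.ingress }} are 5xx"

        # The last attempt to apply new Nginx configuration failed, so the
        # gateway is still serving the previous config (old routes, old certs).
        - alert: IngressConfigReloadFailed
          expr: nginx_ingress_controller_config_last_reload_successful == 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "ingress-nginx {{ $labels.controller_pod }} failed to reload its configuration"

        # Each reload drops persistent connections; a high reload rate usually
        # means certificates or Lua plugins are being churned, or a noisy
        # Ingress is being rewritten in a loop.
        - alert: IngressFrequentReloads
          expr: increase(nginx_ingress_controller_success[1h]) > 20
          for: 0m
          labels:
            severity: warning
          annotations:
            summary: "ingress-nginx {{ $labels.controller_pod }} reloaded more than 20 times in the last hour"
```

The reload alerts matter more for Nginx Ingress than for the other two gateways: ALB Ingress and MSE Ingress hot-update certificates without a reload, so a high reload count there has no equivalent, while on Nginx Ingress every reload is a window in which WebSocket and gRPC streams are cut.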