How Higress Unifies Multiple Kubernetes Ingress Gateways into One Cloud‑Native Solution
This article explains how Higress replaces Nginx Ingress, Spring Cloud Gateway, Kong, and Istio Ingress Gateway with a single, high‑performance, cloud‑native ingress that reduces maintenance cost, improves traffic management, and integrates seamlessly with Kubernetes and service‑mesh APIs.
Founded in 2014, Shisu Cloud (时速云) provides cloud‑native platforms such as TCAP and KubeData, covering DevOps, PaaS, middleware, edge computing, micro‑service governance, service mesh, and API gateways. Their PaaS platform originally used several different gateway products (HAProxy/Nginx Ingress, Spring Cloud Gateway, Kong, and Istio Ingress Gateway), which caused divergent technology stacks and high maintenance overhead.
Requirement Background
The team needed a single gateway that could satisfy all use cases while using a unified technology stack. Higress was identified as the solution that meets these criteria.
Higress Solution Overview
Higress can act as the Kubernetes Ingress entry point and is compatible with most Nginx Ingress annotations, enabling a smooth migration from Nginx Ingress to Higress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Compatible with Nginx Ingress annotations
    nginx.ingress.kubernetes.io/rewrite-target: "/"
    # Higress-specific annotations for method/header/query matching
    higress.io/match-method: POST
    higress.io/exact-match-query-higressQuery: hi
    higress.io/prefix-match-header-x-higress-header: hi
  name: foo
spec:
  ingressClassName: higress
  rules:
  - host: foo.example.com
    http:
      paths:
      - pathType: Prefix
        path: /foo
        backend:
          service:
            name: foo-service
            port:
              number: 5678

Performance tests show Higress significantly outperforms Nginx Ingress, especially when Lua scripts are involved.
Replacing Spring Cloud Gateway
In Spring Cloud environments, Higress uses the McpBridge CRD to connect to various service registries. The example below connects to a Nacos 2.x registry.
apiVersion: networking.higress.io/v1
kind: McpBridge
metadata:
  name: default
  namespace: higress-system
spec:
  registries:
  - name: my-nacos
    type: nacos2
    domain: 127.0.0.1
    port: 8848
    nacosNamespaceId: d8ac64f3-xxxx-xxxx-xxxx-47a814ecf358
    nacosGroups:
    - DEFAULT_GROUP

Ingress resources can then forward traffic to services registered in Nacos:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    higress.io/destination: user-center.DEFAULT-GROUP.d8ac64f3-xxxx-xxxx-xxxx-47a814ecf358.nacos
  name: user
  namespace: default
spec:
  rules:
  - http:
      paths:
      - backend:
          resource:
            apiGroup: networking.higress.io
            kind: McpBridge
            name: default
        path: "/"
        pathType: Prefix

Compared with Spring Cloud Gateway or Zuul, Higress delivers more than twice the throughput, reducing resource consumption.
Replacing Kong
Higress provides the same authentication plugins (Key Auth, Basic Auth, JWT, HMAC) via the WasmPlugin CRD. An example Key Auth configuration is shown below.
apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: key-auth
  namespace: higress-system
spec:
  defaultConfig:
    consumers:
    - credential: 2bda943c-xxxx-xxxx-xxxx-00163e1250b5
      name: consumer1
    - credential: c8c8e9ca-xxxx-xxxx-xxxx-e700dcc40e35
      name: consumer2
    keys:
    - x-api-key
    in_header: true
    global_auth: true
  matchRules:
  # Requests routed by Ingress default/foo: only consumer1 is allowed
  - ingress:
    - default/foo
    config:
      allow:
      - consumer1
  # Requests for these domains: only consumer2 is allowed
  - domain:
    - www.test.com
    - "*.example.com"
    config:
      allow:
      - consumer2
  url: oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/key-auth:1.0.0

With this configuration, the following request to xxx.example.com is rejected with 403: the key it presents belongs to consumer1, and the "*.example.com" rule allows only consumer2.
curl http://xxx.example.com/test -H 'x-api-key: 2bda943c-xxxx-xxxx-xxxx-00163e1250b5'

Higress also supports dynamic, hot‑updatable Wasm plugins written in multiple languages, eliminating the need to redeploy the gateway for new plugins.
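The outcome of the curl request against the key-auth configuration above can be traced with a small model, added here as an example (it is not Higress plugin code and not part of the original article). The 401 for a missing or unknown key, first-match rule order, and authentication-only handling when no rule matches under global_auth are assumptions of this model.

```python
# Added example: simplified model of the key-auth decision, not Higress code.
# Values mirror the WasmPlugin on this page (credentials are its placeholders).
CONFIG = {
    "consumers": {
        "2bda943c-xxxx-xxxx-xxxx-00163e1250b5": "consumer1",
        "c8c8e9ca-xxxx-xxxx-xxxx-e700dcc40e35": "consumer2",
    },
    "keys": ["x-api-key"],
    "global_auth": True,
    "match_rules": [
        {"ingress": ["default/foo"], "allow": ["consumer1"]},
        {"domain": ["www.test.com", "*.example.com"], "allow": ["consumer2"]},
    ],
}

def domain_matches(pattern, host):
    """Exact match, or '*.suffix' matching any subdomain (not the apex)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def find_rule(cfg, host, ingress):
    """Return the first rule matching the ingress name or host (assumed order)."""
    for rule in cfg["match_rules"]:
        if ingress in rule.get("ingress", []):
            return rule
        if any(domain_matches(p, host) for p in rule.get("domain", [])):
            return rule
    return None

def decide(cfg, host, headers, ingress=None):
    """Return the HTTP status this model assigns to a request."""
    rule = find_rule(cfg, host, ingress)
    if rule is None and not cfg["global_auth"]:
        return 200  # assumed: no rule and no global auth means no check
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = [lowered[k] for k in cfg["keys"] if k in lowered]
    if len(presented) != 1:
        return 401  # authentication failed: no key, or more than one
    consumer = cfg["consumers"].get(presented[0])
    if consumer is None:
        return 401  # authentication failed: key maps to no consumer
    if rule is not None and consumer not in rule["allow"]:
        return 403  # authenticated, but not on this rule's allow list
    return 200
```

The distinction worth checking in gateway logs is 401 (no valid credential) versus 403 (valid credential used against a route or domain it is not allowed on).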
Replacing Istio Ingress Gateway
Although the underlying service‑mesh product at Shisu Cloud is built on Istio, Higress can serve as a drop‑in replacement for the Istio Ingress Gateway. By enabling the Istio API via a Helm flag, users can manage routes with standard Istio resources.
helm upgrade higress -n higress-system higress.io/higress --reuse-values --set global.enableIstioAPI=true

Example Istio Gateway and VirtualService definitions that work with Higress:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: devops
  namespace: higress-system
spec:
  selector:
    higress: higress-system-higress-gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - devops.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: devops
  namespace: higress-system
spec:
  gateways:
  - higress-system/devops
  hosts:
  - devops.com
  http:
  - name: default
    route:
    - destination:
        host: devops.default.svc.cluster.local

Higress also supports TCP routing, allowing it to replace HAProxy for services like MySQL:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
  namespace: higress-system
spec:
  selector:
    higress: higress-system-higress-gateway
  servers:
  - hosts:
    - "*"
    port:
      name: tcp
      number: 3306
      protocol: TCP
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mysql
  namespace: higress-system
spec:
  gateways:
  - mysql
  hosts:
  - "*"
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysql
        port:
          number: 3306
        subset: v1

Benefits and Outlook
Higress supports both Kubernetes Ingress API and Istio Gateway/VirtualService API, enabling fast, seamless upgrades across multiple clusters.
Unifying traffic entry, routing, load balancing, and security under a single stack reduces operational costs and improves developer productivity.
Built on Envoy, Higress shares the same data‑plane technology as sidecars, simplifying extensions and maintenance.
Future expectations include native support for Gateway API (including TCPRoute/UDPRoute), a richer Wasm plugin ecosystem, and an Operator to simplify multi‑instance deployments within a single Kubernetes cluster.
Alibaba Cloud Native
