How We Replaced Nginx Ingress with Higress: A Cloud‑Native API Gateway Case Study

Company background and requirements

Yong9 AI (用九智汇) provides data‑compliance and privacy‑protection solutions for Fortune‑500 customers. Their products run on a cloud‑native stack (Kubernetes, Istio, Apache Dubbo, Alibaba Nacos) and need a gateway that supports open APIs, custom domain names, and private‑cloud deployment without relying on customer infrastructure.

Technical requirements for the gateway

Cloud‑native and compatible with the existing Kubernetes‑based architecture.

Open‑source with a commercial‑friendly license (Apache‑2.0) and a clear roadmap.

Performance at least equal to Nginx Ingress, avoiding frequent restarts and connection drops.

Plugin extensibility, allowing custom authentication/authorization logic.

Ability to route based on domain and apply different plugins per business scenario.

Support for converting HTTP requests to microservice RPC (e.g., Dubbo) to expose a unified API.

Separate deployment of core gateway components and management console, with API‑driven automation for domains, certificates, and routes.

Combined security and traffic gateway to simplify private‑cloud deployments.

Evaluation of alternatives

The team examined Ambassador, Kong, APISIX, Gloo, Spring Cloud Gateway, and their existing Nginx Ingress. Higress was chosen because it builds on Envoy and Istio, matches the Kubernetes stack, and offers strong community support.

Why Higress fits the needs

Built on cloud‑native foundations (Envoy, Istio) and aligns with the current stack.

Open‑source under Apache‑2.0, allowing commercial use and custom modifications.

Wasm plugin mechanism supports multiple languages, enabling dynamic loading/unloading without gateway restarts.

Native HTTP‑to‑Dubbo conversion lets internal Dubbo services be exposed as Open APIs, reducing duplicate implementations.

High compatibility with Nginx Ingress annotations simplifies migration.

Implemented capabilities

1. Custom Wasm authentication plugin

Higress provides built‑in auth plugins (hmac‑auth, jwt‑auth, basic‑auth) but they lack dynamic credential lookup and tenant‑specific header injection. The team developed a Go‑based Wasm plugin to fetch credentials from external services and inject tenant information into request headers.

#1 In plugins/wasm-go/yong9ai-***-auth directory
go mod init yong9ai-***-auth
#2 Write main.go implementing onHttpRequestHeaders/onHttpRequestBody
#3 Build WASM binary
tinygo build -o main.wasm -scheduler=none -target=wasi -gc=custom -tags='custommalloc nottinygc_finalizer' ./main.go
#4 Test with docker‑compose (envoy + httpbin)

Build the plugin image:

#1 In plugins/wasm-go directory
PLUGIN_NAME=yong9ai-***-auth make build
#2 Push to image registry

Deploy the plugin via a WasmPlugin CRD:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: yong9ai-***-auth-1.0.0
  namespace: higress-system
spec:
  phase: AUTHN
  priority: 1000
  url: oci://****.cn-shanghai.cr.aliyuncs.com/**/**:yong9ai-***-auth-1.0.0
  matchRules:
  - config:
      namespace: ***
      serviceName: ***
      servicePort: ***
      serviceSource: ***
    domain:
    - ***.yong9ai.com

2. HTTP‑to‑Dubbo conversion

Using Higress’s Http2Rpc and McpBridge resources, internal Dubbo services are exposed as Open APIs.

apiVersion: networking.higress.io/v1
kind: McpBridge
metadata:
  name: default
  namespace: higress-system
spec:
  registries:
  - domain: nacos-***.***
    type: nacos2
    port: 8848
    name: Nacos
    nacosNamespaceId: public
    nacosGroups:
    - DEFAULT_GROUP

apiVersion: networking.higress.io/v1
kind: Http2Rpc
metadata:
  name: ***-***-***-service
  namespace: higress-system
spec:
  dubbo:
    service: com.yong9ai.***.***.***Service
    version: 1.0.0
    methods:
    - httpPath: /api/open/**/**/**/post.json
      httpMethods: [POST]
      params:
      - paramKey: request
        paramSource: BODY
        paramType: >-
          com.yong9ai.***.***.***Request
      serviceMethod: ***
      headersAttach: '*'

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ***-***-service-***
  namespace: higress-system
  annotations:
    higress.io/destination: '***.***.svc.cluster.local:8080'
    higress.io/ignore-path-case: 'true'
    higress.io/match-method: POST
    higress.io/ssl-redirect: 'true'
spec:
  ingressClassName: higress
  rules:
  - host: ***.yong9ai.com
    http:
      paths:
      - path: /api/open/**/**/**/post.json
        pathType: Exact
        backend:
          resource:
            apiGroup: networking.higress.io
            kind: McpBridge
            name: default
  tls:
  - hosts: [***.yong9ai.com]
    secretName: yong9ai-***

3. Customizing Higress‑console

The open‑source console (SpringBoot backend, React frontend) was extended to automate Dubbo service exposure, domain and certificate management, and route configuration, reducing manual effort.

4. Migration from Nginx Ingress

Partial traffic was shifted to Higress using Alibaba Cloud SLB weight adjustments. Monitoring showed stable performance, and Higress outperformed Nginx Ingress in latency and connection handling, allowing daytime configuration changes without service disruption.

Future plans

The team intends to complete the migration of all Nginx Ingress traffic, support hybrid‑cloud and private‑cloud deployments, and contribute additional features to the open‑source Higress console.