MSE Cloud‑Native Gateway vs Nginx Ingress: Performance, Reliability & Security Insights

This article compares Alibaba Cloud's MSE cloud‑native gateway with the traditional Nginx Ingress Controller across performance, cost, reliability and security, presenting benchmark data, CVE analysis, architectural advantages, and a step‑by‑step migration plan for Kubernetes clusters.

Alibaba Cloud Native

Performance and Cost

The MSE cloud‑native gateway delivers nearly double the throughput of the Nginx Ingress Controller, especially for small‑text traffic. In a 16‑core, 32 GB, 4‑node test (ecs.c7.8xlarge), MSE maintains higher throughput at 30% CPU usage, while Nginx’s throughput drops sharply when CPU reaches 70% due to pod restarts.

When TLS encryption is enabled, MSE leverages CPU SIMD acceleration for TLS handshakes, halving handshake latency and boosting peak QPS by over 80% compared with standard HTTPS processing.

Reliability

Under high load, Nginx Ingress Controller suffers pod restarts caused by two main issues: livenessProbe timeouts and OOM kills triggered by Prometheus metric collection (see https://github.com/kubernetes/ingress-nginx/pull/8397). These stem from the controller’s monolithic design where the Go‑based control plane and Nginx data plane share a container, leading to CPU contention.

MSE’s architecture isolates the control and data planes and runs as a fully managed service, avoiding co‑location with user workloads. This design eliminates pod‑restart failures, provides SLA‑backed availability, and prevents single‑point‑of‑failure scenarios.

Security

Multiple CVEs affect various versions of the open‑source Nginx Ingress Controller (e.g., CVE-2022-0778, CVE-2022-23308, CVE-2021-23017, CVE-2018-16843 and CVE-2019-9516). Migrating to MSE eliminates all listed CVEs in one step and offers a smooth upgrade path for future patches.

MSE also bundles Alibaba Cloud’s Web Application Firewall (WAF), delivering shorter request paths, lower response times, and fine‑grained route‑level protection at roughly two‑thirds the cost of the traditional WAF.

Key Advantages of MSE Cloud‑Native Gateway

Up to 50% lower resource cost while achieving higher performance.

Enhanced reliability with managed SLA, no need for dedicated ECS nodes, and isolation from user workloads.

Comprehensive security: all known Nginx Ingress CVEs are patched, and WAF protection is built in.

Smooth Migration Procedure

The migration does not disrupt existing traffic; DNS weight adjustments enable gradual traffic shifting to the new gateway.

Install mse-ingress-controller from the Alibaba Cloud Container Service Marketplace into the target ACK cluster.

Configure MseIngressConfig in Kubernetes to provision an MSE gateway of the desired specifications.

Retrieve the gateway IP from the Ingress address field, bind it locally, and point the business domain to this IP for testing.

Adjust DNS weight to gradually increase traffic to the MSE gateway while monitoring performance.

After full validation, remove the original IP from DNS, completing the cut‑over.
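
The pre-cut-over test in the third step can be scripted. The following is an added example, not part of the original article or of Alibaba's tooling: it requests the same host and paths from the old ingress IP and from the new gateway IP, connecting straight to each IP so no hosts-file change is needed, and reports differences in status code and in a few security-relevant response headers. The header list, the sample values and the command-line usage are assumptions.

```python
import http.client
import socket
import ssl
import sys

# Headers whose loss after cut-over would weaken protection (assumed list).
WATCHED = ("location", "strict-transport-security", "www-authenticate",
           "content-security-policy", "x-frame-options")
# Constructed sample results, used when the script gets no arguments.
SAMPLE_OLD = {"status": 401, "headers": {"www-authenticate": "Basic"}}
SAMPLE_NEW = {"status": 200, "headers": {}}

def probe(ip, host, path="/", port=443, timeout=5.0):
    """GET https://host/path over a socket opened to `ip` instead of via DNS.
    SNI, certificate verification and the Host header all use `host`."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    raw = socket.create_connection((ip, port), timeout)
    conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # wrong cert fails here
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        hdrs = {k.lower(): v for k, v in resp.getheaders()}
        return {"status": resp.status,
                "headers": {h: hdrs[h] for h in WATCHED if h in hdrs}}
    finally:
        conn.close()

def diff(old, new):
    """Return security-relevant differences between two probe() results."""
    out = []
    if old["status"] != new["status"]:
        out.append(f"status: {old['status']} -> {new['status']}")
    for h in WATCHED:
        a, b = old["headers"].get(h), new["headers"].get(h)
        if a != b:
            out.append(f"{h}: {a!r} -> {b!r}")
    return out

if __name__ == "__main__":
    if len(sys.argv) < 4:  # no arguments: offline demo on the constructed sample
        sys.exit("; ".join(diff(SAMPLE_OLD, SAMPLE_NEW)))
    old_ip, new_ip, host, *paths = sys.argv[1:]
    results = {p: diff(probe(old_ip, host, p), probe(new_ip, host, p))
               for p in paths or ["/"]}
    for p, changes in results.items():
        print(p, "; ".join(changes) or "unchanged")
    sys.exit(1 if any(results.values()) else 0)
```

Pass the current ingress IP, the gateway IP read from the Ingress address field, the business domain and the paths to check; a non-zero exit means at least one path behaves differently on the new gateway and should be reviewed before DNS weight is shifted.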

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
