BestHub
Sign in
Cloud Native 11 min read

Seamless Migration from Nginx Ingress to Alibaba Cloud MSE Cloud‑Native Gateway

This guide explains why and how to migrate Nginx Ingress or traditional micro‑service gateways to Alibaba Cloud's MSE cloud‑native gateway, covering security motivations, a five‑stage migration process, preparation steps, command‑line checks, CRD configuration, testing, and gradual SLB traffic shifting.

Alibaba Cloud Native
Alibaba Cloud Native
Alibaba Cloud Native
Seamless Migration from Nginx Ingress to Alibaba Cloud MSE Cloud‑Native Gateway

Why Migrate?

The MSE cloud‑native gateway fully supports over 80% of Nginx Ingress annotations, allowing users to switch without changing existing Ingress resources while gaining richer features. Recent high‑severity CVEs (CVE‑2021‑25745, CVE‑2021‑25746, CVE‑2021‑25748) in the Nginx Ingress project highlight security risks, making a more secure, actively maintained gateway essential.

Migration Overview

The migration is divided into five logical phases, but the core "migration" phase requires only a single operation to convert Nginx Ingress configuration to MSE cloud‑native gateway, minimizing downtime and operational risk.

Step 1: Preparation

Install mse‑ingress‑controller from the ACK marketplace into the cluster that hosts Nginx Ingress.

Run the compatibility check command to verify annotation support before migration:

kubectl run -i --rm --restart=Never checker \
  --image=curlimages/curl \
  -- -s "ack-mse-ingress-controller.mse-ingress-controller.svc:8081/check-nginx-ingress?ingress-class=mse&namespace=mse-ingress-controller"

Parameters:

ack-mse-ingress-controller.mse-ingress-controller.svc – service name in the format ${svcName}.${svcNamespace}.svc.

ingress-class – selects Ingress resources; empty means all, "nginx" selects nginx‑class or unspecified, custom value selects the specified class.

namespace – limits the check to a single namespace when provided; otherwise all namespaces are scanned.

The command returns a JSON payload indicating overall compatibility, total Ingress count, sets of fully supported resources, and details of unsupported ones.

{
  "isAllSupported": false,
  "totalNumber": 3,
  "supportedSet": [
    {"namespacedName": "mse-ingress-controller/ingress"}
  ],
  "unSupportedSet": [
    {"namespacedName": "default/test-3", "reason": "default backend is not supported"},
    {"namespacedName": "mse-ingress-controller/test-3", "reason": "annotation nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream is not supported, tls missing secret"}
  ]
}

Step 2: Migration Execution

Create a MseIngressConfig custom resource to let the controller provision a gateway instance and automatically translate Nginx annotations.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  ingress:
    local:
      ingressclass: mse
  common:
    network:
      vSwitches:
        - "vsw-xxxx"

Apply the configuration: kubectl apply -f mse-ingress-test.yaml Check the status until it becomes Listening , indicating the gateway is created and monitoring Ingress resources:

kubectl get MseIngressConfig test
NAME   STATUS      AGE
test   Listening   3m15s

Status meanings:

Pending – gateway creation in progress (≈3 minutes).

Running – gateway created and operational.

Listening – gateway is running and actively watching Ingress resources.

Failed – abnormal state; inspect the Message field for details.

Step 3: Functional Testing

Deploy a sample Ingress that uses the new class and verify routing with a curl command that resolves the host to the gateway’s SLB IP.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
spec:
  ingressClassName: mse
  rules:
  - host: "foo.bar.com"
    http:
      paths:
      - backend:
          service:
            name: go-httpbin
            port:
              number: 80
        path: /version
        pathType: Prefix
curl http://foo.bar.com/version --resolve foo.bar.com:80:114.55.243.37
version:v1

SLB Traffic Migration

In the SLB console, switch the scheduling algorithm to "Weighted Round Robin" (no impact if weights were never set). Then, in the MSE console, use the "SLB Migration" feature to add gateway nodes to the SLB's server group and assign a small weight (e.g., <5%). Gradually increase the weight to 100% to complete the cut‑over.

Additional Migration Scenarios

For environments using Spring Cloud Gateway or Zuul, the same MSE cloud‑native gateway can replace them, eliminating the extra network layer and reducing operational overhead. Detailed migration guides are available at:

Spring Cloud Gateway migration: https://help.aliyun.com/document_detail/375387.html

Zuul migration: https://help.aliyun.com/document_detail/375389.html

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

migrationCloud NativeKubernetesNginxIngressMSE
Alibaba Cloud Native
Written by

Alibaba Cloud Native

We publish cloud-native tech news, curate in-depth content, host regular events and live streams, and share Alibaba product and user case studies. Join us to explore and share the cloud-native insights you need.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment