Alibaba’s Higress just got the official CNCF rubber stamp, and let’s be clear about what this means for real people: if you’re running Kubernetes clusters on Nginx Ingress, you’ve got about four years before that tool hits end-of-life. Someone is now betting you’ll switch to this thing instead.
Look, I’ve been watching API gateways come and go since the days when we thought Kong was going to own the world. So let me cut through the announcement noise here: Higress is an Envoy-based traffic router that Alibaba built internally, battle-tested across its massive operations, and is now open-sourcing with serious enterprise backing. That part’s legitimate.
But the real story? It’s not just another gateway. It’s a calculated move to bundle AI gateway functionality directly into what used to be a pure networking layer.
The Nginx Problem That Higress Is Solving (Sort Of)
Nginx Ingress, the de facto standard Kubernetes controller for years, is getting deprecated in 2026. The reasons are tired but real—it’s aging, it’s vulnerable to configuration-injection attacks, and the Kubernetes community wanted a better standard (hence the Gateway API). This leaves millions of organizations scrambling.
“With Nginx Ingress scheduled for retirement in 2026, Higress provides a secure, drop-in replacement for Nginx Ingress. It remains fully compatible with mainstream Nginx Ingress annotations while replacing the vulnerable configuration-injection model with a strong xDS control plane.”
That compatibility claim matters. Drop-in replacement is engineer-speak for “you don’t have to rewrite everything tomorrow.” Higress supports Nginx Ingress annotations while offering something better under the hood—an xDS control plane (the same thing Envoy uses) instead of Nginx’s configuration-file model. Translation: better security, less risk.
So far, so boring. It’s what any respectable successor would do.
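An added example, not from the original article or the Higress project: before relying on any drop-in claim, inventory which Nginx Ingress annotations your clusters actually use and single out the `*-snippet` ones, whose values are raw Nginx configuration text. The sample data is constructed and shaped like `kubectl get ingress -A -o json` output; whether a given annotation is honoured by Higress has to be checked against its documentation.

```python
from collections import Counter

PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "rewrite-target": "/",
        PREFIX + "ssl-redirect": "true",
        "kubernetes.io/ingress.class": "nginx"}}},
    {"metadata": {"namespace": "shop", "name": "checkout", "annotations": {
        PREFIX + "rewrite-target": "/$1",
        PREFIX + "configuration-snippet":
            'more_set_headers "X-Frame-Options: DENY";\nproxy_hide_header Server;'}}},
    {"metadata": {"namespace": "ops", "name": "status"}},  # no annotations at all
]}


def audit(ingress_list):
    """Return (usage, raw): how often each Nginx Ingress annotation is used,
    and which Ingresses carry raw-config snippet annotations."""
    usage = Counter()
    raw = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(PREFIX):
                continue  # not an Nginx Ingress annotation
            short = key[len(PREFIX):]
            usage[short] += 1
            # *-snippet values are pasted into the generated nginx.conf,
            # so they need a manual review rather than a compatibility lookup.
            if short.endswith("-snippet"):
                raw.append((name, short, len(value.splitlines())))
    return usage, raw


if __name__ == "__main__":
    usage, raw = audit(SAMPLE)
    print("Annotation usage (check each against the target gateway's docs):")
    for short, count in usage.most_common():
        print(f"  {count:3d}  {PREFIX}{short}")
    print("Raw-config snippets to review by hand:")
    for name, short, lines in raw:
        print(f"  {name}: {short} ({lines} lines)")
```

To run it against a real cluster, replace `SAMPLE` with the parsed JSON from `kubectl get ingress -A -o json`.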
Where It Gets Interesting (And Where I Get Skeptical)
Here’s where the narrative shifts: Higress doesn’t just want to be Nginx’s replacement. It wants to be your AI gateway too.
Token-based rate limiting for LLM calls. Multi-model fallback (hit Claude, fallback to Gemini, fallback to local model). Model-aware routing. Intelligent load balancing. MCP (Model Context Protocol) support for AI agents. All of this in the same control plane that handles your HTTP traffic.
And look, I get the engineering appeal. Single pane of glass. Unified telemetry. One less thing to operate. But here’s where my skepticism kicks in: Is this actually what enterprises want, or is it what vendors want enterprises to want?
Alibaba built this internally because they run everything at massive scale. They have AI workloads and traditional microservices rubbing shoulders. Unifying the traffic management made sense for them. But most organizations don’t operate at Alibaba’s complexity level. Most teams still struggle to get their first Kubernetes cluster stable, let alone orchestrate AI model routing across it.
The risk I see: you’re now asking platform engineers to become AI infrastructure experts to operate a single tool. That’s not unified governance—that’s complexity hiding under one name.
Who’s Actually Making Money Here
Let’s talk about the real game. Alibaba open-sourced this. The CNCF accepted it as a sandbox project (not even incubating yet—lower bar to entry, actually). So where’s the money?
Alibaba Cloud gets a credibility boost in cloud-native and AI spaces, two markets it cares about. If Higress becomes the standard AI gateway in Kubernetes, more workloads land on Alibaba Cloud’s infrastructure. That’s the play.
For the 10,000+ organizations currently on Nginx Ingress, the question isn’t whether Higress is better—it probably is—but whether they’re willing to bet their traffic routing on something Alibaba maintains. CNCF governance helps, but governance doesn’t fix bugs at 3 a.m. when the gateway goes down.
The Real Moment We Should Be Watching
This matters because Nginx Ingress’s end-of-life is a forcing function. Kubernetes clusters don’t migrate themselves. Someone has to decide: move to Gateway API (the CNCF’s preferred standard, more work upfront), stay on Nginx and eat security risk, or jump to Higress.
Higress is betting it can pull enough organizations away from the Gateway API path by offering a richer feature set right now. That’s not a bad strategy. But it also means Higress is competing against both Gateway API (which has backing from every major cloud provider) and purpose-built AI gateway companies that don’t have to maintain traffic routing compatibility.
The companies Higress lists as customers—Alibaba, Ant Group, DJI, Ctrip—these are giants. But they’re mostly Alibaba ecosystem companies. Real proof would be a Fortune 500 American tech company or a European bank running it in production. We’ll see if that happens.
What Happens Next
Higress will iterate, add more AI features, and try to move from sandbox to incubating status in CNCF (that requires actual traction and diverse contributors). The 2026 Nginx deadline is real, and it creates pressure for decision-making. But don’t mistake CNCF acceptance for mainstream adoption.
The smart move for most organizations right now? Watch this for 18 months. Let others burn through the upgrade path. Then decide whether Higress’s AI features are actually worth your migration effort, or whether you’re better off on the boring, stable, vendor-agnostic Gateway API.
Because at the end of the day, the tool that doesn’t surprise you in production is worth more than the tool that does 15 clever things you don’t actually use.
Frequently Asked Questions
What does Higress actually do? It’s a Kubernetes traffic router (API gateway) built on Envoy, positioned as an Nginx Ingress replacement. It adds native support for AI workloads—LLM routing, model fallback, token-based rate limiting—in the same control plane.
Will I have to switch from Nginx Ingress to Higress? Not immediately. Nginx Ingress is deprecated in 2026, so you have time. Your options are to migrate to Gateway API (the community standard), switch to Higress, or use a managed gateway from your cloud provider. Higress offers backward compatibility, making the switch less painful.
Is Higress safe for production? Alibaba has run it internally at massive scale, and it’s based on proven technology (Envoy, Istio). But “safe for production” depends on your risk tolerance. It’s newer to the open-source world than Nginx, and adoption outside the Alibaba ecosystem is still growing.