Skip to main content
Published 2026-02-14Updated 2026-06-3047 min read

Gateway API Adoption Guide

πŸ“Œ Reference Versions: Gateway API v1.5.1, Cilium v1.19.0, EKS 1.33+, AWS LBC v3.0.0, Envoy Gateway v1.7.0

1. Overview​

Kubernetes traffic management is converging on the Gateway API, driven by two forces.

First, the retirement of the NGINX Ingress Controller. Its official EOL (End-of-Life) in March 2026 ends security patching, and the structural limits of the Ingress API itself (annotation-based extension, no role separation) have become clear. Migrating to the Gateway API is now mandatory rather than optional.

Second, the rise of tiered gateways for agentic workloads. LLM inference and agent traffic have different requirements than general web/API traffic: token-based metering and rate limiting, model/provider routing, KV-cache-aware routing, prompt/response guardrails, and load balancing across inference pods. Rather than handling all of this in a single gateway, a 2-tier structure is becoming the standard β€” a general Gateway API layer that receives North-South traffic plus a dedicated Inference Gateway layer for inference traffic. The Gateway API and the Gateway API Inference Extension on top of it form the common foundation of this tiered model.

This guide covers Gateway API architecture, comparison of 6 major implementations (AWS LBC v3, Cilium, NGINX Gateway Fabric, Envoy Gateway, kGateway, Kong), Cilium ENI mode deep-dive configuration, step-by-step migration execution strategy, and performance benchmark plans. The detailed design of the inference gateway layer for agentic workloads is covered in the Agentic AI Platform β€” Inference Gateway reference.

General Gateway vs Inference Gateway β€” which to read
  • Designing North-South traffic, NGINX Ingress replacement, general API routing β†’ this document (general Gateway API layer)
  • Designing LLM inference pod routing, KV-cache-aware distribution, model endpoint management β†’ Inference Gateway reference
  • Most agentic platforms use both layers. The Section 4 comparison here is the starting point for deciding which combination of solutions fills each layer.

1.1 Target Audience​

  • EKS cluster administrators running NGINX Ingress Controller: EOL response strategy
  • Platform engineers building agentic AI platforms: general gateway + inference gateway 2-tier design
  • Platform engineers planning Gateway API migration: technology selection and PoC
  • Architects reviewing traffic management modernization: long-term roadmap design
  • Network engineers considering Cilium ENI mode + Gateway API integration: eBPF-based high-performance networking

1.2 Tiered Gateway at a Glance​

2-Tier Gateway for Agentic Workloads
Role separation: Tier 1 general Gateway API + Tier 2 inference traffic layer
Clients Β· Agents Β· External APIs
β–Ό
Tier 1 β€” General Gateway API (North-South)
Auth Β· TLS Β· Routing Β· Rate Limiting Β· WAF
General Gateway API implementations (see Β§4 comparison)
πŸ“„ This document
β–Ό
General API / web services
Tier 2 β€” Inference Traffic (LLM-specific)
β‘  Inference Routing (in-cluster pods) Β· β‘‘ LLM API Gateway (provider proxy)
β‘  Gateway API Inference Extension Β· β‘‘ Bifrost Β· LiteLLM Β· OpenRouter
πŸ“„ Tiered Gateway Architecture
β–Ό
LLM inference pods Β· external LLM APIs
ℹ️ Tier 2 splits into two types β€” β‘  Inference Routing (Inference Extension) does KV-cache-aware routing to in-cluster inference pods, while β‘‘ LLM API Gateway (BifrostΒ·LiteLLMΒ·OpenRouter) abstracts external/internal model APIs. See the Tiered Gateway Architecture document for definitions.

1.3 Document Structure​

πŸ“š Document Structure
Required
1. Overview β€” Structure, audience2. NGINX Retirement β€” EOL timeline, security3. Gateway API Architecture β€” 3-Tier model, roles4. Implementation Comparison β€” AWS Native vs Open Source, NGINX mappings, code6. Conclusion β€” Recommendations, roadmap
Situational
5. Benchmark Planning β€” Test design
Reading Strategy
  • Quick understanding: Sections 1-3, 6 (~10 min)
  • Technology selection: Sections 1-4, 6 (~20 min)
  • Full migration: Entire document + sub-documents (~25 min)

2. NGINX Ingress Controller Retirement β€” Why Migration Is Mandatory​

2.1 EOL Timeline​

Key events in detail:

  • March 2025: IngressNightmare (CVE-2025-1974) discovered β€” an arbitrary NGINX config injection vulnerability via Snippets annotations that accelerated retirement discussions in the Kubernetes SIG Network
  • November 2025: Kubernetes SIG Network officially announced the retirement of the NGINX Ingress Controller, citing insufficient maintainers (1-2) and Gateway API maturity as the main reasons
  • March 2026: Official EOL β€” security patches and bug fixes cease completely. Continued production use after this date risks compliance violations
Mandatory Action

After March 2026, the NGINX Ingress Controller receives no security vulnerability patches. To maintain PCI-DSS, SOC 2, and ISO 27001 compliance, migration to a Gateway API-based solution is required.

2.2 Security Vulnerability Analysis​

IngressNightmare (CVE-2025-1974) attack scenario:

IngressNightmare attack overview

An unauthenticated remote code execution (RCE) attack vector targeting the Ingress NGINX Controller inside a Kubernetes cluster. External and internal attackers take over the controller pod via a Malicious Admission Review, gaining access to all pods in the cluster. (Source: Wiz Research)

Risk assessment:

⚠️ NGINX Ingress Security Risk Assessment
Known vulnerabilities and impact scope
Arbitrary config injection via Snippets annotations
CriticalCVSS: 9.8
Impact Scope:Full Ingress traffic hijacking
Invalid config propagation due to no schema validation
HighCVSS: 7.5
Impact Scope:Service disruption, security policy bypass
RBAC privilege escalation (namespace isolation bypass)
CriticalCVSS: 9.1
Impact Scope:Cross-namespace privilege theft
End of patches after EOL
CriticalCVSS: N/A
Impact Scope:No zero-day vulnerability response
If You Are Currently Operating

For existing NGINX Ingress environments, applying an admission controller policy that immediately prohibits the use of the nginx.ingress.kubernetes.io/configuration-snippet and nginx.ingress.kubernetes.io/server-snippet annotations is recommended.

2.3 Structural Resolution Through Gateway API​

The Gateway API fundamentally resolves the structural vulnerabilities of NGINX Ingress.

πŸ”„ NGINX Ingress vs Gateway API Comparison
Architecture and configuration differences
Resource Structure
NGINX IngressAll settings in a single Ingress resource
Gateway APISeparation of concerns with 3 resources (GatewayClass, Gateway, HTTPRoute)
Configuration
NGINX IngressNon-standard annotations (50+)
Gateway APIStandard CRD fields
Permission Management
NGINX IngressAll settings controllable with namespace-level Ingress permission
Gateway APIPer-resource RBAC separation (Infra/Platform/App teams)
Controller Replacement
NGINX IngressFull Ingress rewrite required
Gateway APIOnly change GatewayClass
Extensibility
NGINX IngressSnippet injection or custom controllers
Gateway APIPolicy Attachment pattern

1. Configuration Snippet Injection Attack

NGINX Ingress allows arbitrary strings to be injected into annotations, creating serious security risks:

# ❌ NGINX Ingress β€” arbitrary string injection possible
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
# Can steal credentials of adjacent services (CVE-2021-25742)
proxy_set_header Authorization "stolen-token";

2. All Permissions Concentrated in a Single Resource

  • A single Ingress resource mixes routing, TLS, security, and extension settings
  • RBAC separation at the annotation level is impossible β€” it is all-or-nothing Ingress permission
  • A developer who only wants to modify routing also holds the permission to change TLS/security settings

3. Vendor Annotation Dependency

  • Features not in the standard are added via vendor-specific annotations β†’ loss of portability
  • Difficult to debug when annotations conflict
  • Increasing complexity of managing 100+ vendor annotations

These structural problems make it hard for NGINX Ingress to meet production security requirements.

Active Community Support
  • 15+ production implementations: AWS, Google Cloud, Cilium, Envoy, NGINX, Istio, and more
  • Regular quarterly releases: GA resources included as of v1.4.0
  • Official CNCF project: development led by the Kubernetes SIG Network

3. Gateway API β€” The Next-Generation Traffic Management Standard​

3.1 Gateway API Architecture​

Gateway API role-based model β€” Source: gateway-api.sigs.k8s.io

Source: Kubernetes Gateway API official documentation β€” three roles (Infrastructure Provider, Cluster Operator, Application Developer) manage GatewayClass, Gateway, and HTTPRoute respectively

Detailed Comparison

The architecture comparison between NGINX Ingress and the Gateway API is available tab-by-tab in 2.3 Structural Resolution Through Gateway API.

3.2 3-Tier Resource Model​

The Gateway API separates responsibilities across the following layered structure:

Gateway API resource model β€” Source: gateway-api.sigs.k8s.io

Source: Kubernetes Gateway API official documentation β€” GatewayClass β†’ Gateway β†’ xRoute β†’ Service layered structure

πŸ‘₯ Role-Based Responsibility Separation
Resource managers and change frequency
GatewayClass⏱ 1-2 per quarter
Manager:Infrastructure Team (SRE, Cluster Admin)
Responsibility:Controller selection, global policies, cost optimization
Gateway⏱ 1-2 per month
Manager:Platform Team (Network Engineers)
Responsibility:Listener config, TLS certificates, load balancer settings
HTTPRoute⏱ Daily
Manager:Application Team (Developers)
Responsibility:Per-service routing, Canary deployment, A/B testing
Service⏱ Per deployment
Manager:Application Team (Developers)
Responsibility:Backend endpoint management

3.3 GA Status (v1.4.0)​

The Gateway API is divided into a Standard Channel and an Experimental Channel, with maturity differing per resource:

βœ… Gateway API GA Status
Resource stability and production recommendation
GatewayClassStandard
GA (v1)βœ…
Controller definition, parameter reference
GatewayStandard
GA (v1)βœ…
Listeners, TLS, load balancer settings
HTTPRouteStandard
GA (v1)βœ…
HTTP routing, header/query matching
GRPCRouteStandard
GA (v1)βœ…
gRPC service mesh matching
ReferenceGrantStandard
GA (v1beta1)βœ…
Cross-namespace reference security
BackendTLSPolicyStandard
Beta (v1alpha3)⚠️
Backend TLS termination (mTLS)
TLSRouteExperimental
Alpha (v1alpha2)❌
TLS Passthrough (SNI routing)
TCPRouteExperimental
Alpha (v1alpha2)❌
L4 TCP routing
UDPRouteExperimental
Alpha (v1alpha2)❌
L4 UDP routing (DNS, VoIP)
Experimental Channel Caution

Alpha-status resources have no API compatibility guarantee and may have fields changed or removed on minor version upgrades. In production environments, using only GA/Beta resources from the Standard channel is recommended.

3.4 Key Benefits​

The 6 key benefits of the Gateway API are presented with visual diagrams and YAML examples.

βœ•
🚫
κΈ°μ‘΄ Ingress
단일 κΆŒν•œ λͺ¨λΈ
🏒 인프라 νŒ€ β†’ GatewayClassπŸ”’
RBAC 격리
πŸ”§ ν”Œλž«νΌ νŒ€ β†’ GatewayπŸ”’
RBAC 격리
πŸ’» μ•± νŒ€ β†’ HTTPRouteπŸ”’

3.5 Basic Resource Examples​

The deployment order of Gateway API resources used in real production environments:

Gateway API resources are deployed separately by role. The infrastructure team manages the GatewayClass, the platform team the Gateway, and the app team the HTTPRoute.

Native Canary Deployment

The Gateway API supports canary deployment without annotations via the weight field. It is more concise and more portable than NGINX Ingress's nginx.ingress.kubernetes.io/canary annotation combination.

4. Gateway API Implementation Comparison β€” AWS Native vs Open Source​

This section compares 6 major Gateway API implementations in detail. It helps make the optimal choice for an organization by clarifying each solution's characteristics, strengths, and weaknesses.

Positioning Kong β€” policy model and AI Gateway distinction

Kong is a mature OpenResty (NGINX + Lua) based API gateway whose KIC (Kong Ingress Controller) is conformant to the Gateway API Standard channel at the Core level. However, most L7 policies (auth, rate limiting, IP control) are implemented via KongPlugin CRDs rather than native Gateway API resources (a 100+ plugin ecosystem). Also, Kong's AI Gateway is an LLM API gateway that proxies external LLM providers β€” a different layer from the in-cluster inference pod routing (Gateway API Inference Extension, kgateway family) covered by this guide. The tables reflect this distinction explicitly.

4.1 Solutions at a Glance​

Before the detailed comparison, the cards below summarize each of the 6 solutions' data plane, best-fit scenario, strength, and watch-outs. Grasping the big picture first, then drilling into the matrices below, is the recommended order.

6 Gateway API Solutions β€” At a Glance
Each card: data plane Β· best fit Β· strength Β· watch-out. See matrices below for detail
AWS Native (LBC v3)
Fully managed Β· SLA 99.99%
ALB / NLBNorth-South (general)
🎯 Best fit AWS all-in + minimal ops
βœ“ WAF/Shield/ACM integration, zero ops
⚠ AWS lock-in, WAF cost for rate limiting
Cilium
Top eBPF performance Β· Hubble
Envoy + eBPFNorth-South (general)
🎯 Best fit High perf + netpol + mesh
βœ“ Lowest latency, ENI native, GAMMA GA
⚠ Learning curve, self-managed nodes
NGINX Gateway Fabric
NGINX 20+ yrs Β· F5 enterprise
NGINXNorth-South (general)
🎯 Best fit NGINX experience + multi-cloud
βœ“ Proven stability, familiar config
⚠ No GAMMA, limited L4 routing
Envoy Gateway
CNCF standard Β· Istio compatible
Envoy ProxyNorth-South (general)
🎯 Best fit CNCF standard + service mesh
βœ“ Policy Attachment, advanced L7
⚠ Relatively new (2 yrs), Envoy complexity
kGateway
AI/ML routing Β· unified gateway
Envoy ProxyNorth-South + Inference
🎯 Best fit In-cluster inference + unified
βœ“ Inference Extension, MCP, API+mesh+AI
⚠ CNCF Sandbox, limited AI prod cases
Kong
100+ plugins Β· 24x7 support
OpenResty (NGINX+Lua)North-South (general)
🎯 Best fit Enterprise API mgmt + LLM API proxy
βœ“ KongPlugin ecosystem, Kong AI Gateway
⚠ Policies via KongPlugin, no TLSRoute

4.2 Solution Overview​

The following matrix compares the key features, limitations, and best use cases of the 6 Gateway API implementations.

Gateway API Solution Overview Comparison
6 solutions Β· 5 comparison categories
Overviewβ–Ά
Click to expand
Key Featuresβ–Ά
Click to expand
Key Limitationsβ–Ά
Click to expand
Best Use Casesβ–Ά
Click to expand
Not Recommendedβ–Ά
Click to expand

4.3 Feature Comparison Matrix​

The following is a comprehensive comparison of the 6 solutions. This table makes each solution's strengths and weaknesses clear at a glance.

Gateway API Solution Comprehensive Comparison
73 comparison items Β· 10 categories Β· 6 solutions
Basic Info (5개)β–Ά
Click to expand Β· 5개 ν•­λͺ©
Gateway API (6개)β–Ά
Click to expand Β· 6개 ν•­λͺ©
Core Features (8개)β–Ά
Click to expand Β· 8개 ν•­λͺ©
Security (4개)β–Ά
Click to expand Β· 4개 ν•­λͺ©
Performance (3개)β–Ά
Click to expand Β· 3개 ν•­λͺ©
Operations (5개)β–Ά
Click to expand Β· 5개 ν•­λͺ©
Mesh Integration (4개)β–Ά
Click to expand Β· 4개 ν•­λͺ©
Advanced Features (6개)β–Ά
Click to expand Β· 6개 ν•­λͺ©
AI/ML (4개)β–Ά
Click to expand Β· 4개 ν•­λͺ©
Observability (4개)β–Ά
Click to expand Β· 4개 ν•­λͺ©
Cost (5개)β–Ά
Click to expand Β· 5개 ν•­λͺ©
Community (4개)β–Ά
Click to expand Β· 4개 ν•­λͺ©

4.4 NGINX Feature Mapping​

This compares how the 8 major features used in the NGINX Ingress Controller are implemented in each Gateway API implementation.

πŸ”€ NGINX Features β†’ Gateway API Mapping
NGINX feature implementation by solution
#NGINX FeatureAWS NativeCiliumNGINX FabricEnvoy GWkGatewayKong
1
Basic AuthLambda/JWTL7 PolicyOIDC PolicyExtAuthJWT/OIDCKongPlugin (jwt)
2
IP AllowlistWAF IP Sets + SGCiliumNetworkPolicyNginxProxySecurityPolicyRouteOptionKongPlugin (ip-restriction)
3
Rate LimitingWAF Rate RuleL7 Rate LimitNginxProxyBackendTrafficPolicyRouteOptionKongPlugin (rate-limiting)
4
URL RewriteHTTPRoute FilterHTTPRoute FilterHTTPRoute FilterHTTPRoute FilterHTTPRoute FilterHTTPRoute Filter
5
Body SizeWAF Size Rule-NginxProxyClientTrafficPolicyRouteOptionKongPlugin (request-size-limiting)
6
Custom ErrorALB Fixed Response-Custom BackendDirect ResponseDirectResponseKongPlugin / template
7
Header RoutingHTTPRoute matchesHTTPRoute matchesHTTPRoute matchesHTTPRoute matchesHTTPRoute matchesHTTPRoute matches
8
Cookie AffinityTG Stickiness-Upstream ConfigSession PersistenceRouteOptionKongPlugin (session)

Legend:

  • βœ… Native support (no separate tooling needed)
  • ⚠️ Partial support or additional configuration required
  • ❌ Not supported (separate solution required)

4.5 Implementation Difficulty​

βš–οΈ Implementation Difficulty Comparison
Feature implementation difficulty by solution
FeatureAWS NativeCiliumNGINX FabricEnvoy GWkGatewayKong
Basic Auth
Medium
Medium
Easy
Medium
Easy
Easy
IP Allowlist
Easy
Easy
Easy
Easy
Easy
Easy
Rate Limiting
Medium
Medium
Easy
Easy
Easy
Easy
URL Rewrite
Easy
Easy
Easy
Easy
Easy
Easy
Body Size
Medium
Hard
Easy
Easy
Easy
Easy
Custom Error
Easy
Hard
Medium
Easy
Easy
Medium
Header Routing
Easy
Easy
Easy
Easy
Easy
Easy
Cookie Affinity
Easy
Hard
Easy
Medium
Easy
Easy

4.6 Cost Impact Analysis​

AWS Native vs Open Source: Cost & Performance Impact
Comprehensive comparison of additional costs, latency overhead, and hop increases per feature
Feature
AWS Native Cost
Open Source Cost
Performance Impact
Basic Auth (JWT)
Lambda execution cost ~$2-10/mo (per 1M requests)
None (self-implemented)
AWS: +5-50ms from Lambda call (cold start +200ms) OSS: Built-in gateway processing, <1ms
⚠️ AWS: +1 hop (ALB β†’ Lambda Authorizer) OSS: No additional hops
IP Allowlist
WAF IP Set + rules $5 (Web ACL) + $1 (rule) = $6/mo
None (NetworkPolicy)
AWS: WAF rule evaluation +0.5-1ms OSS: Kernel/eBPF level processing, <0.1ms
βœ… No additional hops for either AWS: Inline at ALB OSS: Network layer processing
Rate Limiting
WAF Rate-Based Rule $5 (Web ACL) + $1 (rule) + $0.60/1M requests
None (L7 Policy)
AWS: WAF rule evaluation +0.5-1ms OSS: Envoy/NGINX proxy processing, +1-2ms
⚠️ AWS: No additional hops (ALB inline) OSS: May add proxy hop if L7 proxy not already in path
Body Size Limit
WAF Body Size Rule Included in WAF cost
None (Proxy Config)
AWS: WAF body inspection +1-3ms (proportional to body size) OSS: Proxy buffer config, <1ms
βœ… No additional hops for either Inline processing in existing path
Total
WAF total: ~$20-100/mo (varies by traffic)
None (compute resources only)
AWS: +1-5ms cumulative, proportional to rule count OSS: +2-5ms when routed through proxy
⚠️ AWS: Up to +1 hop with Lambda Auth OSS: Up to +1 hop with L7 proxy
Cost Optimization Tips
  • If 3+ WAF features are needed, AWS Native is cost-effective. Multiple rules can be bundled and managed in a single WebACL
  • If only 1-2 are needed, they can be implemented at no additional cost in open source solutions (Cilium, Envoy Gateway)
  • For performance-sensitive workloads, open source is advantageous. There is no WAF rule evaluation latency, as processing happens at the kernel/eBPF level
  • When using a Lambda Authorizer, watch for p99 latency spikes due to cold starts. Review Provisioned Concurrency settings

4.7 Per-Feature Implementation Code Examples​

The implementation of the following 8 features as YAML examples per implementation is provided in a separate cookbook document. This guide focuses on comparison and selection; refer to the cookbook for actual manifests.

#FeatureStandard?
1Authentication (Basic Auth replacement)Per-implementation
2Rate LimitingPer-implementation
3IP Control (IP Allowlist)Per-implementation
4URL RewriteGateway API v1 standard
5Header ManipulationGateway API v1 standard
6Session Affinity (cookie-based)Per-implementation
7Request Body Size LimitPer-implementation
8Custom Error PagesPer-implementation
View all implementation examples

The YAML manifests for each feature across AWS LBC, Cilium, NGINX GF, Envoy Gateway, and kGateway are available in the Feature Implementation Cookbook.

4.8 Solution Selection Decision Tree​

The following decision tree helps select the optimal solution for an organization.

4.9 Scenario-Based Recommendations​

The following are recommended solutions for common organizational scenarios.

🎯 Scenario-based Solution Recommendations
Optimal Gateway API implementation selection guide by use case
AWS All-in + Minimal Ops
1stAWS Native2ndCilium
Managed, SLA guaranteed, small ops team
High Performance + Observability
1stCilium2ndEnvoy GW
Best eBPF performance, Hubble Service Map
NGINX Experience + Multi-cloud
1stNGINX Fabric2ndEnvoy GW
Leverage existing NGINX knowledge, cloud neutral
CNCF + Service Mesh
1stEnvoy GW2ndkGateway
Istio compatible, CNCF standard compliance
AI/ML + Unified Gateway
1stkGateway2ndCilium
AI routing, MCP Gateway, future-oriented
Finance/Healthcare Security
1stAWS Native2ndCilium
WAF, Shield, audit trails, compliance
Startup + Cost Optimization
1stCilium2ndNGINX/Envoy
Fixed costs, avoid vendor lock-in
Hybrid/Multi-cluster
1stCilium2ndkGateway
BGP Control Plane, multi-site mesh
Quick PoC (Validation)
1stAWS Native2ndNGINX Fabric
Fast setup, managed, proven stability
Long-term Strategic Investment
1stCilium2ndEnvoy GW
eBPF future tech, CNCF ecosystem
Enterprise API Management + Plugins
1stKong2ndkGateway
100+ plugins, 24x7 support, existing Kong investment
LLM API Gateway (external model proxy)
1stKong2ndkGateway
Kong AI Gateway, LLM provider routing & semantic cache

5. Benchmark Comparison Plan​

A systematic benchmark for objective performance comparison of the 6 Gateway API implementations is planned. Eight scenarios β€” throughput, latency, TLS performance, L7 routing, scaling, resource efficiency, failure recovery, and gRPC β€” are measured in the same EKS environment.

Benchmark Details

The test environment design, detailed scenarios, metrics, and execution plan are available at Gateway API Implementation Performance Benchmark Plan.


6. Conclusion and Roadmap​

6.1 Conclusion​

🎯 Gateway API Implementation Selection Guide
Optimal route for your organization needs
AWS Native→ AWS all-in organizations
βœ“ Fully managed, auto-scaling, zero ops
Cilium→ High performance + observability focus
βœ“ Best eBPF performance, Hubble visibility, ENI native
NGINX Fabric→ Leveraging NGINX experience
βœ“ Proven stability, familiar config, fast transition
Envoy Gateway→ CNCF standard + service mesh
βœ“ Rich L7 features, Istio integration, extensibility
kGateway→ AI/ML integration needs
βœ“ AI routing, enterprise support, Solo.io ecosystem
Kong→ Enterprise API management + LLM proxy
βœ“ 100+ plugins, 24x7 support, Kong AI Gateway (external LLM routing)

Select the solution that fits your organizational environment based on the table above.

AWS Native (LBC v3) β€” minimal operational burden, leverages the managed nature of ALB/NLB, SLA guarantee, AWS WAF/Shield/ACM integration. Optimal for environments where stability and automatic scaling matter more than raw performance.

6.2 Future Expansion Roadmap​

πŸ—ΊοΈ Future Expansion Roadmap
Gateway API Ecosystem Evolution Path β€” click to expand
πŸš€
Now
Now
1/4β–Ό
πŸ“Š
6 Months
6 Months
2/4β–Ό
πŸ”—
1 Year
1 Year
3/4β–Ό
πŸ€–
2 Years
2 Years
4/4β–Ό

6.3 Key Message​

info

Complete migration before the March 2026 NGINX Ingress EOL to eliminate security threats at the source.

The Gateway API is not just an Ingress replacement β€” it is the future of cloud-native traffic management.

  • Role separation: clear separation of responsibility between platform and development teams
  • Standardization: portable configuration without vendor lock-in
  • Extensibility: scales to East-West, service mesh, and AI integration

Start now:

  1. Collect the current Ingress inventory β€” see Migration Execution Strategy
  2. Select a solution that fits the workload (Section 4)
  3. Build a PoC environment β€” see Migration Execution Strategy
  4. Execute a gradual migration β€” see Migration Execution Strategy

Additional resources:


Sub-documents (Deep-dive Guides)​

The topic-specific deep-dive content of this guide is provided in separate sub-documents.

East-West (service mesh) topics, which extend the Gateway API into mesh traffic, are covered in a separate category.

  • Service Mesh Comparison Guide β€” Data plane architecture, feature matrix, performance overhead, and selection guide for Istio, Cilium, Linkerd, and VPC Lattice
  • GAMMA Initiative β€” GAMMA overview, East-West traffic management, per-implementation support status
  • Tiered Gateway Architecture β€” the full map and terminology of Tier 1 (this document), Tier 2 β‘  inference routing, β‘‘ LLM API gateway, and the Agent Data Plane (single source of definitions)
  • Inference Gateway Reference β€” the Tier 2 inference gateway layer for agentic workloads (KV-cache-aware routing, model endpoint management). Configured as a 2-tier setup together with this document (Tier 1 general gateway)
  • Inference Gateway Setup Guide β€” inference gateway Helm deployment, HTTPRoute, and OTel configuration

External References​