The Kubernetes community recently announced that Ingress NGINX, one of the most widely used Ingress controllers, will be retired. This change means teams need to plan for a secure, modern, and future-proof alternative for managing Kubernetes traffic. The Kubernetes SIG Network and the Security Response Committee confirmed that the project will only receive basic maintenance until March 2026. After that, there will be no new releases, bug fixes, or security updates.
For organizations that have depended on Ingress NGINX for many years, this is more than a routine update. It represents a major change in how Kubernetes ingress traffic will need to be managed going forward. This raises an important question:
What should replace Ingress NGINX in a way that is secure, modern, standardized, and reliable for the long term?
As the industry moves toward the Kubernetes Gateway API and expectations for security and reliability grow, this is the right time to adopt an ingress solution designed for the future.
Calico Ingress Gateway is a 100% upstream distribution of the Envoy Gateway, supported by Tigera’s enterprise expertise, and offers a smooth and dependable path forward.
The Role of the Calico Ingress Gateway in Modern Kubernetes
Managing traffic in Kubernetes environments presents serious security and operational challenges. Traditional ingress solutions lack flexibility, rely on proprietary configurations, and offer limited traffic control, creating security gaps and inefficiencies.
What’s needed is a more flexible, scalable, and policy-driven approach to ingress traffic management. Enter Calico Ingress Gateway—built to eliminate these limitations while enhancing security, visibility, and control over ingress traffic at scale.
So Why an Ingress Gateway?
An ingress gateway serves as the first point of contact for external traffic entering a Kubernetes cluster. For most modern applications, this traffic includes API requests, user connections, or service calls, all of which need to be routed to the appropriate workloads securely and efficiently. Without a robust ingress solution, organizations face a range of challenges:
- Customization Challenges: Legacy ingress solutions provide limited flexibility, frequently requiring custom annotations to extend functionality, which increases the time and complexity of implementations.
- Operational Complexity: Traditional ingress controllers often rely on proprietary configurations, making deployments harder to manage and less portable across environments.
- Limited Traffic Control: Basic ingress controllers lack some of the advanced features needed to manage, shape, and secure traffic effectively.
What is the Calico Ingress Gateway?
The Calico Ingress Gateway is a 100% upstream distribution of the Envoy Gateway, an OSS implementation of the Kubernetes Gateway API, that solves these problems by providing a standardized, feature-rich, and highly customizable ingress solution designed for Kubernetes environments.
Why Kubernetes Gateway API Matters Now More Than Ever
The Kubernetes Gateway API is an evolution of Kubernetes networking designed to provide a more expressive, extensible, and role-oriented way of managing ingress traffic for services. With new resources (Gateway, GatewayClass, HTTPRoute), it provides:
- Better separation of responsibilities
- Stronger security guarantees
- More flexible and scalable traffic routing controls
- A vendor-neutral standard supported by the Kubernetes community
With the retirement of Ingress NGINX, the Kubernetes Gateway API becomes the new default path forward.
Why Calico Ingress Gateway?
Calico extends this foundation with:
- Enterprise-grade hardening that includes CVE protection
- Superior security integration (WAF, IDS/IPS, policy enforcement)
- Full lifecycle support
- Deep Calico observability and enforcement capabilities
The Calico Ingress Gateway improves security and policy enforcement by enabling fine-grained control over how traffic is handled across different namespaces and teams. Advanced traffic control features like traffic splitting, retries, rate limiting, and more are built in, reducing the need for custom annotations. As Kubernetes environments grow more complex, the Calico Ingress Gateway, which is based on the Kubernetes Gateway API, provides a structured and standardized way to manage ingress and service-to-service traffic.
🎥 Looking for guidance on what comes after NGINX Ingress?
These on-demand sessions cover both the strategy and the hands-on migration to Kubernetes Gateway API using Calico Ingress Gateway.
① Moving Beyond NGINX: Gateway API & Calico Ingress Gateway
Learn the safest, future-proof path away from NGINX Ingress using the Kubernetes Gateway API.
② Calico Demo: Switching from NGINX Ingress to Gateway API
See a real migration from NGINX Ingress Controller to Calico Ingress Gateway, including security and observability.
How Calico Ingress Gateway Fits into the Calico Platform
The Calico Ingress Gateway extends Calico Cloud and Calico Enterprise into unified platforms for ingress, egress, intra-cluster, cross-cluster, and service mesh traffic—eliminating silos and simplifying security management.
By integrating WAF, IDS/IPS, and advanced security controls with an ingress gateway, Calico enhances visibility and enforcement not just for ingress traffic, but for all traffic types. This approach provides a comprehensive security posture, plugs critical gaps, and streamlines operations for Kubernetes environments.
Want to see how Calico can replace and improve your current ingress setup? 👉 Schedule a demo to explore it firsthand.
Calico Ingress Gateway Capabilities
Based on the Envoy Gateway
One of the key benefits of the Calico Ingress Gateway is that it is an enterprise-hardened, 100% upstream distribution of Envoy Gateway, which offers a more structured and extensible approach to managing ingress compared to the traditional Kubernetes Ingress API. This allows organizations to define policies for security, traffic routing, and observability in a more consistent and scalable manner. Since it is built on Envoy Gateway, it benefits from Envoy’s performance optimizations, support for Layer 7 traffic management, and extensibility, making it a robust choice for modern Kubernetes networking.
Advanced Traffic Management
Path-Based Routing
Path-based routing in the Kubernetes Gateway API allows users to define how incoming HTTP requests are routed to backend services based on the URL path. This is accomplished using the HTTPRoute resource, which enables fine-grained control over traffic routing by specifying path match rules, path types (exact, prefix, or regular expression), and destination services. For example, an HTTPRoute can direct requests with paths like /api/* to one backend service while sending requests with /blog/* to another, ensuring that different parts of an application are properly segmented. By leveraging path-based routing, users can optimize request handling, improve performance, and simplify service composition in complex Kubernetes environments.
Traffic Splitting
Traffic splitting in the Kubernetes Gateway API enables users to distribute incoming traffic across multiple backend services, making it useful for delivery strategies like canary deployments, blue/green deployments, and A/B testing. This is configured using the HTTPRoute resource, where multiple backend Services are assigned different weight values, determining the percentage of traffic each service receives. For example, an HTTPRoute can send 90% of traffic to a stable version of an application while directing 10% to a new version for gradual rollout and monitoring. The Gateway API’s native support for weighted traffic distribution provides a structured and vendor-neutral way to implement traffic splitting without relying on custom annotations or service-specific configurations. Combined with observability tools, this approach allows teams to test new features safely, minimize risk, and roll back easily if needed.

Load Balancing
Load balancing in the Kubernetes Gateway API ensures that incoming traffic is evenly distributed across multiple backend services, improving performance, reliability, and scalability. The HTTPRoute resource allows users to specify multiple backend services, and the Gateway implementation handles distributing requests based on the configured load-balancing strategy. The Calico Ingress Gateway supports advanced load-balancing policies, including round-robin, least connections, and hash-based balancing.
By default, most load balancers are configured to use a round-robin strategy, evenly distributing traffic across all healthy backends. However, users can fine-tune this behavior by defining policies that prioritize certain backends based on latency, session affinity (sticky sessions), or geographic proximity. Load balancing with the Gateway API ensures that Kubernetes services remain responsive under varying loads, optimizing resource utilization while enhancing fault tolerance and high availability.

Resilience Features
In dynamic Kubernetes environments, network disruptions, service failures, and traffic spikes are inevitable. Calico Ingress Gateway enhances resilience by providing built-in mechanisms to mitigate failures, optimize performance, and maintain service continuity. Features like rate limiting, retry policies, circuit breaking, and timeouts ensure that applications remain stable, responsive, and secure—even under unpredictable conditions.
Rate Limiting
Rate limiting in the Calico Ingress Gateway helps control the volume of incoming requests to prevent service overload and ensure fair usage. This is done through policy attachments or custom resource definitions (CRD). Rate limiting allows users to define limits based on requests per second, per client IP, or authentication tokens, ensuring controlled access to backend services. By enforcing rate limits at the Ingress Gateway level, organizations can prevent abuse, protect APIs, and ensure stability across their Kubernetes workloads without requiring application-level rate limiting.

Retry Policies
Retry policies allow users to automatically retry failed requests, improving resiliency and fault tolerance for backend services. These policies can specify conditions for retries, such as HTTP status codes (e.g., 500, 503), connection failures, or timeouts, along with parameters like the maximum number of retries and backoff intervals. By implementing retry policies at the Gateway level, Kubernetes users can increase service reliability, reduce transient failures, and enhance application availability.
Circuit Breaking
Circuit breaking helps prevent service failures from cascading by limiting the number of failing requests sent to an unhealthy backend. These policies allow users to define thresholds for maximum concurrent connections, request rates, failure percentages, and timeout limits, automatically stopping traffic to a failing service until it recovers. By enforcing circuit breaking at the Gateway level, Kubernetes users can improve system stability, prevent overload, and ensure that failures in one service don’t degrade the entire application.
Timeouts
Timeouts control how long a request can wait for a response before failing, improving system responsiveness and preventing resource exhaustion. These settings can define maximum durations for upstream responses, idle connections, and retries, ensuring that slow or unresponsive services do not degrade overall performance. By enforcing timeouts at the Gateway level, Kubernetes users can improve reliability, free up resources, and prevent requests from hanging indefinitely.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) in the Calico Ingress Gateway provides fine-grained security by controlling which users or services can configure and interact with the gateway’s resources. Calico Ingress Gateway leverages Kubernetes RBAC to manage access to its API objects, ensuring that only authorized users can create or modify Gateway configurations, HTTPRoutes, and other resources. This means you can delegate different aspects of configuring the Ingress Gateway to different roles, for example: cluster admin, DevOps, and developer roles.
Comprehensive Observability
The Calico Ingress Gateway provides comprehensive logging and metrics capabilities to enhance observability, troubleshooting, and performance monitoring for Kubernetes networking. Calico Ingress Gateway leverages Envoy’s built-in observability features, exposing detailed access logs, traffic metrics, and tracing data to help operators understand request flow and system behavior.
Access Logs
Calico Ingress Gateway captures detailed logs of all incoming and outgoing requests, including source and destination IPs, HTTP status codes, request durations, and response sizes. These logs can be configured in JSON or text format and exported to logging systems like Fluentd, Elasticsearch, or Loki.
Error Logs
Provides insight into failures, misconfigurations, and traffic issues, helping diagnose connectivity problems and policy violations.
Metrics
- Traffic Metrics: Calico Ingress Gateway exposes HTTP request counts, response codes, latency, and active connections, allowing users to monitor traffic patterns.
- Load Balancing Metrics: Tracks load distribution across backends, helping optimize performance.
- Rate Limiting Metrics: If rate limiting is enabled, Calico Ingress Gateway provides statistics on blocked requests and allowed requests per client/IP.
- Circuit Breaking Metrics: Monitors the number of connections or requests that are rejected due to circuit-breaking policies.
Easy Deployment and Configuration
Deploying the Calico Ingress Gateway is simple using the Calico Operator. Since Calico Ingress Gateway is a 100% enterprise-grade distribution of the Envoy Gateway, it integrates seamlessly into existing Calico environments without requiring any complex configurations or custom patches, and it can be installed with zero additional effort in new Kubernetes environments. With just a few YAML manifests to configure ingress traffic policies using Resources which are called Custom Resource Definitions (CRDs) in the Gateway API specification, teams can easily have a fully operational ingress solution that enforces security policies and traffic control at scale.
Future Developments for Calico Ingress Gateway
The Calico Ingress Gateway is being enhanced to work better with other Calico capabilities to deliver deeper observability, stronger security, and seamless multi-cluster ingress traffic control. Future enhancements to the Calico Ingress Gateway will provide richer traffic insights, superior observability of ingress traffic, deep integration with Calico’s WAF, and improved cluster mesh support.
Conclusion: Preparing for a Post–Ingress NGINX World
The retirement of Ingress NGINX is a meaningful shift for many Kubernetes teams. It forces organizations to think about how they want to manage traffic going forward and what kind of solution will remain dependable as the ecosystem continues to evolve.
The Calico Ingress Gateway delivers the security, scalability, and control that modern Kubernetes environments need. Calico, by unifying ingress, egress, intra-, and inter- traffic management, eliminates security gaps, simplifies policy enforcement, and enhances observability within and across clusters.
The Calico Ingress Gateway offers a path built on open standards and backed by active community and enterprise support. It provides:
- A stable, long-term option based on the Kubernetes Gateway API
- Strong security and consistent policy enforcement
- Integration with Calico’s broader network security capabilities
- Reliable performance and flexibility as environments grow
As teams plan for life beyond Ingress NGINX’s end of maintenance in March 2026, the Calico Ingress Gateway offers a practical and future-ready option for managing ingress traffic with confidence.
📚 Your Guided Reading on NGINX Deprecation
Get up to speed on Ingress NGINX retirement and learn how to migrate confidently. Follow these posts in order for a structured path from awareness to action:
- Step 1 – Understand the change: Ingress NGINX Controller Is Dead — Should You Move to Gateway API?
- Step 2 – Assess your options: Is It Time to Migrate? A Practical Look at Kubernetes Ingress vs Gateway API
- Step 3 – Explore migration strategy: 5 Reasons to Switch to the Calico Ingress Gateway and How to Migrate Smoothly
- Step 4 – Deep dive into Calico Ingress Gateway: A Detailed Look at the Calico Ingress Gateway
- Step 5 – Understand security implementation: Securing Kubernetes Traffic with Calico Ingress Gateway
- Step 6 – Take action:
Ask for a demo
This reading path ensures you go from understanding the NGINX deprecation to a practical migration plan with confidence.
Blog updated November 2025 with new insights and webinar information.




