What Platform Teams Need to Know Before Moving to Gateway API
We recently sat down with representatives from 42 companies to discuss a pivotal moment in Kubernetes networking: the NGINX Ingress retirement.
With the March 2026 retirement of the NGINX Ingress Controller fast approaching, platform teams are now facing a hard deadline to modernize their ingress strategy. This urgency was reflected in our recent workshop, “Switching from NGINX Ingress Controller to Calico Ingress Gateway,” which saw an overwhelming turnout, with engineers representing a cross-section of the industry, from financial services to high-growth tech startups.
During the session, the Tigera team highlighted a hard truth for platform teams: the original Ingress API was designed for a simpler era. Today, teams are struggling to manage production traffic through “annotation sprawl”—a web of brittle, implementation-specific hacks that make multi-tenancy and consistent security an operational nightmare.
The move to the Kubernetes Gateway API isn’t just a mandatory update; it’s a graduation to a role-oriented, expressive networking model. We’ve previously explored this shift in our blogs on Understanding the NGINX Retirement and Why the Ingress NGINX Controller is Dead.

Bridging the Role Gap: Transitioning from the flat, annotation-heavy Ingress model to the role-oriented Kubernetes Gateway API.
After the workshop, we narrowed down the top questions keeping platform engineers up at night. Here is a detailed breakdown of those key concerns and our answers.
Question 1: Can I use the upstream Envoy Gateway as a PoC before moving to Calico Ingress?
A: Yes. Calico Ingress Gateway is built on a 100% upstream distribution of Envoy Gateway. Because we maintain strict compatibility with the Kubernetes Gateway API standard, you can confidently start a Proof of Concept (PoC) using standard Envoy Ingress Gateway.

High-Performance Architecture: How the Calico Ingress Gateway control plane translates your intent into actionable configuration for the Envoy Proxy data plane.
When you are ready to transition to production, the upgrade to Calico is seamless. You gain access to enterprise-grade security hardening and full lifecycle management via the Tigera Operator, which handles the complex deployment and maintenance tasks for you. This allows you to “start standard” and “scale for the enterprise” without rewriting your configuration.
Question 2: What is the difference between Calico Open Source and Calico Enterprise in terms of Gateway API features?
A: Both versions provide a solid foundation by supporting the core Gateway API spec. However, Calico Enterprise is designed for mission-critical environments where visibility and security are paramount.
Key additions include:
- Advanced Security: Out-of-the-box integration for a Web Application Firewall (WAF) and IDS/IPS directly at the cluster edge.
- Deep Observability: While open source provides basic metrics, Enterprise delivers detailed flow logs and real-time visualization via the Dynamic Service Graph, allowing you to see exactly how traffic traverses your ingress layer.
- Lifecycle Support: Access to 24/7 technical support and CVE-scanned, “hardened” images.

Calico Ingress Gateway integrates seamlessly with the broader Calico Cloud framework to provide unified security, from WAF and IDS/IPS to deep network observability.
Question 3: What exactly does a “hardened” image mean? Are they modified, security-validated, or aligned with compliance requirements?
A: In the Tigera ecosystem, “hardening” is a multi-layered security process. We don’t just pull images from public registries; we rebuild our Envoy images using secure, minimal base images to reduce the attack surface.
- Security Validation: Every image undergoes continuous CVE scanning and vulnerability patching.
- Compliance Alignment: Our build process is designed to meet rigorous standards like FIPS 140-2, ensuring that the traffic entry point for your cluster meets the same compliance requirements (such as PCI DSS or SOC 2) as your internal workloads.
Question 4: Do I need to install the Calico CNI to use Calico Ingress Gateway?
A: No. You do not need the Calico CNI to run the Gateway. While there are “better together” security benefits when using Calico Networking and the Gateway together, the solution is designed to be highly compatible with standard environments.
- Broad Compatibility: You can deploy it as a standalone Gateway API implementation on clusters using Flannel, AWS VPC CNI, Azure VNET CNI, or other standard cloud-native providers.
- Managed Service Support: It is fully supported on EKS, AKS, and GKE.
For a full list of supported platforms and installation steps, check out the Calico Ingress Gateway documentation.
Question 5: Can I migrate incrementally, or is it an “all-or-nothing” big bang?
A: Incremental migration is highly recommended. One of the greatest strengths of the Gateway API is that it can run side-by-side with your existing NGINX Controller.
- Deploy the New Gateway: Set up Calico Ingress Gateway without touching your existing traffic.
- Migrate by Route: Use the HTTPRoute resource to move low-risk applications one at a time.
- Weighted Shift: Leverage weighted load balancing at the DNS or cloud load balancer level to shift a small percentage (e.g., 5-10%) of traffic to the new gateway, validating performance before the final cutover.

Risk-Reduced Rollouts: Using native Gateway API traffic splitting to shift traffic gradually from NGINX to Calico without a “big bang” cutover.
Question 6: Are there any recommendations or best practices for capturing and evaluating performance with Gateway API?
A: Evaluation should be data-driven. We recommend establishing a baseline using Envoy’s native telemetry before and after the move. Key metrics to track include:
- Upstream/Downstream Latency: Measured end-to-end to ensure your data plane meets SLAs.
- Data Plane Apply Time: Monitor how long it takes for new routing rules to propagate (Calico metrics provide high visibility here).
- Error Rates (4xx/5xx): Use Calico’s observability tools to quickly identify if an error is due to a misconfigured ReferenceGrant or a TLS handshake failure.
Migrating from Ingress API to Gateway API
In our recent workshop, we introduced the Ingress-to-Gateway Migration Tool, an open-source utility designed to automate the heavy lifting of manifest conversion. During the live demo, we successfully migrated NGINX-based setups, highlighting a few key operational realities:
- Automation is the Foundation: The tool automatically translates standard NGINX annotations (like weighted traffic and canary rules) into standardized Gateway API resources like HTTPRoute.
- The “Manual” Edge: For sophisticated configurations, such as complex OIDC flows or custom Lua snippets, human review is still necessary. As Meysam Kamali noted during the session: “Automated tools are an incredible accelerator, but ensure you verify complex rules manually to ensure production-grade security.”
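A pre-migration inventory supports both the manual-review point above and the "migrate low-risk applications first" advice in Question 5. The following is an added example, not part of the migration tool or Tigera's code: it sorts each Ingress's annotations into those needing human review and those that are candidates for automated conversion, then orders Ingresses for migration. The choice of which ingress-nginx annotations count as "manual review" is an assumption drawn from the OIDC and Lua-snippet cases named here, and the sample manifests are constructed.

```python
PREFIX = "nginx.ingress.kubernetes.io/"

# Assumption: annotations that inject raw NGINX/Lua config or wire up an
# external auth flow (e.g. an OIDC proxy) are the ones a human must review.
MANUAL_REVIEW = {
    "configuration-snippet", "server-snippet", "auth-snippet",
    "auth-url", "auth-signin",
}

def inventory(ingresses):
    """Classify every annotation on each Ingress (parsed manifest dicts)."""
    report = {}
    for ing in ingresses:
        meta = ing.get("metadata", {})
        key = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        entry = {"manual": [], "tool_candidates": [], "foreign": []}
        for ann in sorted(meta.get("annotations") or {}):
            if not ann.startswith(PREFIX):
                entry["foreign"].append(ann)          # other controllers' keys
            elif ann[len(PREFIX):] in MANUAL_REVIEW:
                entry["manual"].append(ann)           # verify by hand
            else:
                entry["tool_candidates"].append(ann)  # still check the output
        report[key] = entry
    return report

def migration_order(report):
    """Low-risk first: fewest manual-review annotations, then by name."""
    return sorted(report, key=lambda k: (len(report[k]["manual"]), k))

# Constructed sample manifests (metadata only), not taken from the workshop.
SAMPLE = [
    {"metadata": {"namespace": "shop", "name": "storefront", "annotations": {
        PREFIX + "canary": "true", PREFIX + "canary-weight": "10"}}},
    {"metadata": {"namespace": "shop", "name": "admin", "annotations": {
        PREFIX + "auth-url": "https://sso.example.internal/oauth2/auth",
        PREFIX + "configuration-snippet":
            'more_set_headers "X-Frame-Options: DENY";',
        "cert-manager.io/cluster-issuer": "example-issuer"}}},
    {"metadata": {"namespace": "docs", "name": "static"}},
]

if __name__ == "__main__":
    rep = inventory(SAMPLE)
    for name in migration_order(rep):
        print(name, rep[name])
```

An Ingress with a non-empty `manual` list carries security behaviour (authentication, injected headers) that has to be re-implemented and verified on the Gateway side before its route is cut over.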
Your Roadmap to Modern Ingress
The questions we received from over 40 companies confirm that the community is ready for a more robust and role-oriented way to handle traffic. The retirement of Ingress NGINX is not just a challenge to overcome. It is an opportunity to build a more secure and scalable platform for the future.
Many of you asked whether migration can be incremental. The answer is a resounding yes. In our upcoming migration guide, we will walk through the exact steps, manifests, and traffic-shifting strategies needed to move safely and confidently from NGINX Ingress to Gateway API using Calico Ingress Gateway.
Coming next: A step-by-step NGINX controller migration guide
In the guide, learn how to:
- Enable Calico Ingress Gateway and Gateway API
- Map NGINX annotations to HTTPRoute resources
- Run NGINX Ingress and Gateway API side by side
- Configure TLS, redirects, rewrites, and header manipulation
- Perform canary traffic shifts, validation, and safe cutover
- Troubleshoot common migration issues
See the Migration in Action
With the March 2026 NGINX retirement deadline approaching, don’t wait to modernize your stack. Watch our on-demand workshop to see a step-by-step demonstration of migrating traffic from Ingress NGINX to Calico Ingress Gateway in a production environment.
Prefer the technical docs? Get a sneak peek of the upcoming migration guide here.
The post Calico Ingress Gateway: Key FAQs Before Migrating from NGINX Ingress Controller appeared first on Tigera - Creator of Calico.