From Ingress NGINX to Higress: migrating 60+ resources in 30 minutes with AI
Source: CNCF Blog
Overview
With the official retirement of Ingress NGINX in March 2026, enterprise platform teams face an urgent security and compliance mandate. Continuing to run a retired controller leaves critical infrastructure exposed to unpatched vulnerabilities. For an infrastructure engineer managing a cluster with over 60 complex Ingress resources, the challenge was clear: find a modern, enterprise‑ready replacement that could be adopted without months of manual refactoring.
Why Higress for the AI era?
Higress, built on Envoy and Istio, is an AI‑native API gateway that addresses the shortcomings of legacy controllers while offering specialized features for Large Language Models (LLMs).
- AI‑Native Architecture – Treats LLMs as first‑class citizens with token‑based rate limiting (to control model costs) and caching capabilities (to reduce latency for common prompts).
- LLM Protocol Governance – Provides a unified protocol for interfacing with various LLM providers, enabling seamless model swaps behind a single secure endpoint.
- Zero‑Downtime Reliability – Leverages Envoy’s xDS protocol for configuration updates in milliseconds, eliminating the “NGINX reload” issue that disrupts persistent AI streaming and gRPC connections.
- Model Context Protocol (MCP) – Supports hosting MCP servers, allowing AI agents to securely interact with enterprise tools and data via the gateway.
AI‑Assisted Migration Workflow
1. Understanding the Current State
An AI agent equipped with the nginx-to-higress-migration skill audited the cluster, automatically identifying all Ingress resources and flagging NGINX‑specific annotations that required translation.
2. Risk‑Free Simulation
To verify that migration would not break production traffic, a simulated environment was created with Kind (Kubernetes in Docker). Higress was installed with status updates disabled (global.enableStatus=false) so it would not modify the Ingress status field, allowing it to coexist with NGINX and enabling side‑by‑side testing of routing logic.
3. Solving Custom Logic with WASM
For complex NGINX snippets flagged during analysis, the higress-wasm-go-plugin skill generated high‑performance WebAssembly (WASM) plugins that replicated custom Lua or NGINX logic within the Higress sandbox.
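The audit in step 1 can be cross-checked by hand before trusting an agent's gap analysis. The following is an added example, not code from the migration skill or the Higress project: it reads output shaped like `kubectl get ingress -A -o json` and separates raw-config snippet annotations (the step 3 candidates) from other NGINX-specific ones. The function names, the sample manifests and the choice of which keys count as snippets are assumptions.

```python
import json
from collections import defaultdict

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# Assumption: these annotations embed raw NGINX config, so they cannot be
# mapped key-for-key and are the candidates for a custom plugin (step 3).
SNIPPET_KEYS = {"configuration-snippet", "server-snippet", "auth-snippet"}

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
        "nginx.ingress.kubernetes.io/configuration-snippet":
            "more_set_headers \"X-Frame-Options: DENY\";",
        "cert-manager.io/cluster-issuer": "letsencrypt"}},
     "spec": {"ingressClassName": "nginx"}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/ssl-redirect": "true"}},
     "spec": {"ingressClassName": "nginx"}},
    {"metadata": {"namespace": "ops", "name": "plain"},
     "spec": {"ingressClassName": "nginx"}},
]})

def audit(ingress_list_json):
    """Return per-Ingress findings: snippet annotations vs. other NGINX ones."""
    findings = {}
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        result = {"snippets": [], "nginx_annotations": []}
        for key in sorted(meta.get("annotations") or {}):
            if not key.startswith(NGINX_PREFIX):
                continue  # not NGINX-specific, e.g. cert-manager annotations
            short = key[len(NGINX_PREFIX):]
            bucket = "snippets" if short in SNIPPET_KEYS else "nginx_annotations"
            result[bucket].append(short)
        findings[name] = result
    return findings

def summary(findings):
    """Count how many Ingresses use each annotation, to size the migration."""
    counts = defaultdict(int)
    for result in findings.values():
        for short in result["snippets"] + result["nginx_annotations"]:
            counts[short] += 1
    return dict(counts)

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, result in report.items():
        print(name, result)
    print(summary(report))
```

Every entry under `snippets` deserves a manual read of the annotation value before and after translation, since that is where custom header, auth or access logic lives.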
Outcome: 30 Minutes to Compliance
By leveraging Higress’s native NGINX compatibility and AI‑assisted validation, the entire migration was completed in just half an hour.
| Phase | AI Agent Task | Outcome |
|---|---|---|
| Analysis | Audit 60+ Ingress resources | Full gap analysis in < 1 minute |
| Simulation | Mirror environment in Kind | Verified “digital twin” with < 10 minutes of manual typing |
| Plugin Dev | WASM plugin generation | Custom snippets translated in < 2 minutes |
| Execution | Generate final runbook | Production‑ready in 30 minutes |
The retirement of Ingress NGINX is not merely a migration hurdle; it is an opportunity to upgrade to a more resilient, AI‑ready architecture. Moving to Higress gives organizations an enterprise‑grade gateway built on Envoy and Istio, ready for the future of LLM integration.