Getting traffic into a cluster has three common answers, and teams routinely pick the heaviest one because it sounds the most enterprise. Start from what your requests actually need, then stop as soon as it is met.
Plain ingress controller
For the majority of HTTP services, an ingress controller (ingress-nginx, or the controller built into your cloud load balancer) is enough. It terminates TLS, routes by host and path, and that is most of what you need on day one. We still run ingress-nginx for plenty of clients with no regrets, as long as nobody is abusing the snippet annotations to smuggle in custom Lua.
- Host and path routing, TLS termination, basic rate limiting
- One controller, one well understood failure mode
- Cheap to operate and easy to hand to a team that is not full time on platform
Gateway API: the direction of travel
The Gateway API is the successor to Ingress, now stable, and it fixes the real pain: it splits responsibility cleanly. A platform team owns the Gateway and listeners, application teams own their HTTPRoutes via an HTTPRoute that references the shared gateway by parentRef. That role split is the actual reason to adopt it, not the feature checklist. If multiple teams share one entry point, this is where we point them.
Gateway API earns its keep through the clean split of who owns the listener versus who owns the route, not through a longer feature list.
When a full API gateway is overkill
A dedicated API gateway (Kong, Apigee, an Envoy mesh edge) makes sense when you are exposing a real product API to outside developers: keys, quotas, plan based rate limits, request transformation, monetization. That is a product surface. If you are routing traffic between your own internal services, you are buying a billing and developer portal you will never switch on.
- You sell or publish an API to third parties who need keys and quotas
- You need per consumer plans, monetization, or heavy request and response transformation
- You have a team that will actually own the policy layer, not just install it
Our default
Single team, internal traffic: ingress controller. Multiple teams sharing an edge: Gateway API. Public product API with external consumers: a real gateway. We have never regretted starting one rung lower than the room wanted to.