Gateway API for EKS: Unify Traffic Before 2026
Ingress NGINX retires in March 2026. The industry must shift to Gateway API as the sole standard for EKS traffic management. Amazon Web Services confirms that traditional reliance on annotation-heavy JSON configurations creates significant friction. The new AWS Load Balancer Controller integration enables type-safe routing across distinct layers. Gateway API modernizes EKS network architecture by replacing fragmented tools with a single, role-oriented specification that separates infrastructure concerns from application logic.
We dissect the architectural mechanics of running dual controllers simultaneously. One API definition orchestrates both ALB internet ingress and Amazon VPC Lattice service-to-service communication. The following strategic decision framework guides controller selection without sacrificing the consistency required for reliable GitOps pipelines.
The Role of Gateway API in Modernizing EKS Network Architecture
Gateway API CRDs and Role-Oriented Design in EKS
Gateway API functions as a collection of Kubernetes Custom Resource Definitions (CRDs) modeling service networking. This specification represents the next generation of routing in Kubernetes, replacing the monolithic Ingress API with distinct objects for infrastructure and application layers. The GatewayClass resource defines the controller implementation, while HTTPRoute resources specify traffic rules for developers. This separation prevents application teams from accidentally modifying load balancer configurations. AWS moved from annotation-based configuration to type-safe Custom Resource Definitions with the GA of Gateway API support. Legacy methods often required cramming JSON into annotations, a practice prone to runtime errors because nothing validated the strings before apply time.
A single `HTTPRoute` object directs external traffic to an ALB and internal mesh traffic to VPC Lattice simultaneously. This unified specification eliminates the operational friction of maintaining separate configuration schemas for north-south and east-west flows. AWS implements this through two distinct backends: the AWS Load Balancer Controller provisions internet-facing resources, while the AWS Gateway API Controller manages service network endpoints. Teams define one routing rule and the cluster dispatches it to the correct infrastructure plane based on the attached `GatewayClass`.
| Traffic Direction | Target Service | Controller Requirement |
|---|---|---|
| Internet Ingress | Application Load Balancer | AWS Load Balancer Controller |
| Service-to-Service | Amazon VPC Lattice | AWS Gateway API Controller |
Strict resource lifecycle ordering prevents orphaned cloud assets. Operators must delete `HTTPRoute` and `Gateway` objects before terminating the EKS cluster. This allows controllers to cleanly remove underlying AWS resources. Skipping this deletion order step leaves load balancers active and billing continues. Running dual controllers consumes more control plane resources than a single-purpose setup. Developers no longer need to master service-mesh-specific DSLs for internal routing.
Legacy Ingress Annotations vs Expressive Gateway Routing
Ingress API relies on controller-specific JSON annotations that lack validation and type safety, creating runtime errors during deployment. Legacy configurations embed complex logic directly into metadata fields, forcing operators to manage error-prone strings instead of structured objects. This approach prevents standard GitOps workflows from detecting routing mistakes before they reach production clusters. Gateway API replaces these opaque annotations with native header-based routing and weighted routing capabilities set in clear YAML blocks. Developers specify traffic splits and match conditions using dedicated fields rather than abusing annotation keys for features the Ingress schema does not support. The shift eliminates the need for custom parsers and reduces the cognitive load required to understand network behavior.
| Feature | Ingress API | Gateway API |
|---|---|---|
| Configuration Method | Controller-specific annotations | Native CRD fields |
| Routing Logic | Limited path matching | Header and weight support |
| Validation | None at apply time | Schema-enforced types |
| Owner Separation | Mixed responsibilities | Distinct role resources |
Upstream Kubernetes schedules the retirement of Ingress NGINX to accelerate adoption of this modern standard. Clusters running version 1.36 will face increased maintenance burdens as legacy support vanishes in April 2026. Operators sticking with old patterns risk losing community support and security patches for their ingress controllers. Migration becomes mandatory rather than optional once the deprecation window closes for the older specification.
Dual-Controller Routing Logic for ALB and VPC Lattice
The `GatewayClass` name acts as the deterministic switch that directs traffic to either an AWS ALB or a VPC Lattice service network. This separation allows the AWS Load Balancer Controller to satisfy L7 `HTTPRoute` specifications by provisioning public-facing Application Load Balancers for internet ingress. Conversely, the VPC Lattice Gateway API Controller interprets identical route objects to establish internal connectivity without requiring VPC peering or Transit Gateway attachments. Operators must define distinct `Gateway` resources referencing specific controller classes to prevent resource contention within the same cluster.
| Traffic Pattern | Controller | Infrastructure Provisioned |
|---|---|---|
| Internet Ingress | AWS Load Balancer Controller | AWS ALB / NLB |
| Internal Service Mesh | VPC Lattice Gateway API Controller | VPC Lattice Service Network |
Deletion order during cluster teardown presents a critical operational constraint. Gateway API resources such as `HTTPRoute` objects require removal before the EKS cluster itself. This allows controllers to properly clean up AWS resources. Skipping this sequence leaves orphaned infrastructure that incurs costs and creates security gaps. The architecture enforces a strict boundary where external threats terminate at the ALB layer while lateral movement controls reside entirely within the VPC Lattice plane. This dual-plane approach eliminates configuration fragmentation but demands precise `GatewayClass` assignment to avoid routing loops or dropped packets.
Implementing Internet Ingress and Cross-Cluster Service Calls
External client requests to `shop.api.example.com` terminate TLS at the Application Load Balancer using certificates from AWS Certificate Manager. This north-south flow relies on the AWS Load Balancer Controller to provision the listener and forward decrypted traffic to the shop pod. Internal communication follows a distinct path where the shop pod calls `cart.api.example.com` for cross-cluster data retrieval. The VPC Lattice Gateway API Controller resolves this hostname to a service network endpoint, routing the packet directly to the cart service in the Apps-A cluster. This mechanism eliminates the need for VPC peering or Transit Gateway attachments between the source and destination environments. Operators must define separate `Gateway` resources referencing specific `GatewayClass` names to direct traffic to the correct infrastructure plane. The controller selection logic remains deterministic based on this class reference, preventing resource contention during simultaneous deployments. A significant limitation arises when teams attempt to share a single `Gateway` object across both controllers, as each watches only its assigned class. This constraint enforces strict separation between internet-facing and internal service meshes, reducing accidental exposure of internal APIs.
The dual-controller pattern introduces operational overhead by requiring maintenance of two distinct control loops within the same cluster. Teams gain architectural clarity but lose the simplicity of a single binary managing all routing decisions. Security boundaries remain explicit rather than implicit in shared configuration objects.
Decision Framework: AWS WAF Integration vs Native Service Mesh
Select the AWS Load Balancer Controller specifically when internet ingress requires AWS Web Application Firewall (WAF) protection or OIDC authentication. This controller provisions public Application Load Balancers capable of integrating Amazon CloudFront as a VPC origin for private backends. Organizations prioritizing edge security accept the operational overhead of managing public IP ranges to gain fixed response rules and redirect actions. Internal traffic flows demand the VPC Lattice Gateway API Controller to eliminate VPC peering complexity across multiple accounts. This implementation supports mixed compute targets including AWS Lambda and Amazon ECS without additional networking configuration. Onlyplay Gaming validated this architectural split by using Amazon Route 53 alongside caching features to reduce asset load times by 21 percent. Perimeter defense depth and simplified east-west connectivity require different tools. Operators cannot achieve both WAF integration and peer-less cross-cluster routing with a single controller instance.
| Requirement | AWS Load Balancer Controller | VPC Lattice Controller |
|---|---|---|
| Traffic Direction | North-South (Internet) | East-West (Internal) |
| Security Layer | AWS WAF Integration | Service Auth Policies |
| Compute Targets | EKS Pods Only | EKS, Lambda, ECS, EC2 |
| Network Prep | Public Subnets Required | No Peering Needed |
The GatewayClass name serves as the deterministic switch routing declarations to the correct infrastructure plane. Attempting to force internal service mesh traffic through a public ALB introduces unnecessary latency and exposure risk. Conversely, exposing VPC Lattice endpoints directly to the internet violates standard zero-trust networking principles.
Strategic Decision Framework for Controller Selection
Defining Traffic Patterns for ALB and VPC Lattice Controllers

Public internet ingress demands the AWS Load Balancer Controller to provision Application Load Balancers capable of terminating external TLS sessions. Internal service-to-service communication instead relies on the VPC Lattice Gateway API Controller to route east-west traffic without VPC peering. Operators must distinguish these flows because a single misapplied `GatewayClass` exposes internal microservices to public scanning or blocks legitimate external clients. Edge security features compete against simplified mesh connectivity.
Selecting the wrong controller forces costly refactors later in the deployment lifecycle. External APIs requiring AWS WAF integration must map to the ALB implementation, while hybrid workloads spanning Lambda and EC2 benefit from the service network abstraction. Resource deletion order creates a rigid sequential requirement for GitOps pipelines managing cluster lifecycles. Ambiguity manifests as idle network interfaces or unreachable internal endpoints during rollout windows.
Deploying Dual Controllers in Multi-Cluster EKS Architectures
Edge clusters route `shop.api.example.com` via public ALB while directing internal payments traffic through VPC Lattice service networks. This split requires distinct GatewayClass definitions to prevent controller contention over resource ownership. Operators must assign the AWS Load Balancer Controller to internet-facing gateways and the VPC Lattice Gateway API Controller to private mesh gateways within the same namespace.
Deleting the EKS cluster before removing `HTTPRoute` objects orphans underlying AWS resources. Expensive load balancers run indefinitely. The Gateway API specification allows both controllers to coexist, yet lifecycle management remains a manual burden for platform teams. Failure to enforce this sequence results in billing leakage that persists long after the cluster identifier vanishes from the console.
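The `GatewayClass` split for `shop.api.example.com` and `cart.api.example.com` above, together with the routes-before-gateways-before-cluster deletion order, can be enforced as a pre-apply check in a GitOps pipeline. The following is an added example, not code from the article or from AWS: the objects are constructed dicts in Gateway and HTTPRoute shape (what a pipeline would load from YAML), and the two `controllerName` strings are assumptions.

```python
"""Pre-apply lint for the dual-controller EKS Gateway API layout.

Added example, not code from the article or from AWS. Objects are
constructed dicts in Gateway/HTTPRoute shape; controllerName strings
are assumptions about the two AWS implementations.
"""
# Which infrastructure plane a GatewayClass controller provisions (assumed names).
PLANE_BY_CONTROLLER = {
    "gateway.k8s.aws/alb": "internet",                                    # AWS LBC
    "application-networking.k8s.aws/gateway-api-controller": "internal",  # VPC Lattice
}

MANIFESTS = [  # constructed sample: two classes, two gateways, two routes
    {"kind": "GatewayClass", "metadata": {"name": "alb-public"},
     "spec": {"controllerName": "gateway.k8s.aws/alb"}},
    {"kind": "GatewayClass", "metadata": {"name": "lattice-internal"},
     "spec": {"controllerName": "application-networking.k8s.aws/gateway-api-controller"}},
    {"kind": "Gateway", "metadata": {"name": "edge-gw"}, "spec": {"gatewayClassName": "alb-public"}},
    {"kind": "Gateway", "metadata": {"name": "mesh-gw"}, "spec": {"gatewayClassName": "lattice-internal"}},
    {"kind": "HTTPRoute", "metadata": {"name": "shop"},
     "spec": {"parentRefs": [{"name": "edge-gw"}], "hostnames": ["shop.api.example.com"]}},
    {"kind": "HTTPRoute", "metadata": {"name": "cart"},
     "spec": {"parentRefs": [{"name": "mesh-gw"}], "hostnames": ["cart.api.example.com"]}},
]


def gateway_planes(objs):
    """Resolve Gateway -> GatewayClass -> controller -> plane; None when unknown."""
    classes = {o["metadata"]["name"]: o["spec"]["controllerName"]
               for o in objs if o["kind"] == "GatewayClass"}
    return {o["metadata"]["name"]: PLANE_BY_CONTROLLER.get(classes.get(o["spec"]["gatewayClassName"]))
            for o in objs if o["kind"] == "Gateway"}


def lint(objs, internal_hosts):
    """Findings that would otherwise surface as silently dropped or exposed routes."""
    planes = gateway_planes(objs)
    findings = [f"{gw}: GatewayClass does not map to a known controller"
                for gw, plane in planes.items() if plane is None]
    for r in (o for o in objs if o["kind"] == "HTTPRoute"):
        name = r["metadata"]["name"]
        refs = [p["name"] for p in r["spec"].get("parentRefs", [])]
        if any(ref not in planes for ref in refs):
            findings.append(f"{name}: parentRef to a Gateway that does not exist")
            continue
        ref_planes = {planes[ref] for ref in refs}
        if len(ref_planes) > 1:  # each controller only honours its own class
            findings.append(f"{name}: attached to both planes; split into two routes")
        if "internet" in ref_planes and any(h in internal_hosts for h in r["spec"].get("hostnames", [])):
            findings.append(f"{name}: internal hostname attached to the public ALB gateway")
    return findings


def teardown_order(objs, cluster_name):
    """Routes, then gateways, then the cluster, so each controller can release its AWS resources."""
    routes = [("HTTPRoute", o["metadata"]["name"]) for o in objs if o["kind"] == "HTTPRoute"]
    gateways = [("Gateway", o["metadata"]["name"]) for o in objs if o["kind"] == "Gateway"]
    return routes + gateways + [("EKSCluster", cluster_name)]


if __name__ == "__main__":
    print(lint(MANIFESTS, {"cart.api.example.com"}) or "clean")
    print(teardown_order(MANIFESTS, "edge-cluster"))
```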
Comparing EKS Control Plane and Load Balancer Costs Across Cloud Providers
Standard Amazon EKS control plane pricing sits at $0.10 per hour, matching Google GKE rates while exceeding the free tier offered by Azure AKS. This baseline cost remains constant regardless of traffic volume, forcing operators to optimize variable expenses elsewhere. The real financial divergence appears in data plane components where AWS charges $0.025 per hour for Application Load Balancers, a rate five times higher than Azure's starting $0.005 per hour. High-frequency microservice architectures facing thousands of hourly rotations see these differences compound rapidly into significant operational expenditure gaps.
| Cost Component | AWS EKS | Google GKE | Azure AKS |
|---|---|---|---|
| Control Plane | $0.10/hour | $0.10/hour | Free Tier |
| L7 Load Balancer | $0.025/hour | Variable | $0.005/hour |
| Managed Service Depth | Dual Controllers | Integrated | Native |
AWS implements Gateway API through two distinct controllers, requiring careful selection to avoid provisioning expensive public ALBs for internal traffic. Misapplying the AWS Load Balancer Controller to east-west communication inflates costs without adding security value compared to VPC Lattice. Google differentiates its offering through a premium-tier global network rather than controller separation, altering the total cost of ownership calculation for multi-region deployments. Operators must delete Gateway resources before tearing down the cluster. Architectural errors carry an immediate cost penalty measured in hourly billing cycles.
Defining the Dual-Controller Migration Path for AWS Load Balancer Controller
Updating the AWS Load Balancer Controller to v2.14.0+ enables simultaneous Ingress API and Gateway API processing without service interruption.
- Install the standard Gateway API CRDs into the cluster to expose the required custom resource definitions.
- Deploy new traffic flows using HTTPRoute objects while legacy Ingress resources continue functioning unchanged.
- Migrate existing services individually by creating equivalent Gateway and HTTPRoute configurations alongside the old definitions.
- Delete the obsolete Ingress objects only after validating the new routing paths.
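The per-service step above, creating an equivalent `HTTPRoute` beside the existing Ingress, can be mechanised. The converter below is an added example, not code from the article or from the AWS controllers; the Ingress is a constructed sample and the Gateway name is an assumption. It also handles a caveat the list does not mention: `HTTPRoute` hostnames apply to every rule in the route, so each Ingress host rule becomes its own `HTTPRoute`, while TLS stays on the `Gateway` listener.

```python
"""Translate a networking.k8s.io/v1 Ingress into equivalent HTTPRoute objects.

Added example, not code from the article or from the AWS controllers. The
Ingress below is a constructed sample; the Gateway name is an assumption.
"""
# Ingress pathType -> HTTPRoute path match type. ImplementationSpecific
# (controller-defined regex and similar) has no portable equivalent and is rejected.
PATH_TYPES = {"Prefix": "PathPrefix", "Exact": "Exact"}

SAMPLE_INGRESS = {  # constructed sample
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop", "namespace": "retail"},
    "spec": {"rules": [{"host": "shop.api.example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "shop", "port": {"number": 8080}}}},
        {"path": "/healthz", "pathType": "Exact",
         "backend": {"service": {"name": "shop", "port": {"number": 8080}}}},
    ]}}]},
}


def _rules_for(paths):
    """One HTTPRoute rule per Ingress path; raises on an untranslatable pathType."""
    rules = []
    for p in paths:
        match_type = PATH_TYPES.get(p.get("pathType"))
        if match_type is None:
            raise ValueError(f"pathType {p.get('pathType')!r} on {p['path']} "
                             "needs a manual rewrite")
        svc = p["backend"]["service"]
        rules.append({
            "matches": [{"path": {"type": match_type, "value": p["path"]}}],
            "backendRefs": [{"name": svc["name"], "port": svc["port"]["number"]}],
        })
    return rules


def ingress_to_httproutes(ingress, gateway_name, gateway_namespace=None):
    """Return HTTPRoute dicts, one per Ingress rule, all attached to the same Gateway."""
    parent = {"name": gateway_name}
    if gateway_namespace:
        parent["namespace"] = gateway_namespace
    meta = ingress["metadata"]
    ingress_rules = ingress["spec"].get("rules", [])
    routes = []
    for i, rule in enumerate(ingress_rules):
        name = meta["name"] if len(ingress_rules) == 1 else f"{meta['name']}-{i}"
        spec = {"parentRefs": [parent],
                "rules": _rules_for(rule.get("http", {}).get("paths", []))}
        if rule.get("host"):  # a host-less Ingress rule matches any hostname
            spec["hostnames"] = [rule["host"]]
        routes.append({"apiVersion": "gateway.networking.k8s.io/v1",
                       "kind": "HTTPRoute",
                       "metadata": {"name": name,
                                    "namespace": meta.get("namespace", "default")},
                       "spec": spec})
    return routes
```

Apply the generated objects alongside the Ingress, verify the new path, then delete the Ingress as the final step in the list above.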
Full general availability features require upgrading to v3.0.0+, which stabilizes the dual-controller implementation for production workloads. This coexistence model eliminates the big-bang migration risk often cited in platform modernization projects. Operators must manage two distinct configuration schemas during the transition window, increasing the cognitive load on networking teams. The parallel operation consumes additional controller cycles to reconcile both resource types, potentially delaying status updates during high-churn events.
Execute `curl com` to confirm AWS Load Balancer Controller provisions the ALB and terminates TLS via.
- Run the external ingress test from a local workstation to validate public endpoint availability and certificate chain integrity.
- Exec into the shop pod and trigger `curl com` to verify cross-cluster routing through the VPC Lattice service network.
- Inspect controller logs to ensure the VPC Lattice Gateway API Controller resolved the destination without requiring VPC peering or Transit Gateway attachments.
This second test confirms that internal service discovery functions across cluster boundaries using standard DNS rather than complex mesh sidecars. Deleting HTTPRoute resources before removing the cluster prevents orphaned load balancers and unexpected charges. The retirement of Ingress NGINX in March 2026 makes this validation discipline mandatory for production stability. Successful execution proves the unified interface standardization eliminates configuration fragmentation between edge and mesh layers. Cross-AZ data transfer incurs $0.01/GB, so validating shortest-path routing within the service network optimizes variable spend.
Enforce TLS termination using ACM certificates for both public ALBs and private VPC Lattice endpoints to prevent plaintext transmission.
- Provision managed certificates or apply ACM's Private Certificate Authority.
- Attach IAM-based auth policies to every VPC Lattice service, restricting east-west traffic to verified identities rather than open CIDR blocks.
- Enable access logging by routing telemetry streams to Amazon S3 or CloudWatch Logs for forensic analysis of denied requests.
| Requirement | Configuration Target | Operational Impact |
|---|---|---|
| Encryption | ACM / PCA | Eliminates man-in-the-middle risks |
| Identity | IAM Auth Policies | Replaces IP-based allowlists |
| Telemetry | Kinesis Data Firehose | Enables real-time anomaly detection |
| Durability | Multi-AZ Nodes | Survives zone-wide power loss |
Skipping IAM auth policies leaves internal APIs exposed to any compromised pod within the VPC. InterLIR recommends validating auth policies in staging before production rollout to prevent legitimate service-to-service calls from failing.
About
Alexander Timokhin, CEO of InterLIR, brings deep expertise in IT infrastructure and network resource management to the discussion on Gateway API. While InterLIR specializes in optimizing IPv4 address availability, Timokhin's daily work involves solving complex networking challenges for global enterprises. This hands-on experience with IP allocation and BGP routing provides a unique perspective on the operational efficiencies offered by unified API standards. As organizations migrate to Amazon EKS, the ability to simplify ingress and service-to-service communication via Gateway API directly impacts how efficiently network resources like IP addresses are utilized. Timokhin connects these dots by highlighting how reducing API fragmentation lowers overhead for teams managing critical cloud infrastructure. His leadership at InterLIR, focused on transparency and efficiency in network services, highlights the importance of adopting standardized tools like AWS Load Balancer Controller to maximize resource utility in modern Kubernetes environments.
Conclusion
Gateway API standardization solves configuration drift, but hidden data plane costs break budgets at scale. While control plane fees remain static across providers, the cumulative expense of high-frequency L7 routing on AWS creates a structural tax that erodes margins for chatty microservices. This operational overhead compounds silently as traffic volumes grow, making architecture decisions based solely on control plane parity a dangerous oversimplification. Teams must shift focus from initial deployment ease to sustained throughput economics before locking into a single vendor's data plane model.
Adopt Gateway API for its portability benefits, but mandate a cost-per-request audit within six months of production launch. If your average request size stays under a small threshold and call frequency exceeds 10,000 per second, the current ALB pricing model becomes unsustainable compared to alternative mesh topologies. Do not wait for the quarterly bill to reveal these inefficiencies; proactive modeling is the only defense against margin compression.
Start by instrumenting request cardinality this week using existing access logs to calculate your true cost-per-call across zones. Compare this metric against your projected Q4 traffic volume to determine if a hybrid approach using cheaper internal routing mechanisms is necessary before your next scaling event.
Frequently Asked Questions
EKS costs roughly $73 monthly while AKS control planes are free. This pricing gap significantly impacts total ownership expenses for large-scale cluster deployments running continuously throughout the month.
AWS charges $0.025 per hour, which is five times higher than Azure's rate. This substantial difference accumulates quickly for high-frequency microservice architectures requiring multiple active load balancers.
Skipping deletion leaves load balancers active and billing continues indefinitely. Operators must remove HTTPRoute and Gateway objects first to ensure controllers cleanly terminate underlying AWS resources and stop charges.
Running dual controllers consumes more control plane resources than single-purpose setups. This architectural choice trades increased infrastructure overhead for reduced developer cognitive load regarding distinct routing configurations.
Data transfer egress outside AWS is charged at $0.09 per GB. This rate slightly exceeds Azure's outbound networking costs, impacting budgets for applications with heavy external traffic volumes.