NGINX Gateway Fabric 2.2: Modern Kubernetes Application Delivery
NGINX has released Gateway Fabric 2.2, representing a significant milestone in Kubernetes application delivery and modern workload support. This release focuses on advancing Kubernetes-native networking, with particular emphasis on supporting modern application patterns including Large Language Model (LLM) inference workloads. NGINX Gateway Fabric combines the power of the proven NGINX data plane with the flexibility and standardization of the Kubernetes Gateway API.
NGINX Gateway Fabric is NGINX’s official implementation of the Kubernetes Gateway API, providing a production-ready, high-performance solution for managing ingress traffic in Kubernetes clusters. Built on NGINX’s battle-tested data plane, it offers the reliability and performance that organizations expect from NGINX while embracing the modern Gateway API standard.
- Gateway API Compliant: Full implementation of Gateway API specifications
- NGINX Data Plane: Leverages proven NGINX technology
- Production Ready: Battle-tested in production environments
- High Performance: NGINX’s renowned performance and efficiency
- Feature Rich: Advanced traffic management capabilities
- Kubernetes Native: Designed from the ground up for Kubernetes
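To ground these characteristics, a minimal Gateway plus HTTPRoute pair looks like the following (all resource and service names here are illustrative; `nginx-gateway` is the GatewayClass installed with Gateway Fabric):

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: demo-gateway
spec:
  gatewayClassName: nginx-gateway  # GatewayClass created at install time
  listeners:
  - name: http
    protocol: HTTP
    port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route
spec:
  parentRefs:
  - name: demo-gateway
  rules:
  - backendRefs:
    - name: demo-service  # any ClusterIP Service in the same namespace
      port: 80
```

With no `matches` specified, the rule forwards all traffic on the listener to the backend Service.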
One of the most significant additions in 2.2 is the Gateway API Inference Extension, designed specifically for LLM inference workloads and modern AI/ML applications.
The Inference Extension enables intelligent routing for inference workloads:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: llm-inference-route
spec:
  parentRefs:
  - name: production-gateway
  hostnames:
  - api.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /inference
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: InferencePolicy
        name: llm-inference-policy
    backendRefs:
    - name: llm-inference-service
      port: 8080
---
apiVersion: gateway.nginx.org/v1alpha1
kind: InferencePolicy
metadata:
  name: llm-inference-policy
spec:
  timeout: 300s
  maxConcurrentRequests: 10
  retryPolicy:
    maxRetries: 3
    retryOn:
    - timeout
    - 5xx
  loadBalancing:
    strategy: least_connections
    stickySession: true
```
- Extended Timeouts: Support for long-running inference requests
- Concurrent Request Limits: Manage resource-intensive workloads
- Intelligent Retry Logic: Handle transient failures gracefully
- Connection Pooling: Efficient connection management
- Streaming Support: Real-time response streaming for LLM outputs
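The features above could be combined in a single policy. Note that this sketch reuses the illustrative `InferencePolicy` CRD from the previous example, and the `streaming` stanza in particular is a hypothetical field shown only to indicate the shape such configuration takes:

```yaml
apiVersion: gateway.nginx.org/v1alpha1
kind: InferencePolicy
metadata:
  name: streaming-chat-policy
spec:
  timeout: 600s              # long-running token generation
  maxConcurrentRequests: 4   # GPU-bound backends saturate quickly
  streaming:                 # hypothetical stanza: disable response buffering
    enabled: true            # so tokens reach clients as they are generated
```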
Gateway Fabric 2.2 includes improved integration with Red Hat OpenShift:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: openshift-gateway
  namespace: openshift-ingress
spec:
  gatewayClassName: nginx-gateway
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            network.openshift.io/policy-group: ingress
```
- Seamless Migration: Easier migration from OpenShift Router
- Route Compatibility: Support for OpenShift Route resources
- Security Context: Better integration with OpenShift security policies
- Multi-tenancy: Enhanced support for OpenShift projects
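To make Route compatibility concrete, here is how a typical OpenShift Route maps onto an HTTPRoute attached to the Gateway above (application names are illustrative):

```yaml
# An existing OpenShift Route...
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: webapp
spec:
  host: webapp.apps.example.com
  to:
    kind: Service
    name: webapp
  port:
    targetPort: 8080
---
# ...and the equivalent HTTPRoute attached to the NGINX gateway
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webapp
spec:
  parentRefs:
  - name: openshift-gateway
    namespace: openshift-ingress
  hostnames:
  - webapp.apps.example.com
  rules:
  - backendRefs:
    - name: webapp
      port: 8080
```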
Gateway Fabric 2.2 introduces enhanced traffic management capabilities:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: canary-deployment
spec:
  parentRefs:
  - name: production-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: stable-service
      port: 80
      weight: 90
    - name: canary-service
      port: 80
      weight: 10
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: TrafficSplitPolicy
        name: canary-policy
---
apiVersion: gateway.nginx.org/v1alpha1
kind: TrafficSplitPolicy
metadata:
  name: canary-policy
spec:
  healthChecks:
    enabled: true
    interval: 10s
    timeout: 5s
  failover:
    enabled: true
    threshold: 5
```
Request mirroring copies live traffic to a shadow backend, which is useful for testing a new version against production traffic without affecting responses:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mirroring-route
spec:
  parentRefs:
  - name: production-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: RequestMirror
      requestMirror:
        backendRef:
          name: shadow-service
          port: 8080
    backendRefs:
    - name: production-service
      port: 80
```
Rate limiting protects APIs from abusive clients and traffic spikes:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: rate-limited-route
spec:
  parentRefs:
  - name: production-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: RateLimitPolicy
        name: api-rate-limit
---
apiVersion: gateway.nginx.org/v1alpha1
kind: RateLimitPolicy
metadata:
  name: api-rate-limit
spec:
  rate: 100
  period: 1s
  burst: 50
  key: "${remote_addr}"
  zones:
  - name: api_zone
    size: 10m
    rate: 100r/s
```
Mutual TLS (mTLS) can be enforced at a listener by validating client certificates against a trusted CA:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: secure-gateway
spec:
  gatewayClassName: nginx-gateway
  listeners:
  - name: https-mtls
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: server-cert
      frontendValidation:
        caCertificateRefs:
        - group: ""
          kind: ConfigMap
          name: client-ca-cert
    allowedRoutes:
      namespaces:
        from: All
```
A Web Application Firewall (WAF) policy can be attached to individual routes:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: waf-protected-route
spec:
  parentRefs:
  - name: production-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: WAFPolicy
        name: waf-policy
    backendRefs:
    - name: web-service
      port: 80
---
apiVersion: gateway.nginx.org/v1alpha1
kind: WAFPolicy
metadata:
  name: waf-policy
spec:
  enabled: true
  mode: blocking
  rules:
  - id: 1001
    enabled: true
  - id: 1002
    enabled: true
  customRules:
  - rule: 'SecRule REQUEST_URI "@contains /admin" "id:9001,deny,status:403"'
```
Gateway Fabric 2.2 provides comprehensive metrics:
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: nginx-gateway-metrics
  namespace: nginx-gateway
spec:
  selector:
    matchLabels:
      app: nginx-gateway-fabric
  endpoints:
  - port: metrics
    interval: 30s
    path: /metrics
```
Metrics include:
- Request Rates: Requests per second by route, hostname, status code
- Latency: P50, P95, P99 latency percentiles
- Error Rates: 4xx and 5xx error rates
- Connection Metrics: Active connections, connection rates
- Backend Metrics: Backend health, response times
- SSL/TLS Metrics: Certificate expiration, handshake failures
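With these metrics in Prometheus, dashboards and alerts reduce to a few queries. The exact metric names vary by version, so treat the names below as illustrative and confirm them against the /metrics endpoint:

```promql
# Requests per second, broken down by status code
sum by (status) (rate(nginx_gateway_fabric_http_requests_total[5m]))

# P95 request latency
histogram_quantile(0.95,
  sum by (le) (rate(nginx_gateway_fabric_http_request_duration_seconds_bucket[5m])))

# 5xx error ratio
sum(rate(nginx_gateway_fabric_http_requests_total{status=~"5.."}[5m]))
  / sum(rate(nginx_gateway_fabric_http_requests_total[5m]))
```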
Distributed tracing can be configured per route:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: traced-route
spec:
  parentRefs:
  - name: production-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: TracingPolicy
        name: tracing-config
---
apiVersion: gateway.nginx.org/v1alpha1
kind: TracingPolicy
metadata:
  name: tracing-config
spec:
  enabled: true
  samplingRate: 0.1
  traceIdHeader: "x-trace-id"
  spanIdHeader: "x-span-id"
  exporter:
    type: jaeger
    endpoint: http://jaeger-collector:14268/api/traces
```
Installation is straightforward with Helm:

```bash
# Add Helm repository
helm repo add nginx-gateway-fabric https://nginxinc.github.io/nginx-gateway-fabric-helm-charts
helm repo update

# Install NGINX Gateway Fabric
helm install nginx-gateway-fabric nginx-gateway-fabric/nginx-gateway-fabric \
  --namespace nginx-gateway \
  --create-namespace \
  --version 2.2.0

# Verify installation
kubectl get pods -n nginx-gateway
kubectl get gatewayclass
```
The underlying NGINX configuration can be tuned via a ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-gateway-config
  namespace: nginx-gateway
data:
  nginx.conf: |
    worker_processes auto;

    events {
      use epoll;
      multi_accept on;
      worker_connections 1024;
    }

    http {
      keepalive_timeout 65;
      keepalive_requests 100;

      # Logging
      log_format main '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
      access_log /var/log/nginx/access.log main;
      error_log /var/log/nginx/error.log warn;
    }
```
Set resource requests and limits appropriate for your traffic levels:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-gateway-fabric
  namespace: nginx-gateway
spec:
  template:
    spec:
      containers:
      - name: nginx-gateway-fabric
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
          limits:
            cpu: 2000m
            memory: 2Gi
```
Gateway Fabric 2.2 excels at routing traffic to LLM inference services:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: llm-api-route
spec:
  parentRefs:
  - name: production-gateway
  hostnames:
  - llm-api.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1/chat
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: InferencePolicy
        name: chat-inference
    backendRefs:
    - name: chat-llm-service
      port: 8080
      weight: 70
    - name: chat-llm-service-gpu
      port: 8080
      weight: 30
  - matches:
    - path:
        type: PathPrefix
        value: /v1/completions
    filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.nginx.org
        kind: InferencePolicy
        name: completion-inference
    backendRefs:
    - name: completion-llm-service
      port: 8080
```
```yaml
# Gateway for tenant isolation
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tenant-gateway
  namespace: gateway-system
spec:
  gatewayClassName: nginx-gateway
  listeners:
  - name: tenant-http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            tenant: enabled
```

```yaml
# Tenant-specific route (the tenant-a Namespace must carry the
# label tenant=enabled to be selected by the Gateway above)
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tenant-a-route
  namespace: tenant-a
spec:
  parentRefs:
  - name: tenant-gateway
    namespace: gateway-system
  hostnames:
  - tenant-a.example.com
  rules:
  - backendRefs:
    - name: tenant-a-service
      port: 80
```
Header-based matching enables A/B testing alongside a weighted canary default:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: ab-test-route
spec:
  parentRefs:
  - name: production-gateway
  rules:
  # A/B test based on header
  - matches:
    - headers:
      - name: x-test-variant
        value: "A"
    backendRefs:
    - name: variant-a-service
      port: 80
  - matches:
    - headers:
      - name: x-test-variant
        value: "B"
    backendRefs:
    - name: variant-b-service
      port: 80
  # Default: weighted canary
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: stable-service
      port: 80
      weight: 90
    - name: canary-service
      port: 80
      weight: 10
```
Path prefixes make API versioning straightforward:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-versioning
spec:
  parentRefs:
  - name: production-gateway
  hostnames:
  - api.example.com
  rules:
  # v2 API - latest
  - matches:
    - path:
        type: PathPrefix
        value: /v2
    backendRefs:
    - name: api-v2-service
      port: 8080
  # v1 API - legacy support
  - matches:
    - path:
        type: PathPrefix
        value: /v1
    backendRefs:
    - name: api-v1-service
      port: 8080
  # Default routing
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        hostname: docs.example.com
        path:
          type: ReplaceFullPath
          replaceFullPath: /api/v2
        statusCode: 301
```
Gateway Fabric 2.2 delivers exceptional performance:
- High Throughput: Handles millions of requests per second
- Low Latency: Sub-millisecond request processing
- Efficient Resource Usage: Minimal CPU and memory footprint
- Connection Handling: Supports hundreds of thousands of concurrent connections
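To sustain these numbers under variable load, the Gateway Fabric deployment can be scaled horizontally with a standard HorizontalPodAutoscaler; the thresholds below are illustrative starting points:

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-gateway-fabric
  namespace: nginx-gateway
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-gateway-fabric
  minReplicas: 3
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70  # scale out before CPU saturation
```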
Run multiple replicas with a zero-downtime rollout strategy for high availability:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-gateway-fabric
  namespace: nginx-gateway
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    spec:
      containers:
      - name: nginx-gateway-fabric
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
          limits:
            cpu: 2000m
            memory: 2Gi
```
Load-balancing behavior and backend health checking can be tuned with a policy resource:

```yaml
apiVersion: gateway.nginx.org/v1alpha1
kind: LoadBalancingPolicy
metadata:
  name: lb-policy
spec:
  strategy: least_connections
  healthChecks:
    enabled: true
    interval: 10s
    timeout: 5s
    unhealthyThreshold: 3
    healthyThreshold: 2
```
cert-manager can automate certificate issuance and renewal; the Gateway then references the Secret that cert-manager creates:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  secretName: example-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: production-gateway
spec:
  gatewayClassName: nginx-gateway
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: example-tls
        namespace: cert-manager
```
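Because the certificate reference above crosses namespaces (the Gateway reads a Secret that lives in `cert-manager`), the Gateway API requires a ReferenceGrant in the Secret's namespace. A sketch, assuming the Gateway lives in `default`:

```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-gateway-to-tls-secret
  namespace: cert-manager   # namespace that holds the Secret
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: default      # namespace of the Gateway (assumed)
  to:
  - group: ""
    kind: Secret
```

Without this grant, the listener reports an invalid certificate reference and refuses to serve TLS.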
Scrape metrics with a Prometheus Operator ServiceMonitor:

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: nginx-gateway
  namespace: nginx-gateway
spec:
  selector:
    matchLabels:
      app: nginx-gateway-fabric
  endpoints:
  - port: metrics
    interval: 30s
    path: /metrics
```
Organize Gateways by purpose and environment:
```yaml
# Production Gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: gateway-system
  labels:
    environment: production
spec:
  gatewayClassName: nginx-gateway
```

```yaml
# Staging Gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: staging-gateway
  namespace: gateway-system
  labels:
    environment: staging
spec:
  gatewayClassName: nginx-gateway
```
Use consistent naming conventions:
```yaml
# Pattern: <app>-<environment>-route
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webapp-prod-route
  namespace: production
spec:
  parentRefs:
  - name: prod-gateway
```
Harden listeners with explicit TLS protocol and cipher settings:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: secure-gateway
spec:
  gatewayClassName: nginx-gateway
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      options:
        gateway.nginx.org/ssl-ciphers: "HIGH:!aNULL:!MD5"
        gateway.nginx.org/ssl-protocols: "TLSv1.2 TLSv1.3"
      certificateRefs:
      - name: tls-cert
```
For organizations migrating from NGINX Ingress Controller:
1. Install Gateway Fabric: Deploy alongside the existing Ingress Controller
2. Create Gateway Resources: Set up Gateway instances
3. Convert Ingress to HTTPRoute: Migrate routes gradually
4. Test Thoroughly: Validate functionality before shifting traffic
5. Switch Traffic: Gradually shift traffic to the new Gateways
6. Remove Ingress Controller: Decommission once migration is complete
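The conversion step is largely mechanical. Here is a typical Ingress and its HTTPRoute equivalent side by side (application and gateway names are illustrative):

```yaml
# A typical Ingress resource...
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
spec:
  ingressClassName: nginx
  rules:
  - host: webapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webapp
            port:
              number: 80
---
# ...and its HTTPRoute equivalent
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webapp
spec:
  parentRefs:
  - name: prod-gateway   # replaces the ingressClassName binding
  hostnames:
  - webapp.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: webapp
      port: 80
```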
NGINX Gateway Fabric 2.2 represents a significant advancement in Kubernetes application delivery, particularly with its support for modern workloads like LLM inference. The combination of NGINX’s proven data plane with Gateway API standards provides organizations with a powerful, flexible, and future-proof solution for managing ingress traffic.
Key highlights of Gateway Fabric 2.2:
- LLM Inference Support: Gateway API Inference Extension for AI/ML workloads
- OpenShift Integration: Enhanced support for Red Hat OpenShift
- Advanced Traffic Management: Sophisticated routing and load balancing
- Security Enhancements: mTLS, WAF, and comprehensive security features
- Observability: Rich metrics and distributed tracing support
- Production Ready: Battle-tested and optimized for scale
As organizations continue to adopt modern application patterns and migrate from traditional Ingress controllers, NGINX Gateway Fabric 2.2 provides a compelling solution that combines the best of both worlds: NGINX’s performance and reliability with Gateway API’s flexibility and standardization.
For more information about NGINX Gateway Fabric 2.2, visit the NGINX Gateway Fabric documentation and NGINX blog.