Introduction

In November 2025, it was announced the NGINX Ingress Controller is being officially retired. The Kubernetes SIG Network and Security Response Committee announced that the project will enter best-effort maintenance until March 2026, after which it will receive no further updates or security patches.

Why is NGINX Ingress Controller Being Deprecated?

Ingress-NGINX has always been a popular ingress controller among the user base, but it has struggled to have a large enough maintainer team. The baked-in flexibility has, over time, introduced security bugs causing more work and technical debt for the team.

Alongside these project issues, Kubernetes has started to focus on Gateway API as a long term replacement for Ingress API due to its design with stronger governance, clearer separation of roles, and better extensibility.

Support Timeline

After March 2026, existing deployments will continue to function, but you’ll be running unsupported software. No further security fixes or CVE patches are planned, so any newly discovered vulnerabilities will remain unaddressed, potentially putting your cluster and applications at risk.

What This Means for Azure AKS Users

So if you are running AKS what’s next?

1. AKS doesn’t install NGINX Ingress by default – Azure Kubernetes Service does not deploy with Ingress-NGINX by default, but it can be installed manually or has been offered via a Managed Add-On where Microsoft manages the upgrade process.

If you’re running the Managed Add-On, Microsoft has committed to supporting it until November 2026, but regardless I believe it is still best to check your clusters to understand your position.

2. You need to audit your clusters – Run the following command to check if you’re using NGINX Ingress Controller:

kubectl get pods \
  --all-namespaces \
  --selector app.kubernetes.io/name=ingress-nginx

3. Azure offers supported alternatives – Azure provides several ingress options that are actively developed:

• Application Gateway for Containers (AGC) – A managed, Gateway API-based ingress and L7 load balancer that runs inside your cluster. As of November 2025, AGC is generally available and includes built-in Web Application Firewall (WAF) support. This addresses one of my main concerns, so will be looking into it in another blog soon.

• AKS Application Routing add-on – A managed add-on that deploys a managed Ingress NGINX, which is currently supported until November 2026 with critical security fixes. In the first half of 2026, the AKS team will also be bringing an update using the Istio control plane and Gateway API.

Kubernetes Gateway API

The Kubernetes SIG recommends migrating to Gateway API or an alternative Ingress Controller.

Gateway API

As mentioned earlier, the Gateway API has several improvements over the traditional Ingress controller:

• Role-oriented design: Clear separation of concerns between infrastructure providers, cluster operators, and application developers.
• Extensibility: Allows for custom resources to be linked at different layers of the API.
• Expressive: Gateway API provides built-in core capabilities such as header-based matching, traffic weighting, and other capabilities only possible using custom annotations in Ingress.
• Portable/Standardised: Like Ingress, Gateway API is designed to be a universal specification, supported by many implementations.

Azure’s Application Gateway for Containers

For AKS users, Microsoft provides Application Gateway for Containers (AGC) a Layer 7 Load Balancer and Traffic Manager, this is an evolution of the Application Gateway Ingress Controller (AGIC). Application Gateway for Containers offers new features like Gateway API support and traffic splitting. At time of writing AGC is available in approximately 30 regions, so best check whether the availability in your target region.

Alternative Options

While Gateway API feels like the best migration option if it works for you, there are other options available still:

1. Managed NGINX Ingress (AKS add-on) - Azure offers a managed NGINX ingress add-on for AKS as Application Routing, as previously mentioned it will continue to get critical security fixes until November 2026 but this feels like a transitional option to buy you time before implementing . It still relies on the Ingress resource and only gets security patches after March next year. Next year there should be Application Routing with Gateway API but that would will need some migration planning when it goes GA.

2. Other Ingress Controllers - Third party ingress controllers like Istio are also available, most of these projects are also focusing on Gateway API support, so even if you choose a controller, you are best to still plan around Gateway API resources.

Conclusion

So, in conclusion, if you are using NGINX for ingress, audit your deployments and start planning your migration now to either an alternative Ingress Controller or Gateway API implementation.

Keeping up with changes is a constant with Kubernetes, and this is just another reminder that nothing stands still for too long.

Additional Resources

• Official Ingress NGINX Retirement Announcement
  Background, rationale, and official timelines for the Ingress-NGINX retirement.
• Gateway API Documentation
  Concepts, API reference, and implementation details for Gateway API.
• Migrating from Ingress to Gateway API Guide
  Step-by-step migration examples for common Ingress patterns.
• Azure Application Gateway for Containers Documentation
  Architecture, configuration, and deployment guidance for AGC on AKS.
• Azure NGINX update
  Azure’s perspective on the Ingress-NGINX retirement and recommended paths for AKS customers.