High-performance, cloud-native traffic management for Gateway API, Ingress, and beyond
The continuous shift toward containerization means businesses are migrating more complex, mission-critical workloads to Kubernetes. This trend necessitates traffic management solutions that support diverse protocols (such as TCP, UDP, HTTP, and gRPC) and sophisticated organizational architectures, while delivering exceptional performance and efficiency.
To address these modern cloud-native requirements, HAProxy Technologies today announced the public beta of the new HAProxy Unified Gateway for Kubernetes at KubeCon + CloudNativeCon North America 2025, where the company is a Diamond sponsor. HAProxy Unified Gateway is a free, open-source product dedicated to providing unified, high-performance, Kubernetes-native application routing for both Gateway API and Ingress – with a powerful enterprise implementation coming in 2026, integrated directly into the groundbreaking HAProxy Fusion Control Plane.
HAProxy Unified Gateway provides flexible protocol support, role-based access control, and a low-risk, gradual migration path for organizations moving from Ingress to Gateway API. Combined with HAProxy’s legendary performance and reliability, these key features support the needs of modern applications and evolving organizations.
Built on HAProxy’s 20+ years of open-source innovation, HAProxy Unified Gateway is designed to be the most dependable and scalable solution for cloud-native application delivery within the Kubernetes community.
Quick start
You can get the Docker image for HAProxy Unified Gateway’s beta release on Docker Hub, and contribute to the community project on GitHub.
In the GitHub project, you can find an example of how to deploy HAProxy Unified Gateway as well as examples of how to use various features.
If you want to learn how to set up HAProxy Unified Gateway with a GatewayClass, a new Gateway, and an HTTPRoute, you can see a step-by-step example with configuration in this article.
Why Kubernetes users need more than Ingress
For years, the Kubernetes Ingress standard has served a foundational role, but it is fundamentally unsuited to the demands of today’s complex, high-scale environments. The core limitations of Ingress controllers include:
Protocol constraints: Ingress typically lacks flexible protocol support, often restricting traffic to HTTP/S unless you use a workaround like vendor-specific ConfigMaps or port mapping. This inflexibility limits the types of applications – such as those relying on TCP or UDP – that can be easily migrated and managed behind a standard Ingress controller, slowing innovation and modernization.
Operational risk: The standard uses a single Ingress object for all configuration. This lack of “separation of concerns” or robust role-based access control (RBAC) forces organizations to either create operational bottlenecks by restricting management to one team or risk errors and conflicts by allowing multiple teams to modify the same resource. This design limits scalability and undermines the core Platform Engineering goal of enabling teams to operate safely with autonomy.
The Kubernetes Gateway API standard was created to resolve these architectural and operational deficits. While the Ingress API is not currently deprecated, the ecosystem’s focus on Gateway API means that further development of the Ingress standard is uncertain. As a result, while organizations see the opportunity to realize significant benefits by adopting Gateway API, many are simultaneously feeling pressure to replace existing (and sometimes large-scale) Ingress deployments faster than they might be comfortable with.
HAProxy Unified Gateway is engineered to leverage the modern Gateway API standard immediately, and relieve pressure on organizations with substantial Ingress deployments by providing unified support for both Ingress and Gateway API.
Simple adoption of the latest Kubernetes Gateway API standard
The core use case of HAProxy Unified Gateway lies in its support for the latest Kubernetes Gateway API, delivering the role-based access, flexibility, and portability required for cloud-native ecosystems.
Immediate multi-protocol flexibility
HAProxy Unified Gateway launches with crucial support for TCP and HTTP/S (including TLS termination) via its Gateway API implementation, a level of flexible protocol support that was challenging under the old Ingress standard. With future releases, we plan to make HAProxy Unified Gateway progressively conformant with the Gateway API specification, which includes supporting GRPCRoute and more. This flexibility empowers the community to quickly onboard a wider variety of application workloads, including legacy or specialized Layer 4 (L4) applications, which will accelerate modernization initiatives.
Additionally, the upcoming enterprise implementation via HAProxy Fusion and HAProxy Enterprise will support UDP for applications that prioritize real-time communication.
Role-based access control
The Gateway API’s role-oriented design is another significant benefit, resolving the complexity of the Ingress standard. HAProxy Unified Gateway implements RBAC through the Gateway API, which enables a clear separation of concerns among Cluster Operators, Infrastructure Providers, and Application Developers.
This design allows teams to safely share network infrastructure without direct coordination, centralizing control over the underlying Gateway while distributing flexibility to application teams to manage their own routing rules. This directly reduces operational complexity and lowers the risk of configuration errors and conflicts.
Low-risk migration from Ingress to Gateway API
HAProxy Unified Gateway is designed to solve the difficult choice faced by organizations migrating from Ingress to Gateway API (the "massive cut-over" versus the complex "gradual migration"). Our roadmap includes the future integration of both Ingress and Gateway API standards in a single HAProxy Unified Gateway instance (coming in 2026). This unification will provide a low-risk, gradual migration path with consistent management and centralized observability, eliminating the need to manage separate products from different vendors.
Challenge | HAProxy Unified Gateway’s solution | How this helps |
Limited to HTTP/S, requiring complex workarounds | Multi-protocol support (TCP and HTTP/S at launch) | Faster innovation; easily onboard specialized applications |
Single configuration object (no RBAC) | Role-based access control (RBAC) | Reduced operational complexity, and safer multi-team collaboration |
High risk during migration | Unified Ingress + Gateway API (coming in 2026) | Low-risk, gradual migration path with consistent management |
Unrivaled performance and efficiency
HAProxy Unified Gateway is built on the proven HAProxy core, widely recognized as the world’s fastest software load balancer. This foundation ensures HAProxy Unified Gateway brings industry-leading throughput, latency, and resource efficiency to Kubernetes traffic management using the Gateway API.
Performance as a cost lever
Low performance and efficiency significantly increase the cost of scalability in cloud-native deployments. An inefficient Gateway – like any inefficient component – directly increases resource consumption and, therefore, cloud costs.
However, the indirect consequences for the resilience of a Kubernetes cluster are perhaps even greater. A poorly performing Gateway, requiring more instances, results in more calls to the Kubernetes API, which can lead to synchronization problems and bring down an entire cluster – something to be avoided at all costs.
HAProxy Unified Gateway is cost-effective and resilient, delivering the exceptional performance and efficiency HAProxy is known for. The HAProxy core is proven to scale well, reaching over 2 million HTTPS requests per second on a single AWS Graviton2 instance. HAProxy is used by some of the world’s largest platforms to handle hundreds of billions of requests a day with low latency.
How is this possible? HAProxy uses a high-performance event-driven architecture; advanced multi-threading with thread groups and automatic CPU binding; and a task scheduler that balances high throughput with low latency. These core architectural choices translate directly into resource savings, enabling users to handle large-scale traffic with fewer (and smaller) machines.
This fundamental performance ensures HAProxy Unified Gateway can manage bigger and more demanding Kubernetes applications while reducing the total cost of ownership for cloud infrastructure.
Operational simplicity and reliability
HAProxy Unified Gateway is engineered to make Kubernetes networking simple and reliable, leveraging more than two decades of open-source expertise.
Streamlined deployment
To simplify implementation and management, HAProxy Unified Gateway deploys efficiently in a single Application Stack. This design minimizes the number of moving parts and reduces points of failure compared with products requiring multi-pod deployments.
Battle-tested reliability
HAProxy Unified Gateway’s reliability is underwritten by the HAProxy open-source core, which has been in continuous development and production use for 20+ years. The core is known for being extremely robust, built with extensive internal checks that prevent service outages and other failures. This foundation of reliability, trusted by the world’s leading platforms and public sector organizations, ensures dependability for the most critical traffic management needs.
Seamless path to enterprise evolution
HAProxy Unified Gateway is and always will remain a free, open-source product dedicated to the Kubernetes community and the adoption of the Gateway API standard. We encourage contribution and participation through our community channels.
For organizations whose requirements extend beyond a single Kubernetes cluster – such as global governance, multiple gateway classes and multi-cluster management, or centralized security – HAProxy Unified Gateway provides a seamless evolution path to a powerful enterprise solution.
The enterprise implementation of a unified Ingress/Gateway API capability will be introduced in 2026, integrated in HAProxy One – the world’s fastest application delivery and security platform. HAProxy One consists of HAProxy Enterprise (a flexible data plane), HAProxy Fusion (a scalable control plane), and HAProxy Edge (a secure edge network).
The enterprise implementation in HAProxy One will provide a natural extension of the open-source product, providing critical centralized capabilities without requiring users to completely rewrite their foundational traffic management layer. By migrating their Gateway API configuration seamlessly from the open-source HAProxy Unified Gateway to HAProxy One, users will gain the following benefits:
Universal traffic management: The ability to consolidate cloud-native traffic management (Gateway API and Ingress) with other methods – north-south and east-west – across any environment, including on-premises, multi-cloud, and multiple Kubernetes clusters (supporting Kubernetes federation initiatives).
Intelligent multi-layered security: Industry-leading edge security, including DDoS protection, bot management, global rate limiting, and a robust Web Application Firewall (WAF).
Centralized control plane: HAProxy Fusion provides centralized management, observability, and automation for all HAProxy Enterprise instances, along with high-performance service discovery, supporting the massive scale of large Kubernetes clusters.
This strategy ensures that the core, high-performance, Kubernetes-standard routing functionality remains free and open-source, while providing an enterprise upgrade path that delivers the platform consolidation and advanced security needed for more complex global deployments.
Example: deploying a Gateway and an HTTPRoute using HAProxy Unified Gateway
It’s simple to get started with HAProxy Unified Gateway. You can easily configure it to route traffic through Kubernetes. In this example, we will:
Define a
GatewayClassDeploy a
GatewayDeploy an
HTTPRoute
Step 1: Define a GatewayClass
First, you need to define a GatewayClass that your Gateway resources will use.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: haproxy
spec:
controllerName: gate.haproxy.org/hugThe GatewayClass is a similar construct to the Ingress class. The GatewayClass needs a name and a controller. The controllerName indicates that this GatewayClass belongs to HAProxy Unified Gateway (abbreviated here to “hug”). Every Gateway that uses this GatewayClass will also belong to the controller.
Step 2: Deploy a Gateway
After you have deployed the GatewayClass, you need to deploy a Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: hug-gateway
spec:
gatewayClassName: haproxy
listeners:
- name: http
port: 31080
protocol: HTTP
allowedRoutes:
kinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
hostname: "*.haproxy.local"The Gateway needs a name, it needs to be connected to our gatewayClassName, and it needs to contain at least one listener. In HAProxy terms, a listener is a Frontend that defines the port to listen to and the type of traffic it accepts.
Step 3: Deploy an HTTPRoute
After you have deployed the Gateway, you can deploy the HTTPRoute.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: route-hello-world-exact
spec:
parentRefs:
- name: hug-gateway
sectionName: http
hostnames:
- "exact.haproxy.local"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: hello-world
port: 8888The HTTPRoute needs a name, a Gateway, and routing rules. You can use parentRefs to show that this particular HTTPRoute is connected to our Gateway. Each rule also needs to specify at least one service to which this route will point traffic.
After you have deployed the HTTPRoute, you can safely check if the service is reachable through the controller.
Try HAProxy Unified Gateway today and share feedback on the beta release
The beta release of HAProxy Unified Gateway marks a pivotal moment in cloud-native traffic management. By adopting the Kubernetes Gateway API standard, HAProxy Unified Gateway eliminates the complexity and limitations of legacy Ingress resources while leveraging HAProxy’s legendary performance and two decades of experience.
HAProxy Unified Gateway delivers unified, high-performance, Kubernetes-native application routing backed by an incredible open-source community and provides a low-risk pathway toward modernizing Kubernetes networking.
The HAProxy Unified Gateway beta is now available for download on Docker Hub. We encourage the community to try the beta, explore the documentation, and actively contribute to the project to help shape the final v1.0 release (and beyond).
Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.
