The primary purpose of Consul’s ingress is to facilitate east-west service-to-service communication within a datacenter environment or region.
It can potentially also be used for user traffic, but it really depends on your requirements. Currently ingress gateways only support L4/L7 traffic routing, and TLS listeners which are secured with private certificates provisioned by the configured Connect CA (e.g, built-in, Vault, custom CA). If you require the ability to use TLS certificates from a publicly signed certificate authority, or features such as IP access lists, web application firewall (WAF), identity-aware proxying (JWT, OIDC, SAML), etc then you’ll need to use a third-party API Gateway or Proxy, like Ambassador.
I hope this helps. Let me know if I can provide any additional detail.