API Gateway (Spring Cloud Gateway)

In a microservices architecture, clients should not communicate directly with multiple services.

An API Gateway acts as a single entry point that receives all client requests and routes them to the appropriate backend microservices.

It works as a traffic controller, security layer, and cross-cutting concern handler, keeping microservices clean and loosely coupled.

What Is an API Gateway?

An API Gateway is a reverse proxy that sits between clients and backend microservices. It acts as a single entry point for all incoming requests and manages how those requests are handled inside the system.

Instead of clients communicating with multiple microservices directly, they send requests to the API Gateway, which then forwards them to the appropriate service.

An API Gateway typically handles:

• Request routing – Directs requests to the correct microservice
• Authentication & authorization – Validates tokens and access rights
• Load balancing – Distributes traffic across service instances
• Rate limiting & throttling – Protects services from overuse
• Request/response transformation – Modifies headers or payloads
• Monitoring, logging & tracing – Centralized observability

An API Gateway simplifies, secures, and manages communication between clients and microservices through a single, centralized entry point.

Why API Gateway Is Needed

In a microservices architecture, applications consist of many small, independent services. Without proper coordination, client communication quickly becomes complex and hard to manage. This is where an API Gateway becomes essential.

Without an API Gateway

When there is no API Gateway, clients must communicate with each microservice directly.

• Clients must know multiple service URLs
• Multiple network calls increase latency
• Authentication, logging, and rate limiting are duplicated across services
• Clients are tightly coupled to backend services
• Any change in services can break client integrations
• Scaling and evolving APIs becomes difficult

Direct Communication Example:

Client → Order Service
Client → Payment Service
Client → Inventory Service

This approach increases complexity on the client side and makes the system harder to maintain as it grows.

With an API Gateway

An API Gateway introduces a single entry point between clients and microservices.

Benefits:

• Clients communicate with one endpoint
• Gateway handles routing to internal services
• Centralized authentication, authorization, and rate limiting
• Unified logging, monitoring, and tracing
• Backend services stay private, secure, and independent
• Services can evolve without impacting clients

Gateway-Based Communication:

Client → API Gateway → Microservices

Clients remain simple, while microservices focus purely on business logic.

Key Responsibilities of API Gateway

An API Gateway acts as a single entry point for all client requests in a microservices system. It centralizes common responsibilities, keeping services simple and independent.

1. Request Routing

Directs requests to the correct microservice based on path or method.

Example routing rules:

/api/orders    → Order Service
/api/payments  → Payment Service
/api/users     → User Service

2. Load Balancing

Distributes traffic across healthy service instances using service discovery.

• Integrates with Eureka + Spring Cloud LoadBalancer
• Routes traffic only to healthy service instances
• Distributes load across multiple instances automatically

Gateway → Load Balancer → Service Instance

3. Security

Handles authentication (JWT/OAuth2) and authorization centrally.

• Authentication using JWT or OAuth2
• Authorization using roles and permissions
• Token validation
• Blocking unauthorized requests

📌 Backend services trust the gateway and stay simple.

4. Cross-Cutting Concerns

Manages logging, rate limiting, caching, request transformation, and tracing.

• Logging
• Rate limiting
• Caching
• Request/response transformation
• Header manipulation
• Correlation IDs for tracing

5. API Versioning

Supports multiple API versions without breaking clients.

/v1/orders
/v2/orders

Spring Cloud Gateway

Spring Cloud Gateway is the official API Gateway for Spring Boot microservices.

Key Features

• Built on Spring WebFlux (non-blocking, reactive)
• High performance & cloud-native
• Filter-based architecture
• Seamless integration with Eureka & LoadBalancer
• Ideal for modern microservices systems

Why Use Spring Cloud Gateway?

It offers a lightweight, flexible, and production-ready solution for routing, security, and traffic control in microservices architectures.

Core Concepts in Spring Cloud Gateway

Route – Where to Send the Request

A Route defines which service a request should go to.

A Route contains:

• Route ID
• URI (destination service)
• Predicates
• Filters

Predicate – When to Route

Predicates define conditions to match incoming requests.

Example:

predicates:
-Path=/orders/**
-Method=POST

➡ Route is selected only if all predicates match.

Filter – What to Do With Request/Response

Filters allow you to modify requests or responses before or after routing.

Common Filter Use Cases

• Add / remove headers
• Authentication & authorization
• Rate limiting
• Retry & fallback
• Logging & tracing
• Modify request/response body

High-Level Request Flow

Client
  ↓
API Gateway
  ↓
[ Predicates → Filters ]
  ↓
Target Microservice

Spring Cloud Gateway Setup

Dependency (Maven)

Add spring-cloud-starter-gateway to enable Spring Cloud Gateway in your project.

This provides routing, predicates, filters, and reactive support out of the box.

<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>

Gateway Application

The gateway is a regular Spring Boot application.

• @SpringBootApplication bootstraps the gateway
• SpringApplication.run() starts the gateway server
• This application acts as the single entry point for all microservices

@SpringBootApplication
publicclassApiGatewayApplication {
publicstaticvoidmain(String[] args) {
        SpringApplication.run(ApiGatewayApplication.class, args);
    }
}

Spring Cloud Gateway – Routing Configuration

application.yml

spring:
  cloud:
    gateway:
      routes:
        - id: order-service
          uri: lb://ORDER-SERVICE
          predicates:
            - Path=/orders/**
          filters:
            - AddRequestHeader=X-Gateway, SpringCloud

lb:// enables Eureka + Spring Cloud LoadBalancer

Predicates (When to Route)

Predicates define conditions for routing requests.

Example Usage in application.yml:

predicates:
  - Path=/orders/**
  - Method=POST

Filters (What to Do With Request/Response)

Filters allow you to intercept and modify HTTP requests or responses as they pass through the API Gateway.

Built-In Filters

• Add or remove HTTP headers
• Retry failed requests
• Rate limiting (protect backend services)
• Modify request or response body

Example: Add a Header

filters:
  - AddRequestHeader=X-Request-Source, API-Gateway
  - Retry=3

Custom Global Filter Example

@Component
public class LoggingFilter implements GlobalFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange,
                             GatewayFilterChain chain) {
        System.out.println("Request Path: " +
                exchange.getRequest().getPath());
        return chain.filter(exchange);
    }
}

• Executes for every request
• Can log, modify headers, or enforce custom rules

API Gateway + Eureka Integration

• Gateway registers with Eureka
• Discovers services dynamically
• Routes using service names, not hardcoded URLs

Flow Diagram:

Client → API Gateway → Eureka → Service Instance

Rate Limiting

• Prevents API abuse
• Protects backend services from overload
• Often Redis-based for distributed systems

Example: Redis Rate Limiter

filters:
  - name: RequestRateLimiter
    args:
      redis-rate-limiter.replenishRate: 10
      redis-rate-limiter.burstCapacity: 20

Explanation:

• replenishRate: Requests per second
• burstCapacity: Maximum burst of requests

Advantages of API Gateway

• Single entry point for all clients → simplifies routing
• Centralized security & policies → authentication, authorization, CORS
• Simplifies client logic → clients don’t need to know multiple service URLs
• Load balancing & fault tolerance → integrates with service discovery and resiliency tools
• Supports scalable microservices architecture → decouples services from clients

Disadvantages of API Gateway

• Single point of failure → mitigate with HA, clustering, or multiple instances
• Extra network hop → may introduce latency
• Configuration complexity → managing predicates, filters, and routes can grow challenging

Best Practices

• Keep gateway lightweight
• Never add business logic
• Use non-blocking, reactive APIs
• Combine with Resilience4j (Circuit Breaker, Retry)
• Secure gateway using OAuth2/JWT
• Monitor latency, logs, and metrics

API Gateway vs Direct Service Calls

API Gateway vs Service Discovery

👉 They complement each other, not replace each other.

Real-World Example: E-Commerce Microservices

Client
  ↓
API Gateway
  ├── /orders     → Order Service
  ├── /payments   → Payment Service
  └── /inventory  → Inventory Service

Gateway handles:

• JWT validation
• Routing
• Rate limiting
• Load balancing

Key Takeaways

• API Gateway = Front door of microservices
• Centralizes routing, security, monitoring
• Simplifies client communication
• Protects backend services
• Essential for production-grade microservices

Conclusion

API Gateway is the nervous system of microservices architecture.

It enables:

• Independent scaling
• Centralized security
• Safe evolution of services
• Resilient, cloud-native systems

👉 API Gateway + Eureka + LoadBalancer = Scalable Microservices Architecture