API Gateway: Concepts, Functional and Non‑Functional Requirements

Concept

An API Gateway (API GW) is a unified entry point that exposes internal service interfaces to external clients, acting as the system's sole entrance. It is not exclusive to microservices; similar gateway concepts have existed in banking and securities as front‑end systems.

From an object‑oriented perspective, an API Gateway resembles the Facade pattern, encapsulating internal architecture and providing customized APIs for each client, while also handling authentication, monitoring, load balancing, caching, request splitting, static responses, traffic control, logging, retries, circuit breaking, and more.

In microservice scenarios, the gateway remains the entry point, handling all cross‑cutting concerns.

Functional Requirements

Routing

Microservice architectures consist of multiple services each exposing a subset of APIs. The gateway must determine which service should handle an incoming request and route it accordingly, with dynamic rule configuration to avoid frequent restarts.

Load Balancing

Each service is typically deployed in a cluster for availability. After routing selects the target service, the gateway must balance requests across its instances. Dynamic algorithm adjustment is usually unnecessary, but support for multiple algorithms may be provided.

Note: Routing matches a request to a target service, while load balancing selects an instance among that service's replicas.

Service Aggregation

Clients often need to call multiple services to complete a business function, leading to performance overhead and poor developer experience. The gateway should aggregate these calls, returning a single combined response, which improves decoupling, targeted optimization, client simplicity, and performance, though it adds development and availability complexity.

Authentication & Authorization

The gateway must enforce security, handling both authentication and authorization. Permissions are defined over resources (exposed APIs) and can be split into operation permissions (CRUD actions) and data permissions (access to specific data). Additional granularities include page and menu permissions.

Overload Protection

To prevent system overload, the gateway should implement traffic control, circuit breaking, and service degradation. Traffic control limits request rates per time window, circuit breaking stops forwarding to unresponsive services, and degradation prioritizes core services during overload.

Caching

Frequently accessed, rarely changing responses can be cached at the gateway to reduce request latency, lower backend load, and simplify service logic, though it introduces cache synchronization and operational overhead.

Retry

The gateway can automatically retry failed requests within a configurable limit to improve availability when transient network issues occur.

Logging

Comprehensive request logging is required for monitoring, analysis, and troubleshooting.

Management UI

A user interface should be provided for configuring routing rules, service degradation, call statistics, deployment management, and other operational aspects.

Non‑Functional Requirements

Security

The gateway must ensure secure communication, data encryption, integrity, and non‑repudiation to protect exposed services.

Performance

As the system’s bottleneck, the gateway must be highly performant to avoid becoming a capacity limiter; horizontal scaling may be required.

High Availability

Target availability is 99.99% (four nines) or higher, limiting total downtime to minutes per year.

Scalability & Extensibility

The gateway should support hot‑deployment of new features (e.g., logging, authentication, load‑balancing strategies) without downtime, and be stateless to enable easy horizontal scaling.

Monitoring

Metrics such as request volume, latency, error rates, and custom alerts must be available, along with analytical dashboards.

Prioritization

Core functional priorities are routing, load balancing, authentication/authorization, and overload protection, while performance, high availability, and scalability are essential quality attributes. Optimizations like aggregation, caching, retries, and extensibility can be staged for later releases.

Summary

The article outlines the comprehensive functional and non‑functional requirements for a microservice API Gateway, setting the stage for subsequent design discussions.