Monet: Building a Unified API Gateway with Spring Cloud Gateway
Monet is a custom API gateway built on Spring Cloud Gateway that consolidates multiple platform endpoints into a single domain. It provides unified routing, API management via Zookeeper, authentication and authorization, dynamic rate‑limiting with Sentinel, and extensible monitoring, addressing the scalability and operational challenges of the Linglong platform.
Background
The Linglong design platform serves many users and businesses, but its backend grew by adding separate services, each with its own domain. This led to duplicated login and permission integration, scattered API management, manual rate‑limiting, and a lack of global monitoring for both backend and operations teams.
These pain points motivated the creation of a single entry point that could handle authentication, authorization, rate‑limiting, and monitoring for all services.
Technical Selection
Because the existing backend is built on the Java Spring ecosystem, the team evaluated Java‑based gateway solutions. Two candidates were considered: Spring Cloud Gateway and Spring Cloud Zuul 2. After comparing usability, maintainability, and community maturity, Spring Cloud Gateway was chosen as the foundation.
For rate‑limiting and circuit‑breaking, Sentinel and Hystrix were compared. Sentinel offered richer features, active community support, and flexible rule configuration, while Hystrix was no longer maintained. Sentinel was selected.
Implementation
Unified API Entry
All client requests are directed to a single domain that resolves to the Monet service, which runs on Spring Cloud Gateway. Dynamic routing is achieved by implementing RouteDefinitionRepository to load route definitions from a database and trigger a reload event when routes change, avoiding service restarts.
API Management
API definitions are stored in Zookeeper. A global filter parses incoming URIs, matches them against a trie (prefix tree) structure for efficient lookup, and injects matched API metadata into the request context. Unmatched requests receive a 404 response. An approval workflow in the gateway console ensures that only reviewed APIs are published.
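The lookup described above can be sketched as a segment-based trie with deny-by-default matching. This is an added example, not Monet's own code: the class, the `ApiMeta` fields, the `{var}` pattern syntax and the sample paths are all assumptions, and it needs Java 16 or later.

```java
import java.util.*;

public class ApiTrieDemo {
    // Hypothetical metadata; the article does not list Monet's actual fields.
    record ApiMeta(String id, String permission) {}
    static final class Node {
        final Map<String, Node> children = new HashMap<>();
        Node wildcard; // child reached through a "{var}" segment
        ApiMeta api;   // non-null only where a published API ends
    }

    private final Node root = new Node();

    void publish(String pattern, ApiMeta api) {
        Node n = root;
        for (String seg : segments(pattern)) {
            boolean var = seg.startsWith("{") && seg.endsWith("}");
            if (var) n = (n.wildcard != null) ? n.wildcard : (n.wildcard = new Node());
            else n = n.children.computeIfAbsent(seg, k -> new Node());
        }
        n.api = api;
    }

    // Empty result means "not a published API": the filter answers 404 and never forwards.
    Optional<ApiMeta> match(String path) {
        return Optional.ofNullable(walk(root, segments(path), 0));
    }

    // Literal segments win over wildcards; fall back if the literal branch dead-ends.
    private ApiMeta walk(Node n, List<String> segs, int i) {
        if (i == segs.size()) return n.api;
        Node lit = n.children.get(segs.get(i));
        ApiMeta hit = (lit == null) ? null : walk(lit, segs, i + 1);
        if (hit == null && n.wildcard != null) hit = walk(n.wildcard, segs, i + 1);
        return hit;
    }

    // Whole-segment comparison, so "/projects" never matches "/projects-admin".
    private static List<String> segments(String path) {
        return Arrays.stream(path.split("/")).filter(s -> !s.isEmpty()).toList();
    }

    public static void main(String[] args) {
        ApiTrieDemo trie = new ApiTrieDemo();
        trie.publish("/design/projects/{id}", new ApiMeta("project.get", "project:read"));
        trie.publish("/design/projects/export", new ApiMeta("project.export", "project:export"));
        for (String p : List.of("/design/projects/42", "/design/projects/export",
                "/design/projects", "/design/projects-admin/42")) // constructed sample paths
            System.out.println(trie.match(p).map(a -> "forward " + a.id()).orElse("404") + "  " + p);
    }
}
```

The sketch assumes the path has already been normalized (decoded, dot segments resolved) before lookup, since a `{var}` node accepts any single segment.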
Unified Authentication & Authorization
Authentication is performed by a global filter that validates user credentials once at the gateway and places user information into the request context. Authorization then uses the same context together with the API metadata to enforce permission checks via a dedicated permission service.
Unified Rate Limiting
Sentinel is integrated as the rate‑limiting and circuit‑breaking component. Configuration rules are stored in Zookeeper, allowing administrators to set limits per user, IP, or API and to define degradation strategies such as response‑time thresholds or exception ratios.
Unified Monitoring
A monitoring interface abstracts the underlying monitoring system. The gateway’s global filter records request metrics—such as latency and error codes—and forwards them to the configured monitoring backend. This design enables plugging in different monitoring platforms without changing gateway code.
Conclusion
The Monet gateway successfully unifies API entry, management, authentication, rate‑limiting, and monitoring on top of Spring Cloud Gateway, solving the scalability and operational challenges of the Linglong platform. Future work includes expanding the API approval workflow, supporting non‑Java services, and adding detailed access logging.
Aotu Lab
Aotu Lab, founded in October 2015, is a front-end engineering team serving multi-platform products. The articles in this public account are intended to share and discuss technology, reflecting only the personal views of Aotu Lab members and not the official stance of JD.com Technology.