Spring Cloud Gateway: Microservice Gateway Overview, Setup, CORS, Filters, and Rate Limiting

1. Microservice Gateway Spring Cloud Gateway

1.1 Introduction

The article introduces microservice gateway concepts, including a limit of 100,000 QPS, cross‑origin handling, filters, and token‑bucket rate limiting.

Gateways are essential in microservice architectures, evolving from Zuul to Spring Cloud Gateway.

This piece summarizes all accumulated gateway knowledge for learners.

Key topics: gateway CORS configuration, filter implementation, and token‑bucket rate limiting (10 万 QPS).

1.2 What is a Microservice Gateway?

This project provides a library for building an API Gateway on top of Spring WebFlux.

Official gateway site: https://spring.io/projects/spring-cloud-gateway

nginx – high‑performance HTTP reverse proxy.

Zuul – Netflix JVM‑based router and load balancer.

spring‑cloud‑gateway – Spring’s gateway with circuit breaker, path rewrite, better performance than Zuul.

Using gateway seamlessly integrates with Spring Cloud microservices.

1.3 Why Use a Gateway?

Gateways solve issues such as multiple service addresses, client complexity, cross‑origin requests, authentication duplication, refactoring difficulty, and firewall restrictions.

Clients would need to call many services, increasing complexity.

Cross‑origin requests become harder to handle.

Each service requires separate authentication.

Refactoring services is difficult when clients call them directly.

Some services use protocols not friendly to browsers or firewalls.

All these problems can be mitigated by a gateway.

1.4 Advantages of a Microservice Gateway

Security – services stay behind the firewall, only the gateway is exposed.

Monitoring – gateway can collect and forward metrics.

Authentication – centralized authentication at the gateway.

Reduced client‑service interactions.

Unified authorization.

1.5 Summary

The gateway acts as a central system for authentication, security control, unified logging, and easy monitoring.

Historical article collection: 200 issues summary

2. Building and Configuring the Microservice Gateway

2.1 Gateway Service Setup

For a management backend, a dedicated gateway service is built.

Setup steps:

(1) Add Maven dependencies in pom.xml:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>

(2) Create the main class GatewayApplication:

@SpringBootApplication
@EnableEurekaClient
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}

(3) Add application.yml under resources:

spring:
  application:
    name: apigateway
  cloud:
    gateway:
      routes:
      - id: open
        uri: lb://open
        predicates:
        - Path=/open/**
        filters:
        - StripPrefix=1
      - id: system
        uri: lb://system
        predicates:
        - Path=/system/**
        filters:
        - StripPrefix=1
server:
  port: 9999
eureka:
  client:
    service-url:
      defaultZone: http://127.0.0.1:10086/eureka
  instance:
    prefer-ip-address: true

Reference: Spring Cloud Gateway documentation

2.2 CORS Configuration

Add the following bean to GatewayApplication:

@Bean
public CorsWebFilter corsFilter() {
    CorsConfiguration config = new CorsConfiguration();
    config.addAllowedMethod("*"); // all methods
    config.addAllowedOrigin("*"); // all origins
    config.addAllowedHeader("*"); // all headers
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());
    source.registerCorsConfiguration("/**", config);
    return new CorsWebFilter(source);
}

3. Gateway Filters

Custom filters can implement IP black/white‑list, URL interception, etc.

(1) IpFilter implementation:

@Component
public class IpFilter implements GlobalFilter, Ordered {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        InetSocketAddress remoteAddress = request.getRemoteAddress();
        // TODO: set IP whitelist
        System.out.println("ip:" + remoteAddress.getHostName());
        return chain.filter(exchange);
    }
    @Override
    public int getOrder() { return 1; }
}

(2) UrlFilter implementation:

@Component
public class UrlFilter implements GlobalFilter, Ordered {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        String url = request.getURI().getPath();
        // TODO: intercept specific URLs
        System.out.println("url:" + url);
        return chain.filter(exchange);
    }
    @Override
    public int getOrder() { return 2; }
}

4. Rate Limiting (10 万 QPS) Using Token Bucket

The gateway can enforce rate limits to protect downstream services.

4.1 Rate‑Limiting Idea

Use a token‑bucket algorithm where each request must acquire a token; tokens are replenished at a fixed rate.

4.2 Token Bucket Algorithm

Key points: burst capacity (max tokens), replenish rate (tokens per second), and key resolver for per‑IP limits.

4.3 Implementation

(1) Add Redis dependency for the built‑in RequestRateLimiter:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
    <version>2.1.3.RELEASE</version>
</dependency>

(2) Define a KeyResolver for IP‑based limiting:

@Bean
public KeyResolver ipKeyResolver() {
    return exchange -> Mono.just(exchange.getRequest().getRemoteAddress().getHostName());
}

(3) Configure application.yml with rate‑limiter settings:

spring:
  cloud:
    gateway:
      routes:
      - id: open
        uri: lb://open
        predicates:
        - Path=/open/**
        filters:
        - StripPrefix=1
        - name: RequestRateLimiter
          args:
            key-resolver: "#{@ipKeyResolver}"
            redis-rate-limiter.replenishRate: 1
            redis-rate-limiter.burstCapacity: 1
      - id: system
        uri: lb://system
        predicates:
        - Path=/system/**
        filters:
        - StripPrefix=1
  redis:
    host: 101.57.2.128
    port: 6379
server:
  port: 9999

Explanation of parameters: burstCapacity: total token bucket size. replenishRate: tokens added per second. key-resolver: bean that provides the key for limiting (e.g., IP).

Setting burstCapacity higher than replenishRate allows temporary spikes; otherwise, excess requests receive HTTP 429.

4.4 Testing Steps

Start Redis.

Start Eureka registry.

Start the business microservice.

Start the gateway.

Open http://localhost:9999/open in a browser.

Refresh rapidly; exceeding 100 k requests per second returns 429.

How to generate 100 k requests? Feel free to comment.

Source: Juejin article