What is a rate limiter?
A rate limiter is a mechanism that controls how many requests (or access attempts) a client may make to an API or a system resource within a given period of time.
Use cases of rate limiting
Prevents system overloading: a single noisy client cannot consume all the capacity of a shared service.
Defends against DoS/DDoS attacks: it is a first level of defense against bot requests. It is only a first layer, though; a distributed attack spread across many clients can stay under each per-client limit, so rate limiting complements, rather than replaces, network-level protections.
Cost management: limiting requests caps API usage (and the compute, storage and third-party calls each request triggers), which indirectly reduces cost.
Where should it be implemented (server or client)?
On the server side. A client-side limit runs on a machine the attacker controls, so a malicious client can simply strip or bypass it. Client-side throttling is at best a courtesy that reduces load from well-behaved clients; it is never a security control.
Popular rate limiting algorithms:
1) Token bucket: A bucket holds tokens.
Tokens are added at a fixed rate (e.g., 1/sec) up to the bucket's capacity.
Each request consumes one token.
If no tokens remain, the request is denied or queued. The capacity is the largest burst a client can send at once; the refill rate is the sustained rate it is allowed afterwards.
2) Leaky bucket: Imagine a bucket leaking at a fixed rate.
Incoming requests fill the bucket.
If the bucket overflows (too many incoming requests), extra requests are discarded or delayed. The output is smoothed to the leak rate, which is why this shape is used for traffic shaping.
3) Fixed window:
Time is divided into fixed windows (e.g., 1 minute).
Count the number of requests in each window.
If the request count exceeds the limit, block further requests until the next window. Caveat: because the counter resets at the window boundary, a client that sends the full limit at the end of one window and again at the start of the next gets up to twice the limit through in a span much shorter than one window; sliding-window variants exist to close that gap.
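The three algorithms above, implemented in-process with an injectable clock so their behaviour is reproducible. This is an added example, not code from the original post; the class names, parameters and the traffic sample are this example's own. The fixed-window class also exhibits the boundary-burst caveat described above.

```python
"""Token bucket, leaky bucket and fixed window, side by side.

Added example (not from the original post). Timestamps are passed in
explicitly instead of reading time.time(), so the runs are deterministic.
"""
import math


class TokenBucket:
    """Tokens refill at `rate` per second up to `capacity`; each request costs one.

    Allows a burst of up to `capacity` requests, then throttles to the refill rate.
    """

    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)   # start full
        self.last = now

    def allow(self, now: float) -> bool:
        # Lazily add the tokens that accrued since the last call, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LeakyBucket:
    """Requests fill the bucket; it drains at `leak_rate` per second.

    A request that would push the level above `capacity` is rejected
    (the "discarded or delayed" case); accepted traffic leaves at the leak rate.
    """

    def __init__(self, capacity: int, leak_rate: float, now: float) -> None:
        self.capacity = capacity
        self.leak_rate = leak_rate
        self.level = 0.0                # start empty
        self.last = now

    def allow(self, now: float) -> bool:
        # Drain whatever leaked out since the last call, never below empty.
        self.level = max(0.0, self.level - (now - self.last) * self.leak_rate)
        self.last = now
        if self.level + 1 <= self.capacity:
            self.level += 1
            return True
        return False


class FixedWindow:
    """At most `limit` requests per window of `window_seconds`.

    Caveat shown in the usage below: `limit` requests at the very end of one
    window plus `limit` at the very start of the next all pass, so 2 * limit
    requests can arrive within a fraction of a second.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self.counts: dict[int, int] = {}

    def allow(self, now: float) -> bool:
        key = math.floor(now / self.window)          # index of the current window
        for old in [k for k in self.counts if k < key]:
            del self.counts[old]                     # drop stale windows
        count = self.counts.get(key, 0)
        if count >= self.limit:
            return False
        self.counts[key] = count + 1
        return True


def run(limiter, times):
    """Feed request timestamps to a limiter; return the allow/deny decision per request."""
    return [limiter.allow(t) for t in times]


if __name__ == "__main__":
    # Constructed traffic: a burst of six requests at t=0, then one per second.
    burst = [0.0] * 6 + [1.0, 2.0, 3.0]
    print("token bucket :", run(TokenBucket(capacity=5, rate=1.0, now=0.0), burst))
    print("leaky bucket :", run(LeakyBucket(capacity=5, leak_rate=1.0, now=0.0), burst))
    print("fixed window :", run(FixedWindow(limit=5, window_seconds=60.0), burst))
    # Boundary burst: 5 requests at t=59.9 and 5 more at t=60.0 all pass.
    fw = FixedWindow(limit=5, window_seconds=60.0)
    print("boundary     :", run(fw, [59.9] * 5 + [60.0] * 5))
```

With the constructed burst, token bucket and leaky bucket both admit five requests, reject the sixth, and then admit one per second; the fixed window admits five and rejects everything else until the minute rolls over, but admits ten in 0.1 s across the boundary.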
Basic architecture flow:
Client → API Gateway → Redis → Backend
The client makes an HTTPS request.
The API gateway receives the request first, authenticates it, and evaluates the rate-limiting rules for that client.
Redis is used as an in-memory store for each client's counter or tokens (it keeps track of how many requests each client has made in the current window). The key should be the authenticated client identity (API key or user ID) rather than the source IP alone, because IPs are shared behind NAT and are easy for an attacker to rotate.
Only after these checks pass does the request move on to the backend services; a rejected request gets an HTTP 429 Too Many Requests response, ideally with a Retry-After header so well-behaved clients know when to retry.
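The gateway-side check from the flow above, written as an added example (not code from the original post). The counter lives in a Redis-style store; `FakeRedis` is a stand-in that implements only INCR, EXPIRE and TTL with the same method names as the redis-py client, so a real `redis.Redis()` could be passed in its place. The key format, the limit, the header names and the fail-open/fail-closed switch are this example's own assumptions.

```python
"""Per-client fixed-window rate limit at the API gateway, backed by a Redis-style counter.

Added example (not from the original post). FakeRedis mimics the three Redis
commands the check needs and uses an injectable clock (`now`) for determinism.
"""
import math


class FakeRedis:
    """In-memory subset of Redis: INCR / EXPIRE / TTL, with expiry driven by `now`."""

    def __init__(self) -> None:
        self.values: dict[str, int] = {}
        self.expires: dict[str, float] = {}
        self.now = 0.0

    def _evict(self, key: str) -> None:
        if key in self.expires and self.expires[key] <= self.now:
            self.values.pop(key, None)
            self.expires.pop(key, None)

    def incr(self, key: str) -> int:
        self._evict(key)
        self.values[key] = self.values.get(key, 0) + 1
        return self.values[key]

    def expire(self, key: str, seconds: int) -> bool:
        self._evict(key)
        if key not in self.values:
            return False
        self.expires[key] = self.now + seconds
        return True

    def ttl(self, key: str) -> int:
        self._evict(key)
        if key not in self.values:
            return -2               # Redis convention: key does not exist
        if key not in self.expires:
            return -1               # Redis convention: no expiry set
        return max(0, math.ceil(self.expires[key] - self.now))


class GatewayRateLimiter:
    """At most `limit` requests per `window` seconds for each authenticated client."""

    def __init__(self, store, limit: int, window: int, fail_open: bool = False) -> None:
        self.store = store
        self.limit = limit
        self.window = window
        self.fail_open = fail_open

    def check(self, client_id: str):
        """Return (http_status, headers) for one request from `client_id`.

        `client_id` is the identity established by authentication (API key or
        user ID), not the source IP: IPs are shared behind NAT and cheap to rotate.
        """
        key = f"ratelimit:{client_id}"          # assumed key layout
        try:
            count = self.store.incr(key)
            # The first hit starts the window. INCR followed by EXPIRE is not atomic;
            # if the process dies in between, the key never expires and the client is
            # locked out, so production code wraps both in MULTI/EXEC or a Lua script.
            if count == 1:
                self.store.expire(key, self.window)
            retry_after = self.store.ttl(key)
        except ConnectionError:
            # Policy decision when the counter store is unreachable: fail open
            # (availability first) or fail closed (refuse traffic until it is back).
            return (200 if self.fail_open else 503, {})
        remaining = max(0, self.limit - count)
        headers = {"X-RateLimit-Limit": str(self.limit),
                   "X-RateLimit-Remaining": str(remaining)}
        if count > self.limit:
            headers["Retry-After"] = str(max(1, retry_after))
            return 429, headers
        return 200, headers


if __name__ == "__main__":
    store = FakeRedis()
    gw = GatewayRateLimiter(store, limit=3, window=60)
    for _ in range(5):                          # constructed traffic from one client
        print("user-42 ->", gw.check("user-42"))
    print("user-7  ->", gw.check("user-7"))     # separate client, separate counter
    store.now = 60.0                            # window expired: counter resets
    print("user-42 ->", gw.check("user-42"))
```

Swapping `FakeRedis()` for a real client keeps the logic unchanged; what should change in production is the INCR/EXPIRE pair, which belongs in one atomic operation.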
Rule engine vs rate limiter
Rate limiter: controls how many actions (e.g., API calls) are allowed per unit of time.
Focus: quantity and frequency.
Rule engine: controls whether an action is allowed at all, based on business logic (who the caller is, what they are asking for, and in what context).
Focus: conditions and decisions.
Together, they create a secure, fair and intelligent access control system.
Top comments (1)
Good Attempt.