API Rate Limiting and Beyond
What is API Rate Limiting?
API rate limiting is a traffic management technique that protects the backend server from overload by limiting the number of requests it processes over a period of time. It is a widely used API design pattern that improves the resiliency of the backend service.
What are the different Rate-limiting algorithms?
Some of the most commonly used rate-limiting algorithms are:
Fixed Window
Leaky Bucket
Token Bucket
Sliding Window Log
Sliding Window Counter
Benefits of API Rate limiting
Improve Resiliency
Prevent abuse of service/DDoS attacks
Ensure Fair Usage
Reduce Cost
Let's see how we can implement rate limiting using the fixed window algorithm.
The fixed window algorithm allows a certain number of requests within a time window. For example, in a time window of every 5 minutes, a maximum of 5 requests can be processed. The limit can be based on the number of requests or on the size of the request.
The request highlighted in red is the sixth request which is over the max limit of five requests configured between the window of 10:00 - 10:05 and it gets rejected.
The fixed window algorithm can be implemented in Java as below:
package com.grepcoder.alg;

import java.util.concurrent.TimeUnit;

public class FixedWindowAlg {

    private final long windowSize; // window length in milliseconds
    private final int limit;       // maximum requests allowed per window
    private long windowStartTime = System.currentTimeMillis();
    private int requestCount = 0;

    public FixedWindowAlg(int requestLimit, int windowSizeInMin) {
        this.limit = requestLimit;
        this.windowSize = TimeUnit.MINUTES.toMillis(windowSizeInMin);
    }

    // synchronized: the window check and the counter update must happen as one
    // step, otherwise concurrent requests can exceed the limit.
    public synchronized boolean checkLimit() {
        // Start a new window once the current one has elapsed.
        if (System.currentTimeMillis() - windowStartTime >= windowSize) {
            clearWindow();
        }
        if (requestCount < limit) {
            requestCount++;
            return true;
        }
        return false;
    }

    private void clearWindow() {
        windowStartTime = System.currentTimeMillis();
        requestCount = 0;
    }
}
In the above code, we can invoke the checkLimit() method to check whether the request is within the limit for that particular windowSize. The method clearWindow() will clear the requestCount and re-initialise the window.
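The class above keeps a single counter, so every caller shares one limit. As an added example (not code from the original post), the sketch below applies the same fixed-window check per client so that one caller exhausting its quota does not block others. The class name PerClientFixedWindow, the injected clock and the client ids are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;

// Added example, not from the original post: one fixed window per client key.
public class PerClientFixedWindow {
    // clientId -> {window start in ms, requests counted in that window}
    private final Map<String, long[]> windows = new ConcurrentHashMap<>();
    private final int limit;
    private final long windowSizeMs;
    private final LongSupplier clock; // injected so the demo needs no real waiting

    public PerClientFixedWindow(int limit, long windowSizeMs, LongSupplier clock) {
        this.limit = limit;
        this.windowSizeMs = windowSizeMs;
        this.clock = clock;
    }

    public boolean checkLimit(String clientId) {
        long now = clock.getAsLong();
        boolean[] allowed = {false};
        // compute() runs atomically per key, so concurrent requests from the
        // same client cannot both take the last slot in a window.
        windows.compute(clientId, (id, w) -> {
            if (w == null || now - w[0] >= windowSizeMs) {
                w = new long[] {now, 0}; // first request, or window expired
            }
            if (w[1] < limit) {
                w[1]++;
                allowed[0] = true;
            }
            return w;
        });
        return allowed[0];
    }

    public static void main(String[] args) {
        long[] now = {TimeUnit.HOURS.toMillis(10)}; // constructed clock at "10:00"
        PerClientFixedWindow limiter = new PerClientFixedWindow(
                5, TimeUnit.MINUTES.toMillis(5), () -> now[0]);
        int accepted = 0;
        for (int i = 0; i < 6; i++) {
            if (limiter.checkLimit("client-a")) accepted++; // constructed client id
        }
        System.out.println("client-a accepted of 6: " + accepted);
        System.out.println("client-b allowed: " + limiter.checkLimit("client-b"));
        now[0] += TimeUnit.MINUTES.toMillis(5); // move the clock to "10:05"
        System.out.println("client-a after reset: " + limiter.checkLimit("client-a"));
    }
}
```

The map gains one entry per distinct client id and never shrinks, so a long-running service would also need to evict idle entries.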
In this upcoming series of blog posts, let's deep dive into how these rate-limiting techniques can be applied in API gateways like Kong, Apigee, AWS, NGINX, etc.