Rate Limiting — Complete Gateway-Level Throttling Guide
In this tutorial, you will learn about Rate Limiting. We cover key concepts, practical examples, and best practices to help you master this topic.
Gateway-level rate limiting enforces request quotas at the entry point, before any traffic reaches backend services. It is the most effective place to implement rate limiting because it protects all downstream services at once.
What You'll Learn
You'll learn how to configure rate limiting in popular gateways and how gateway-level limits differ from application-level limits.
Why It Matters
Rate limiting at the gateway protects all backend services with a single configuration. It reduces load, prevents cascading failures, and ensures fair usage across all clients.
Real-World Use
Kong Gateway enforces rate limits per consumer. Free tier consumers get 100 requests per hour. Pro tier consumers get 10000 requests per hour. When limits are exceeded, Kong returns 429 before the request reaches any backend service.
Implementation
```yaml
# Kong rate limiting plugin
plugins:
  - name: rate-limiting
    config:
      minute: 60
      hour: 1000
      policy: local
      fault_tolerant: true
      hide_client_headers: false
    consumer: free-tier
  - name: rate-limiting
    config:
      minute: 600
      hour: 10000
      policy: redis
      redis_host: redis-cluster.example.com
      redis_port: 6379
      redis_database: 0
      redis_timeout: 2000
    consumer: pro-tier
```
Express Gateway rate limiting:

```json
{
  "gateway": {
    "policies": ["rate-limiter"]
  },
  "pipelines": {
    "default": {
      "policies": {
        "rate-limiter": {
          "action": {
            "max": 100,
            "window": 60000,
            "key": "request.ip"
          }
        }
      }
    }
  }
}
```
Common Mistakes
| Mistake | Fix |
|---|---|
| Single rate limit for all endpoints | Different endpoints need different limits |
| No Redis-based limits for distributed gateways | Use Redis for consistent limits across multiple gateway instances |
| Missing headers (X-RateLimit) | Inform clients of their limits |
| No rate limit on auth endpoints | Auth endpoints need stricter limits |
| Rate limiting without retry-after | Return Retry-After header for UX |
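
The fixes in the table above (per-endpoint limits, a stricter quota on auth endpoints, client-facing limit headers and `Retry-After` on rejection) can be seen working together in the following Python example. It is added here for illustration and is not Kong's or Express Gateway's implementation; the limits, the `/auth/` route prefix, the `unknown_limit` fallback and the `X-RateLimit-*` header names are assumptions.

```python
import math
import time

# Constructed limits (assumptions, not from any real deployment):
# requests allowed per 60-second window, per consumer and route class.
LIMITS = {
    ("free-tier", "default"): 60,
    ("free-tier", "auth"): 5,    # auth endpoints get a stricter quota
    ("pro-tier", "default"): 600,
    ("pro-tier", "auth"): 10,
}


class FixedWindowLimiter:
    """Per-process counters, comparable to one gateway node with a local policy."""

    def __init__(self, limits, window=60, unknown_limit=1, clock=time.time):
        self.limits, self.window = limits, window
        self.unknown_limit, self.clock = unknown_limit, clock
        self.state = {}  # (consumer, route_class) -> (window_start, count)

    def check(self, consumer, path):
        """Return (status, headers) for one request; 429 once the quota is spent."""
        route_class = "auth" if path.startswith("/auth/") else "default"
        key = (consumer, route_class)
        # Consumers without a configured tier fall back to the strict default.
        limit = self.limits.get(key, self.unknown_limit)
        now = self.clock()
        window_start = int(now // self.window) * self.window
        start, count = self.state.get(key, (window_start, 0))
        if start != window_start:  # a new window began: reset the counter
            count = 0
        headers = {"X-RateLimit-Limit": str(limit)}
        if count >= limit:
            # Seconds until the window rolls over, rounded up so clients never retry early.
            headers["X-RateLimit-Remaining"] = "0"
            headers["Retry-After"] = str(math.ceil(window_start + self.window - now))
            return 429, headers
        self.state[key] = (window_start, count + 1)
        headers["X-RateLimit-Remaining"] = str(limit - count - 1)
        return 200, headers


if __name__ == "__main__":
    limiter = FixedWindowLimiter(LIMITS)
    for i in range(7):
        print(i + 1, *limiter.check("free-tier", "/auth/login"))
```

The counters here live in one process, which corresponds to a local policy on a single node; with several gateway instances they belong in a shared store such as Redis, as the table notes.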
What's Next
Learn about authentication at the API Gateway.