
Rate Limiting — Complete Gateway-Level Throttling Guide

DodaTech Updated 2026-06-28 1 min read

This tutorial covers gateway-level rate limiting: what it protects, how to configure it in Kong Gateway and Express Gateway, and the mistakes that quietly make a limit ineffective.

Gateway-level rate limiting enforces request quotas at the entry point, so over-limit traffic is rejected before it consumes a backend connection, worker thread or database query. One policy covers every service behind the gateway, which is why it is the first place to add throttling. It complements rather than replaces application-level limits: the gateway sees identities, routes and request counts, while the application can see business state (an account's quota, the cost of a particular operation) that the gateway cannot.

What You'll Learn

You'll learn how to configure rate limiting in popular gateways and how gateway-level limits differ from application-level limits.

Why It Matters

Rate limiting at the gateway protects all backend services with a single configuration. It caps the load any one client can generate, stops a burst against one service from cascading into the others, keeps a noisy or abusive client from starving everyone else, and, on authentication endpoints, slows brute-force and credential-stuffing attempts before they reach the login handler.

Real-World Use

Kong Gateway's rate-limiting plugin counts requests per consumer, where the consumer is whatever identity an authentication plugin (key-auth, JWT and so on) attached to the request. With the configuration below, free-tier consumers get 60 requests per minute and 1,000 per hour; pro-tier consumers get 600 per minute and 10,000 per hour. When a limit is exceeded Kong answers 429 itself, and unless hide_client_headers is set it also tells the client its limit and remaining quota. The backend never sees the rejected request.

Implementation

# Kong declarative config (kong.yml / decK): one rate-limiting plugin instance
# per consumer. A single consumer stands in for each tier here; in practice
# every customer is its own consumer carrying the plugin for its tier.
_format_version: "3.0"

consumers:
  - username: free-tier
  - username: pro-tier

plugins:
  - name: rate-limiting
    consumer: free-tier
    config:
      minute: 60
      hour: 1000
      limit_by: consumer          # default; count against the authenticated consumer
      policy: local               # per-node counters: behind N gateway nodes the effective limit is N x 60/minute
      fault_tolerant: true        # keep proxying if the counter store errors
      hide_client_headers: false  # send the X-RateLimit-* / RateLimit-* headers to the client

  - name: rate-limiting
    consumer: pro-tier
    config:
      minute: 600
      hour: 10000
      limit_by: consumer
      policy: redis               # shared counters, consistent across every gateway node
      redis_host: redis-cluster.example.com
      redis_port: 6379
      redis_database: 0
      redis_timeout: 2000         # milliseconds
      fault_tolerant: true
      hide_client_headers: false

# Express Gateway (gateway.config.json). The rate-limiter policy wraps express-rate-limit:
# `max` requests per `windowMs`, keyed by `rateLimitBy`. It must be enabled in the top-level
# `policies` list and placed before `proxy` so rejected requests never reach the backend.
{
  "http": { "port": 8080 },
  "apiEndpoints": {
    "api": { "host": "*", "paths": ["/api/*"] }
  },
  "serviceEndpoints": {
    "backend": { "url": "http://backend.internal:3000" }
  },
  "policies": ["rate-limiter", "proxy"],
  "pipelines": {
    "default": {
      "apiEndpoints": ["api"],
      "policies": [
        {
          "rate-limiter": [
            {
              "action": {
                "max": 100,
                "windowMs": 60000,
                "rateLimitBy": "${req.ip}"
              }
            }
          ]
        },
        {
          "proxy": [
            { "action": { "serviceEndpoint": "backend", "changeOrigin": true } }
          ]
        }
      ]
    }
  }
}

Common Mistakes

Mistake: one rate limit for every endpoint.
Fix: size limits per route; an expensive search or export endpoint deserves a far lower limit than a health check.

Mistake: policy: local on a fleet of gateway instances.
Fix: each instance counts on its own, so the effective limit is N times the configured value. Use the Redis policy so every instance reads the same counter.

Mistake: hiding or omitting rate-limit headers.
Fix: return X-RateLimit-* (or the standardised RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset) so clients can pace themselves before they hit 429.

Mistake: no separate limit on authentication endpoints.
Fix: give login, token and password-reset routes a much stricter limit, keyed by source IP as well as by consumer, to slow brute-force and credential stuffing.

Mistake: 429 without Retry-After.
Fix: include Retry-After so well-behaved clients back off for the right interval instead of retrying immediately.
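To make the tier behaviour from Real-World Use and the local-versus-Redis, auth-endpoint and Retry-After points above concrete, here is a small gateway-style limiter in plain Node.js. It is an added example, not code from Kong, Express Gateway or DodaTech: the tier names and limits, the /auth route, the fixed-window algorithm and the in-memory CounterStore standing in for Redis are all illustrative assumptions. Sharing one store between simulated gateway nodes models `policy: redis`; giving each node its own store models `policy: local`, and the run shows the configured 60/minute becoming 120/minute behind two nodes.

```javascript
// Added example (not Kong's or Express Gateway's code): a gateway-style
// rate limiter in plain Node.js that models what those gateways do in front
// of the backend.
//   - tier limits per consumer (free vs pro) and a stricter limit on /auth
//   - a pluggable counter store: one Map per gateway node models Kong's
//     `policy: local`, one Map shared by all nodes models `policy: redis`
//   - 429 with RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset and
//     Retry-After, as a gateway should return them to the client
// Tier names, limits, the /auth route and the fixed-window algorithm are
// illustrative assumptions, not values taken from the article.

const TIERS = {
  'free-tier': { limit: 60, windowMs: 60_000 },
  'pro-tier': { limit: 600, windowMs: 60_000 },
};
const AUTH_LIMIT = { limit: 5, windowMs: 60_000 };     // credential-guessing surface
const DEFAULT_LIMIT = { limit: 10, windowMs: 60_000 }; // unauthenticated, keyed by IP

// Fixed-window counters keyed by (subject, window start).
// A real deployment would back this with Redis INCR + EXPIRE.
class CounterStore {
  constructor() { this.buckets = new Map(); }
  incr(key, windowStart) {
    const k = `${key}:${windowStart}`;
    const n = (this.buckets.get(k) || 0) + 1;
    this.buckets.set(k, n);
    return n;
  }
}

// Pick the limit and counter key for a request. Auth routes are limited per
// source IP regardless of tier, so a pro consumer cannot brute-force faster.
function policyFor(req) {
  if (req.path.startsWith('/auth')) return { key: `auth:${req.ip}`, ...AUTH_LIMIT };
  const tier = TIERS[req.consumer];
  if (tier) return { key: `consumer:${req.consumer}`, ...tier };
  return { key: `ip:${req.ip}`, ...DEFAULT_LIMIT };
}

// Returns { status, headers }: 200 stands for "forward to the backend",
// 429 for "reject at the gateway".
function checkRateLimit(store, req, nowMs) {
  const { key, limit, windowMs } = policyFor(req);
  const windowStart = Math.floor(nowMs / windowMs) * windowMs;
  const count = store.incr(key, windowStart);
  const resetSec = Math.ceil((windowStart + windowMs - nowMs) / 1000);
  const headers = {
    'RateLimit-Limit': String(limit),
    'RateLimit-Remaining': String(Math.max(0, limit - count)),
    'RateLimit-Reset': String(resetSec),
  };
  if (count > limit) {
    headers['Retry-After'] = String(resetSec); // tells clients when to come back
    return { status: 429, headers };
  }
  return { status: 200, headers };
}

// Send `requests` identical requests round-robin across gateway nodes (one
// store each) and return how many the backend would actually receive.
function simulate(stores, req, requests, nowMs) {
  let forwarded = 0;
  for (let i = 0; i < requests; i++) {
    if (checkRateLimit(stores[i % stores.length], req, nowMs).status === 200) forwarded++;
  }
  return forwarded;
}

function demo() {
  const now = 1_700_000_000_000; // fixed clock so the run is deterministic (constructed)
  const freeReq = { consumer: 'free-tier', ip: '203.0.113.7', path: '/api/items' };
  const authReq = { consumer: 'pro-tier', ip: '203.0.113.7', path: '/auth/login' };
  // Two nodes with local counters: the "60/minute" tier lets 120 through.
  const local = simulate([new CounterStore(), new CounterStore()], freeReq, 200, now);
  // Two nodes sharing one store: exactly 60 reach the backend.
  const shared = new CounterStore();
  const distributed = simulate([shared, shared], freeReq, 200, now);
  // /auth ignores the pro tier and stops at 5 attempts per IP.
  const auth = simulate([new CounterStore()], authReq, 20, now);
  return { local, distributed, auth };
}

console.log(JSON.stringify(demo())); // {"local":120,"distributed":60,"auth":5}
```

Run it with `node ratelimit.js`. The fixed-window counter is the same shape Kong's plugin and express-rate-limit use; the thing to notice is that the algorithm is irrelevant if each gateway node keeps its own counters, and that the /auth rule is keyed by IP on purpose so a stolen high-tier credential does not buy a faster password-guessing budget.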

What's Next

Learn about authentication at the API Gateway.
