Open in app

Sign in

Write

Sign in

Day 10/21: System Design, Advanced Rate limiting and throttling

Ankit Kumar
3 min readMar 12, 2025

--

Dynamic Rate Limiting (Smart & Adaptive Limits)

What is Dynamic Rate Limiting?

  • Instead of using fixed limits (e.g., 1000 requests per hour), dynamic rate limiting adjusts in real-time based on factors like:
  • User behavior
  • System load
  • API response times
  • Historical request patterns

Example Use Case: Netflix API

  • A premium user watching 4K videos gets higher API request limits than a free user.
  • If Netflix’s backend servers are overloaded, the system temporarily reduces the allowed request rate for all users.

Implementation Strategies

  • Load-aware limits: Adjust based on real-time CPU, memory, and database usage.
  • User-based adaptation: Prioritize VIP users or paid users over free-tier users.
  • AI-powered prediction: Analyze past request patterns to predict and proactively limit potential abusive users.

Distributed Rate Limiting (Scaling Across Servers & Data Centers)

Why is Distributed Rate Limiting Needed?

  • In microservices and cloud environments, API requests come from multiple servers.
  • A single rate limiter on one server won’t work because requests can hit different instances.
  • Solution: Use centralized storage (Redis, DynamoDB, or Google Cloud Memorystore) to track request counts globally.

Example Implementation Using Redis

  1. Each API request updates a counter in Redis.
  2. If the counter exceeds the limit, the request is blocked.
  3. The counter resets after a fixed time window.

Alternative Distributed Rate Limiting Tools

  • Cloudflare Rate Limiting — Automatically scales with traffic.
  • AWS API Gateway Rate Limiting — Managed, no need to track requests manually.
  • Envoy & Istio Service Mesh — Enforce limits at the microservices layer.

AI-Driven & Behavioral Rate Limiting

AI-Based Traffic Analysis

  • Instead of setting static request limits, AI models analyze patterns and dynamically block suspicious users.
  • Example: If a user suddenly makes 1000 requests in 1 second, the AI system flags them as a potential bot and reduces their request rate.

Google’s AI-Based Rate Limiting

  • Google uses AI-powered fraud detection to block abusive API calls from spammers.
  • Example: ReCaptcha v3 scores each request and reduces API access for low-trust users.

How AI Learns Request Patterns?

  • Step 1: Monitor normal user traffic (e.g., average request rate per minute).
  • Step 2: Detect outliers (e.g., a sudden spike in requests).
  • Step 3: Apply automated throttling based on confidence scores.

Request Prioritization & Fair Queuing

What is Request Prioritization?

  • Not all API requests should be treated equally.
  • High-priority users or actions should bypass rate limits in certain cases.

Examples of Prioritization

  • Emergency services API (911, medical apps) should always have access, even during high traffic.
  • Premium users (e.g., Twitter Blue, YouTube Premium) get higher rate limits than free users.
  • Financial transactions (banking APIs) are prioritized over non-critical requests (e.g., analytics logs).

Fair Queuing Algorithm

  • If multiple users hit the rate limit at the same time, fair queuing ensures everyone gets a fair share.
  • Example: Instead of blocking some users completely, requests are queued and processed evenly over time.

Rate Limiting at Multiple Layers

A well-designed system enforces rate limiting at different levels to improve reliability.

Levels of Rate Limiting:

Client-Side Throttling (Avoid unnecessary retries)

  • Implemented in SDKs & front-end apps to prevent clients from flooding the server.
  • Example: A mobile app detects “429 Too Many Requests” and waits before retrying.

API Gateway-Level Throttling (Most Common)

  • Blocks excessive requests before they hit backend services.
  • Example: AWS API Gateway limits requests per IP or user key.

Service-Level Rate Limiting (Microservices)

  • Limits requests at individual services to prevent internal overload.
  • Example: Payment service limits transaction attempts per user.

Database-Level Rate Limiting (Prevent slow queries)

  • Avoids too many expensive queries from overloading databases.
  • Example: A social media app limits users to 10 profile searches per minute to prevent scraping.

High-Performance Rate Limiting Architectures

API Gateway + Distributed Cache (Best Practice for Scale)

  • API Gateway (Kong, Envoy, NGINX) handles initial rate limiting.
  • A distributed cache (Redis, DynamoDB, Google Cloud Memorystore) tracks request counts.
  • Pros: Scalable, fast, and easy to manage.

Rate Limiting with Sidecars in Kubernetes (Istio + Envoy)

  • In microservices architecture, each service can have a sidecar proxy (Envoy) that enforces rate limits locally.
  • Example: Istio service mesh limits internal API calls between microservices.

Using Kafka for Asynchronous Rate Limiting

  • Instead of blocking requests, Kafka queues them and processes at a safe rate.
  • Example: A ticket booking app limits requests but queues them for later processing instead of rejecting outright.

Understanding these advanced concepts is essential for designing scalable APIs, preventing DDoS attacks, and optimizing microservices communication.
I’ll be posting and stay consistent in both my learning followed by daily pushups. Thank you!

Follow my journey:
Medium: https://ankittk.medium.com/
Instagram: https://www.instagram.com/ankitengram/

--

--

Ankit Kumar
Ankit Kumar

Written by Ankit Kumar

78 Followers
11 Following

Senior Software Engineer | DevX | Weave HQ https://www.linkedin.com/in/ankittk

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech