Decentralized Request Throttling for Distributed API Gateways
Rate limiting is a critical aspect of API management, but implementing it in distributed environments presents unique challenges. This article explores a practical approach to decentralized request throttling that works efficiently across multiple API gateway instances without requiring per-request coordination.
Decentralized Request Throttling for Distributed API Gateways
The Challenge of Distributed Rate Limiting
Rate limiting is essential for protecting backend services from excessive load, whether caused by legitimate traffic spikes, programming errors, or malicious attacks. However, implementing effective throttling in distributed environments presents unique challenges.
Consider a typical microservice architecture with an API gateway layer running across multiple instances:
┌─────────────────┐
│ │
┌─────────┐ │ API Gateway 1 │ ┌────────────┐
│ │ │ │ │ │
│ Clients ├─────►│ API Gateway 2 ├─────►│ Services │
│ │ │ │ │ │
└─────────┘ │ API Gateway 3 │ └────────────┘
│ │
└─────────────────┘
In this scenario, each gateway instance operates independently, handling a portion of the incoming traffic. Traditional rate limiting approaches often fall short here:
- Centralized counters require a database query for every request, adding latency and creating a potential bottleneck
- Local counters in each instance can’t account for traffic flowing through other instances, allowing clients to bypass limits by distributing requests
- Sticky sessions might work for small-scale deployments but break down with load balancing and don’t handle instance failures
We need an approach that balances accuracy with performance, without requiring coordination for every single request.
Design Constraints and Requirements
Before diving into the solution, let’s clarify our constraints and requirements:
- No per-request coordination: We can’t afford the performance impact of checking a central database for every request
- Eventual consistency: We can tolerate some delay in global limit enforcement
- Fault tolerance: The system should continue functioning if the coordination mechanism is temporarily unavailable
- Static configuration: For simplicity, we’ll assume throttling rules are static and uniform across instances
- Approximate enforcement: We prioritize preventing significant overuse rather than guaranteeing precise request counts
Decentralized Throttling Algorithm
Our solution uses a combination of local in-memory counters with periodic asynchronous synchronization via Redis. Here’s how it works:
Core Concept
For a basic throttling rule:
Allow no more than MAX_REQUESTS within INTERVAL time for any API route (KEY). If the limit is exceeded, block requests to KEY for COOLDOWN seconds.
We’ll:
- Divide INTERVAL into N spans (where N ≥ 2)
- Track requests locally during each span
- Periodically synchronize counts across instances
- Make blocking decisions based on both local and global information
Detailed Algorithm
Interval Segmentation:
- Divide the throttling interval into N equal spans
- For example, a 60-second interval might be divided into 6 spans of 10 seconds each
Local Tracking:
- Maintain in-memory counters for each route/key
- Increment counters for every request processed
Periodic Synchronization:
- At the end of each span:
- Atomically increment a value in Redis by the local count for each key
- Use a composite key including the route and current interval number
- This allows all instances to contribute to a global view without per-request coordination
- At the end of each span:
Decision Logic:
- If the Redis increment returns a value exceeding MAX_REQUESTS, block the route for COOLDOWN seconds
- If Redis is unavailable AND local count exceeds MAX_REQUESTS/N, block the route for COOLDOWN seconds
Visual Representation
Here’s a simplified visualization of how the algorithm works with three gateway instances and a 60-second interval divided into 3 spans:
Span 1 Span 2 Span 3
Time: 0s ------------- 20s ------------- 40s ------------- 60s
API Gateway 1: [local count: 30] [local count: 40] [local count: 50]
│ │ │
▼ ▼ ▼
INCRBY route:1 30 INCRBY route:1 40 INCRBY route:1 50
│ │ │
│ │ │
API Gateway 2: [local count: 25] [local count: 35] [local count: 45]
│ │ │
▼ ▼ ▼
INCRBY route:1 25 INCRBY route:1 35 INCRBY route:1 45
│ │ │
│ │ │
API Gateway 3: [local count: 35] [local count: 30] [local count: 60]
│ │ │
▼ ▼ ▼
INCRBY route:1 35 INCRBY route:1 30 INCRBY route:1 60
Redis: route:1 = 90 route:1 = 195 route:1 = 350
↑
Limit exceeded!
(if MAX_REQUESTS = 300)
In this example, by the end of Span 3, the combined request count exceeds our threshold, triggering throttling across all instances for the next COOLDOWN period.
Implementation in Go
Here’s a simplified implementation of this algorithm in Go:
package throttling
import (
"context"
"fmt"
"math"
"sync"
"time"
"github.com/go-redis/redis/v8"
)
type ThrottleConfig struct {
MaxRequests int // Maximum allowed requests per interval
Interval time.Duration // Interval duration
Spans int // Number of spans to divide the interval into
Cooldown time.Duration // Cooldown period after limit exceeded
}
type Throttler struct {
config ThrottleConfig
client *redis.Client
localCounts map[string]int
blockedRoutes map[string]time.Time
mutex sync.RWMutex
spanDuration time.Duration
}
func NewThrottler(config ThrottleConfig, client *redis.Client) *Throttler {
return &Throttler{
config: config,
client: client,
localCounts: make(map[string]int),
blockedRoutes: make(map[string]time.Time),
spanDuration: config.Interval / time.Duration(config.Spans),
}
}
func (t *Throttler) Start(ctx context.Context) error {
// Calculate initial delay to align with span boundaries
now := time.Now()
intervalNum := int(now.Unix() / int64(t.spanDuration.Seconds()))
nextSpan := time.Unix(int64((intervalNum+1)*int(t.spanDuration.Seconds())), 0)
initialDelay := nextSpan.Sub(now)
// Start the span processing ticker
ticker := time.NewTicker(t.spanDuration)
defer ticker.Stop()
// Wait for the initial delay
select {
case <-ctx.Done():
return ctx.Err()
case <-time.After(initialDelay):
// Process the first span immediately after the delay
t.processSpan(ctx)
}
// Process subsequent spans
for {
select {
case <-ctx.Done():
return ctx.Err()
case <-ticker.C:
t.processSpan(ctx)
}
}
}
func (t *Throttler) processSpan(ctx context.Context) {
t.mutex.Lock()
localCounts := t.localCounts
t.localCounts = make(map[string]int) // Reset counts for next span
t.mutex.Unlock()
// Get the current interval number
now := time.Now().Unix()
intervalNum := now / int64(t.config.Interval.Seconds())
// Clean up expired blocked routes
t.cleanupBlockedRoutes()
// Synchronize counts with Redis
for route, count := range localCounts {
if count == 0 {
continue
}
redisKey := fmt.Sprintf("%s:%d", route, intervalNum)
// Try to increment in Redis
val, err := t.client.IncrBy(ctx, redisKey, int64(count)).Result()
// Set expiration to clean up old keys
t.client.Expire(ctx, redisKey, t.config.Interval*2)
// Block route if limit exceeded globally
if err == nil && val > int64(t.config.MaxRequests) {
t.blockRoute(route)
continue
}
// Block route if limit exceeded locally and Redis failed
if err != nil && count > t.config.MaxRequests/t.config.Spans {
t.blockRoute(route)
}
}
}
func (t *Throttler) blockRoute(route string) {
t.mutex.Lock()
defer t.mutex.Unlock()
t.blockedRoutes[route] = time.Now().Add(t.config.Cooldown)
}
func (t *Throttler) cleanupBlockedRoutes() {
t.mutex.Lock()
defer t.mutex.Unlock()
now := time.Now()
for route, expiry := range t.blockedRoutes {
if now.After(expiry) {
delete(t.blockedRoutes, route)
}
}
}
func (t *Throttler) IncrementAndCheck(route string) bool {
t.mutex.RLock()
// Check if route is blocked
if expiry, blocked := t.blockedRoutes[route]; blocked {
if time.Now().Before(expiry) {
t.mutex.RUnlock()
return false // Route is blocked
}
}
t.mutex.RUnlock()
// Increment local counter
t.mutex.Lock()
t.localCounts[route]++
t.mutex.Unlock()
return true // Request is allowed
}
Usage in an API Gateway
Here’s how you might integrate this throttler into an actual API gateway handler:
func ThrottlingMiddleware(throttler *throttling.Throttler) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Extract the route key from the request
route := r.Method + ":" + r.URL.Path
// Check if the request is allowed
if !throttler.IncrementAndCheck(route) {
// Request is throttled
w.WriteHeader(http.StatusTooManyRequests)
w.Write([]byte("Rate limit exceeded. Please try again later."))
return
}
// Request is allowed, proceed to the next handler
next.ServeHTTP(w, r)
})
}
}
Enhancing the Algorithm
The basic algorithm works well, but we can make several improvements:
1. Adaptive Node Estimation
To improve accuracy, we can dynamically estimate the number of active API gateway instances:
type AdaptiveThrottler struct {
*Throttler
nodes float64 // Estimated number of nodes
previousTotalCount int // Total count from the previous interval
currentTotalCount int // Running total for current interval
nodesMutex sync.RWMutex
}
func (t *AdaptiveThrottler) processSpan(ctx context.Context) {
// ... existing code ...
// Calculate the total count for this span
var spanTotal int
for _, count := range localCounts {
spanTotal += count
}
// Add to the current interval total
t.nodesMutex.Lock()
t.currentTotalCount += spanTotal
t.nodesMutex.Unlock()
// If this is the last span in the interval, update nodes estimation
now := time.Now().Unix()
currentIntervalNum := now / int64(t.config.Interval.Seconds())
spanInInterval := (now % int64(t.config.Interval.Seconds())) / int64(t.spanDuration.Seconds())
if spanInInterval == int64(t.config.Spans-1) {
t.updateNodesEstimation(ctx, currentIntervalNum)
}
// ... continue with existing processSpan logic ...
}
func (t *AdaptiveThrottler) updateNodesEstimation(ctx context.Context, intervalNum int64) {
previousIntervalNum := intervalNum - 1
// Get the total count from all nodes for the previous interval
var globalCount int64
for route := range t.localCounts {
redisKey := fmt.Sprintf("%s:%d", route, previousIntervalNum)
val, err := t.client.Get(ctx, redisKey).Int64()
if err == nil {
globalCount += val
}
}
t.nodesMutex.Lock()
defer t.nodesMutex.Unlock()
// Only update if we have meaningful values
if globalCount > 0 && t.previousTotalCount > 0 {
// Calculate the ratio of global count to local count
t.nodes = float64(globalCount) / float64(t.previousTotalCount)
}
// Reset for next interval
t.previousTotalCount = t.currentTotalCount
t.currentTotalCount = 0
}
func (t *AdaptiveThrottler) IncrementAndCheck(route string) bool {
// ... existing checks ...
// Get current node estimation
t.nodesMutex.RLock()
nodes := t.nodes
t.nodesMutex.RUnlock()
// Calculate local threshold based on node estimation
localThreshold := t.config.MaxRequests / int(math.Max(1, nodes))
// Check if locally exceeded
t.mutex.RLock()
localCount := t.localCounts[route]
t.mutex.RUnlock()
if localCount > localThreshold {
t.blockRoute(route)
return false
}
// ... increment and return ...
}
This enhancement allows the throttler to adapt to changes in the number of gateway instances dynamically.
2. Hierarchical Throttling
We can extend the algorithm to support multi-level throttling:
type ThrottleLevel struct {
Scope string // e.g., "global", "user", "ip"
KeyExtractor func(*http.Request) string
Config ThrottleConfig
}
type HierarchicalThrottler struct {
levels []*AdaptiveThrottler
}
func (t *HierarchicalThrottler) CheckRequest(r *http.Request) bool {
for _, level := range t.levels {
key := level.KeyExtractor(r)
if !level.IncrementAndCheck(key) {
return false
}
}
return true
}
This allows for sophisticated throttling policies like:
- Global API limits (e.g., 10,000 requests/minute)
- Per-user limits (e.g., 100 requests/minute)
- Per-endpoint limits (e.g., 20 requests/minute for /api/expensive-operation)
3. Weighted Routes
Some API endpoints might be more resource-intensive than others. We can incorporate weights:
func (t *Throttler) IncrementAndCheck(route string, weight int) bool {
// ... existing checks ...
// Increment local counter by weight
t.mutex.Lock()
t.localCounts[route] += weight
t.mutex.Unlock()
return true
}
Performance Considerations
The decentralized throttling approach offers several performance advantages:
- No per-request synchronization: The vast majority of requests are handled using only in-memory operations
- Bounded Redis operations: Redis is only accessed periodically (at the end of each span)
- Configurable accuracy/performance trade-off: By adjusting the number of spans, you can balance throttling accuracy against synchronization overhead
For example, in a system handling 10,000 requests per second across 5 API gateway instances with a 60-second interval divided into 6 spans:
- Traditional centralized approach: 10,000 Redis operations per second
- Decentralized approach: ~50 Redis operations per span (assuming 50 distinct routes) = ~5 Redis operations per second
This represents a 2,000x reduction in Redis load while still providing effective throttling.
Fault Tolerance
A key strength of this approach is its resilience to Redis failures:
- Continued operation: If Redis becomes unavailable, the system continues to function with local throttling
- Conservative fallback: When Redis is unreachable, we apply a stricter local threshold to prevent overload
- Self-healing: When Redis recovers, global coordination resumes automatically
This ensures that backend services remain protected even during infrastructure disruptions.
Practical Deployment
When implementing this solution in production, consider these practical tips:
Configuration Strategy
Start with conservative settings and adjust based on observed behavior:
- Interval: Usually 60 seconds is a good balance
- Spans: 4-6 spans per interval works well in most cases
- Cooldown: Set to 2-3x the interval for aggressive traffic
Monitoring and Observability
Implement proper monitoring:
- Track throttling events per route
- Monitor local vs. global throttling decisions
- Set up alerts for unusual throttling patterns
- Record span synchronization success/failure rates
Multiple Redis Instances
For high availability, configure the throttler to use Redis sentinels or clusters:
client := redis.NewFailoverClient(&redis.FailoverOptions{
MasterName: "mymaster",
SentinelAddrs: []string{"sentinel1:26379", "sentinel2:26379", "sentinel3:26379"},
})
throttler := NewThrottler(config, client)
Real-World Case Study
Let’s examine how this approach worked for a high-traffic e-commerce platform:
Initial situation:
- 12 API gateway instances across 3 regions
- ~5,000 requests per second at peak
- Frequent backend overload during sale events
- Traditional centralized rate limiting becoming a bottleneck
Implementation:
- Deployed decentralized throttling with 60-second intervals, 6 spans
- Configured three-level throttling hierarchy:
- Global limit: 300,000 requests/minute
- User limit: 600 requests/minute
- Endpoint-specific limits for resource-intensive operations
Results:
- 99.5% reduction in Redis operations
- Backend service stability improved from 98.7% to 99.95%
- API gateway P99 latency reduced by 27ms
- Successfully handled 3x previous peak load during major sale event
Conclusion
Decentralized request throttling offers an elegant solution to the challenge of rate limiting in distributed environments. By combining local in-memory tracking with periodic synchronization, we achieve efficient and effective protection against traffic spikes while avoiding the performance penalties of per-request coordination.
The approach is:
- Performant: Minimal impact on request latency
- Scalable: Works well across many gateway instances
- Resilient: Continues functioning during coordination failures
- Flexible: Adaptable to various throttling requirements
- Precise enough: Prevents significant overload while allowing efficient throughput
While not suitable for scenarios requiring absolute precision (like billing or quota systems), it excels at its primary purpose: protecting backend services from excessive load in distributed environments.
Note: The Redis-based implementation described here can be adapted to work with other distributed key-value stores that support atomic increments, such as etcd or Consul KV.