How To Use Rate Limiting In ASP.NET Core
Milan Jovanović
Posted on September 18, 2023
Rate limiting is a technique to limit the number of requests to a server or an API.
A limit is introduced within a given time period to prevent server overload and protect against abuse.
In ASP.NET Core 7 we have a built-in rate limiter middleware that's easy to integrate into your API.
We're going to cover four rate limiter algorithms:
- Fixed window
- Sliding window
- Token bucket
- Concurrency
Let's see how we can work with rate limiting.
What Is Rate Limiting?
Rate limiting is about restricting the number of requests to an API, usually within a specific time window or based on other criteria.
This is practical for a few reasons:
- Prevents overloading of servers or applications
- Improves security and guards against DDoS attacks
- Reduces costs by preventing unnecessary resource usage
In a multi-tenant application, each unique user can have a limitation on the number of API requests.
Configuring Rate Limiting
ASP.NET Core 7 introduced built-in rate limiting middleware in the Microsoft.AspNetCore.RateLimiting
namespace.
To add rate limiting to your application, you first need to register the rate limiting services:
builder.Services.AddRateLimiter(options =>
{
options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
// We'll talk about adding specific rate limiting policies later.
});
I suggest updating the RejectionStatusCode
to 429 (Too Many Requests)
because it's more correct. The default value is 503 (Service Unavailable)
.
And you also have to apply the RateLimitingMiddleware
:
app.UseRateLimiter();
That's everything you'll need.
Let's see the rate limiting algorithms we can use.
Fixed Window Limiter
The AddFixedWindowLimiter
method configures a fixed window limiter.
The Window
value determines the time window.
When a time window expires, a new one starts, and the request limit is reset.
builder.Services.AddRateLimiter(rateLimiterOptions =>
{
rateLimiterOptions.AddFixedWindowLimiter("fixed", options =>
{
options.PermitLimit = 10;
options.Window = TimeSpan.FromSeconds(10);
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 5;
});
});
Sliding Window Limiter
The sliding window algorithm is similar to the fixed window, but it introduces segments in a window.
Here's how it works:
- Each time window is divided into multiple segments
- The window slides one segment each segment interval
- The segment interval is (window_time)/(segments_per_window)
- When a segment expires, the requests taken in that segment are added to the current segment
The AddSlidingWindowLimiter
method configures a sliding window limiter.
builder.Services.AddRateLimiter(rateLimiterOptions =>
{
rateLimiterOptions.AddSlidingWindowLimiter("sliding", options =>
{
options.PermitLimit = 10;
options.Window = TimeSpan.FromSeconds(10);
options.SegmentsPerWindow = 2;
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 5;
});
});
Token Bucket Limiter
The token bucket algorithm is similar to the sliding window, but instead of adding back the requests from the expired segment, a fixed number of tokens are added after each replenishment period.
The total number of tokens can never exceed the token limit.
The AddTokenBucketLimiter
method configures a token bucket limiter.
builder.Services.AddRateLimiter(rateLimiterOptions =>
{
rateLimiterOptions.AddTokenBucketLimiter("token", options =>
{
options.TokenLimit = 100;
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 5;
options.ReplenishmentPeriod = TimeSpan.FromSeconds(10);
options.TokensPerPeriod = 20;
options.AutoReplenishment = true;
});
});
When AutoReplenishment
is true
, an internal timer will execute every ReplenishmentPeriod
and replenish the tokens.
Concurrency Limiter
The concurrency limiter is the most straightforward algorithm, and it just limits the number of concurrent requests.
The AddConcurrencyLimiter
method configures a concurrency limiter.
builder.Services.AddRateLimiter(rateLimiterOptions =>
{
rateLimiterOptions.AddConcurrencyLimiter("concurrency", options =>
{
options.PermitLimit = 10;
options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
options.QueueLimit = 5;
});
});
There's no time component involved in this case. The only parameter is the number of concurrent requests.
Using Rate Limiting In Your API
Now that we have configured our rate limiting policies, let's see how we can use them in our API.
There are slight differences between controllers and minimal API endpoints, so I'll cover them in separate examples.
Controllers
To add rate limiting on a controller we use the EnableRateLimiting
and DisableRateLimiting
attributes.
EnableRateLimiting
can be applied on the controller or on the individual endpoints.
[EnableRateLimiting("fixed")]
public class TransactionsController
{
private readonly ISender _sender;
public TransactionsController(ISender sender)
{
_sender = sender;
}
[EnableRateLimiting("sliding")]
public async Task<IActionResult> GetTransactions()
{
return Ok(await _sender.Send(new GetTransactionsQuery()));
}
[DisableRateLimiting]
public async Task<IActionResult> GetTransactionById(int id)
{
return Ok(await _sender.Send(new GetTransactionByIdQuery(id)));
}
}
In the previous example:
- All endpoints in the
TransactionsController
will use a fixed window policy - The
GetTransactions
endpoint will use a sliding window policy - The
GetTransactionById
endpoint won't have any rate limiting applied
Minimal APIs
In a Minimal API endpoint you can configure the rate limit policy by calling RequireRateLimiting
and specifying the policy name.
We're using the token bucket policy in this example.
app.MapGet("/transactions", async (ISender sender) =>
{
return Results.Ok(await sender.Send(new GetTransactionsQuery()));
})
.RequireRateLimiting("token");
Closing Thoughts
It's great that we can quickly introduce rate limiting in ASP.NET Core.
You can choose from one of the existing rate limiter algorithms:
- Fixed window
- Sliding window
- Token bucket
- Concurrency
Here are some resources if you want to learn more about rate limiting:
I'm excited to try out rate limiting in my projects.
That's all for today.
Have an awesome Saturday!
P.S. Whenever you're ready, there are 2 ways I can help you:
Pragmatic Clean Architecture: This comprehensive course will teach you the system I use to ship production-ready applications using Clean Architecture. Learn how to apply the best practices of modern software architecture. Join 950+ students here.
Patreon Community: Think like a senior software engineer with access to the source code I use in my YouTube videos and exclusive discounts for my courses. Join 820+ engineers here.
Posted on September 18, 2023
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.