Reduce request rate to API Gateway to the lowest possible
I want to limit the number of requests on my public API, as I don't want to end up with a huge bill if someone tries to spam my API endpoint using some automated API tool.

I set my Burst limit and Rate limit by the following command.

aws apigatewayv2 update-stage --api-id <api-id> --stage-name dev --route-settings '{"POST /sendMeEmail" : {"ThrottlingBurstLimit":1,"ThrottlingRateLimit":0.001}}'

So this should be a rate limit of no more than 1 request per 1000 seconds. However, it seems like I can send a much higher number of requests using Postman. Why is this not working, and what can I do to protect the API endpoint from malicious spammers?

Thanks

5 Answers

Think of the burst limit as how many requests per second the API can handle when under burst load. So in your case, 1 request/second. The Rate Limit represents what rate we can handle under normal load. So in a given second, we can handle 1 request (burst). If a second request comes along in a given second, we will only be able to handle this every 1000 seconds. If you get more aggressive with Postman, can you hit a limit? What have you tried? I don't have an API Gateway currently set up, but I would encourage you to try a 0 in the burst limit to achieve your desired outcome. Let me know how this works!

AWS
answered a year ago
EXPERT
reviewed a month ago
  • If I set Burst Limit to 0, I only get a 429 error on every request. With a BurstLimit of 1 and a RateLimit of 0.001, I get 50% 429 errors if I send 8 requests within 2 seconds.

  • Is there only one function on the API Gateway? Or are there others that are active?

I see your stage is dev, so a simple option is to un-deploy the dev stage when you are not actively developing or testing.

Another option to explore is fronting your API Gateway with AWS WAF. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html

Of the many features of AWS WAF there is a specific Rule called Rate-based to automatically put a temporary block from IP addresses sending excessive requests. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

answered a year ago
  • I am using HTTP API endpoint, not REST API. I am not sure if I can use WAF with HTTP API?

  • OK, HTTP API. You would have to set up a CloudFront distribution in front of your HTTP API; then you get WAF options.
    Since your concern is to avoid cost related to malicious spammers, you should know requests to API Gateway that fail authentication/authorization checks are not charged by AWS. However, if you are using a Lambda authorizer you do get charged for the Lambda invocation.

API Gateway doesn't support such a low rate. I think the minimum is 1 / sec.

AWS
EXPERT
Uri
answered a year ago
  • It does accept it without an error.

    And if I use rate limit = 1 rps, Error 429, (too many messages) almost never occurs.

    If I use 0.001 50% of messages if sent within a second give the 429 error.
Sorry for the delay in getting back to you. I've reviewed some of the service documentation and want to share with you what I have learned. The API Gateway can run across multiple hosts under the hood. This means that when you test the throttling (especially very aggressive throttling) at a short interval (a couple of seconds), you will find the throttling will not work as expected. The individual hosts have to share their state information and will eventually reach consensus and throttle. Over a long run, you will see metrics more in line with your settings. I would encourage you to continue your experiments but try it for a longer duration like 30 to 60 seconds.

AWS
answered a year ago
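To make the burst/rate semantics discussed in this thread concrete (burst = bucket capacity, rate = tokens refilled per second), here is an added simulation that is not from the thread or from AWS. It assumes an idealised single token bucket, which is exactly the simplification the last answer warns about: real API Gateway hosts share state and only converge on these numbers over a longer test window.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenBucket:
    """Idealised single-host token bucket (assumption: one bucket, no host consensus)."""
    capacity: float            # ThrottlingBurstLimit: tokens the bucket can hold
    refill_rate: float         # ThrottlingRateLimit: tokens added per second
    tokens: Optional[float] = None
    last: float = 0.0          # timestamp of the previous request

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = float(self.capacity)   # bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(burst: float, rate: float, request_times: list) -> tuple:
    """Return (accepted_200, throttled_429) for requests sent at the given timestamps."""
    bucket = TokenBucket(burst, rate)
    statuses = [200 if bucket.allow(t) else 429 for t in request_times]
    return statuses.count(200), statuses.count(429)


# Constructed workload matching the asker's test: 8 requests spread over 2 seconds
EIGHT_IN_TWO_SECONDS = [i * 0.25 for i in range(8)]

if __name__ == "__main__":
    # burst=1, rate=0.001 is the thread's setting; burst=0 is the suggested experiment
    for burst, rate in [(1, 0.001), (1, 1.0), (0, 1.0)]:
        ok, throttled = simulate(burst, rate, EIGHT_IN_TWO_SECONDS)
        print(f"burst={burst} rate={rate}: {ok} x 200, {throttled} x 429")
```

Under this model the thread's setting admits only the first request and throttles the other seven, and a burst of 0 rejects everything, matching the asker's observation; the 50% figure seen in practice is the multi-host state lag the last answer describes.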