How to implement rate limiting in API gateway per user?

Question

Hi, If I am understanding correctly, the throttling limit in API gateway stage is for the endpoint. So, a limit of 100 request per sec will mean the endpoint will only respond to the first 100 request from anyone accessing it and will throw error after the 10 requests. What I need is to restrict the endpoint to have only 5 requests per second per user and no overall quota limit for the endpoint. So how can I implement it?

cyrk-aws · Answer

You can rate limit per client (user) in API Gateway using Usage Plans with API Keys.  The options are described in this document, page 9 (pdf page 12) :

[https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf]()

This developer guide describes setting it up in the AWS Console:

[https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html]()

Please note, there are two options for API Keys.  First your API consumers can pass in the API Key you share with them in the `X-API-Key`  header.  Second option is to use a Lambda authorizer to return the API key as part of the authorization response.

[https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html]()

Hans-Arne Hånes · Answer

We would like to implement this approach in my org, but there seems to be a quite noticable hard limitation of 10 000 API keys per AWS account. How can this solution be implemented if you have more than 10 000 clients/users? 
Will you support more than 10 000 API keys in the near future?

How to implement rate limiting in API gateway per user?

Add your answer

Relevant content