Advanced Rate Limiting
🚀 Enterprise Rate Limiting
Advanced rate limiting provides multi-tier, per-tenant, and per-API-key rate limiting to ensure fair usage and protect against abuse in enterprise environments.
🎯 Rate Limiting Strategies
1. Algorithm Types
- Token Bucket: Smooth traffic with burst handling
- Leaky Bucket: Rate limiting with overflow protection
- Fixed Window: Simple time-based limits
- Sliding Window: Precise rate limiting
2. Limiting Scopes
- Per Tenant: Isolated limits per organization
- Per API Key: Individual key-based limits
- Per User: User-specific rate limits
- Per Endpoint: Endpoint-specific limits
🚀 Rate Limiting Configuration
1. Basic Rate Limiting
from recoagent.packages.api.rate_limiting import RateLimiter
# Initialize rate limiter
rate_limiter = RateLimiter(
algorithm="token_bucket",
default_limit=1000, # requests per hour
burst_limit=100, # burst requests
window_size=3600 # 1 hour window
)
# Configure global limits
rate_limiter.configure_global_limits({
"requests_per_hour": 10000,
"requests_per_minute": 1000,
"burst_requests": 100
})
2. Per-Tenant Rate Limiting
# Configure tenant-specific limits
rate_limiter.configure_tenant_limits({
"enterprise_tenant": {
"requests_per_hour": 50000,
"requests_per_minute": 5000,
"burst_requests": 500,
"tier": "enterprise"
},
"standard_tenant": {
"requests_per_hour": 10000,
"requests_per_minute": 1000,
"burst_requests": 100,
"tier": "standard"
}
})
# Set tenant limits
rate_limiter.set_tenant_limit(
tenant_id="enterprise_tenant",
limit=50000,
burst_limit=500,
window_size=3600
)
3. Per-API-Key Rate Limiting
# Configure API key limits
rate_limiter.configure_api_key_limits({
"sk-enterprise-123": {
"requests_per_hour": 100000,
"requests_per_minute": 10000,
"burst_requests": 1000,
"tier": "enterprise"
},
"sk-standard-456": {
"requests_per_hour": 10000,
"requests_per_minute": 1000,
"burst_requests": 100,
"tier": "standard"
}
})
# Set API key limits
rate_limiter.set_api_key_limit(
api_key="sk-enterprise-123",
limit=100000,
burst_limit=1000,
window_size=3600
)
4. Tiered Rate Limiting
# Configure tiered limits
rate_limiter.configure_tiers({
"free": {
"requests_per_hour": 100,
"requests_per_minute": 10,
"burst_requests": 5,
"concurrent_requests": 2
},
"basic": {
"requests_per_hour": 1000,
"requests_per_minute": 100,
"burst_requests": 50,
"concurrent_requests": 10
},
"professional": {
"requests_per_hour": 10000,
"requests_per_minute": 1000,
"burst_requests": 500,
"concurrent_requests": 50
},
"enterprise": {
"requests_per_hour": 100000,
"requests_per_minute": 10000,
"burst_requests": 5000,
"concurrent_requests": 500
}
})
# Assign tier to user
rate_limiter.set_user_tier("user_123", "enterprise")
📊 Rate Limiting Features
1. Algorithm Comparison
| Algorithm | Burst Handling | Fairness | Complexity | Use Case |
|---|---|---|---|---|
| Token Bucket | ✅ Excellent | ✅ Good | Medium | General purpose |
| Leaky Bucket | ✅ Good | ✅ Excellent | Low | Smooth traffic |
| Fixed Window | ❌ Poor | ❌ Poor | Low | Simple limits |
| Sliding Window | ✅ Good | ✅ Good | High | Precise limits |
2. Limiting Scopes
| Scope | Isolation | Complexity | Use Case |
|---|---|---|---|
| Global | ❌ None | Low | System-wide limits |
| Per Tenant | ✅ High | Medium | Multi-tenant isolation |
| Per API Key | ✅ High | Medium | Key-based limits |
| Per User | ✅ Medium | High | User-specific limits |
| Per Endpoint | ✅ High | High | Endpoint-specific limits |
3. Tier Configuration
| Tier | Requests/Hour | Requests/Minute | Burst | Concurrent |
|---|---|---|---|---|
| Free | 100 | 10 | 5 | 2 |
| Basic | 1,000 | 100 | 50 | 10 |
| Professional | 10,000 | 1,000 | 500 | 50 |
| Enterprise | 100,000 | 10,000 | 5,000 | 500 |
🛡️ Rate Limiting Security
1. DDoS Protection
from recoagent.packages.api.rate_limiting import DDoSProtection
# Configure DDoS protection
ddos_protection = DDoSProtection(
max_requests_per_second=100,
max_requests_per_minute=1000,
max_requests_per_hour=10000,
block_duration=3600, # 1 hour
whitelist_ips=["192.168.1.0/24", "10.0.0.0/8"]
)
# Check for DDoS attacks
def check_ddos_protection(request):
client_ip = request.client.host
if ddos_protection.is_blocked(client_ip):
raise HTTPException(
status_code=429,
detail="IP address blocked due to excessive requests"
)
if ddos_protection.is_attacking(client_ip):
ddos_protection.block_ip(client_ip)
raise HTTPException(
status_code=429,
detail="Rate limit exceeded"
)
2. Adaptive Rate Limiting
from recoagent.packages.api.rate_limiting import AdaptiveRateLimiter
# Configure adaptive rate limiting
adaptive_limiter = AdaptiveRateLimiter(
base_limit=1000,
max_limit=10000,
min_limit=100,
adjustment_factor=0.1,
learning_period=3600 # 1 hour
)
# Adaptive rate limiting
def adaptive_rate_limit(request):
client_id = get_client_id(request)
current_limit = adaptive_limiter.get_current_limit(client_id)
if adaptive_limiter.is_rate_limited(client_id):
# Adjust rate limit based on behavior
adaptive_limiter.adjust_limit(client_id, -0.1) # Reduce limit
raise HTTPException(
status_code=429,
detail=f"Rate limit exceeded. Current limit: {current_limit}"
)
else:
# Increase limit for good behavior
adaptive_limiter.adjust_limit(client_id, 0.05) # Increase limit
📚 Rate Limiting Implementation
1. Middleware Integration
from fastapi import FastAPI, Request, HTTPException
from recoagent.packages.api.rate_limiting import RateLimitMiddleware
# Initialize FastAPI app
app = FastAPI()
# Add rate limiting middleware
app.add_middleware(
RateLimitMiddleware,
rate_limiter=rate_limiter,
error_message="Rate limit exceeded",
error_status_code=429
)
# Rate limited endpoint
@app.get("/api/users")
async def get_users(request: Request):
# Rate limiting is handled by middleware
return {"users": []}
2. Custom Rate Limiting
from recoagent.packages.api.rate_limiting import CustomRateLimiter
# Create custom rate limiter
custom_limiter = CustomRateLimiter(
rules=[
{
"endpoint": "/api/search",
"limit": 100,
"window": 3600,
"algorithm": "token_bucket"
},
{
"endpoint": "/api/recommendations",
"limit": 50,
"window": 3600,
"algorithm": "leaky_bucket"
}
]
)
# Apply custom rate limiting
@custom_limiter.limit_endpoint("/api/search")
async def search_endpoint(request: Request):
return {"results": []}
3. Rate Limiting Analytics
from recoagent.packages.api.rate_limiting import RateLimitAnalytics
# Initialize analytics
analytics = RateLimitAnalytics(
metrics_enabled=True,
alerting_enabled=True,
dashboard_enabled=True
)
# Track rate limiting events
def track_rate_limit_event(event_type, client_id, endpoint, limit_hit):
analytics.track_event({
"event_type": event_type,
"client_id": client_id,
"endpoint": endpoint,
"limit_hit": limit_hit,
"timestamp": datetime.utcnow()
})
# Get rate limiting metrics
def get_rate_limit_metrics():
return analytics.get_metrics({
"time_range": "24h",
"group_by": ["client_id", "endpoint"],
"metrics": ["requests", "rate_limits", "errors"]
})
🎯 Rate Limiting Testing
1. Load Testing
# Test rate limiting under load
def test_rate_limiting_load():
import asyncio
import aiohttp
async def make_request():
async with aiohttp.ClientSession() as session:
async with session.get("http://localhost:8000/api/users") as response:
return response.status
# Make 1000 concurrent requests
tasks = [make_request() for _ in range(1000)]
results = await asyncio.gather(*tasks)
# Check rate limiting behavior
rate_limited = sum(1 for status in results if status == 429)
assert rate_limited > 0, "Rate limiting should be triggered"
2. Tier Testing
# Test different tiers
def test_tier_limits():
# Test free tier
free_client = create_client(tier="free")
free_requests = make_requests(free_client, 150) # Exceed 100 limit
assert any(r.status_code == 429 for r in free_requests)
# Test enterprise tier
enterprise_client = create_client(tier="enterprise")
enterprise_requests = make_requests(enterprise_client, 50000) # Within 100k limit
assert all(r.status_code == 200 for r in enterprise_requests)
🎯 Next Steps
- Choose Rate Limiting Strategy: Select algorithm and scope
- Configure Global Limits: Set system-wide rate limits
- Set Up Tiered Limits: Configure different tiers for different users
- Implement Per-Tenant Limits: Set up tenant isolation
- Add DDoS Protection: Configure attack protection
- Monitor Rate Limiting: Set up analytics and alerting
Protect your API with enterprise-grade rate limiting! 🚀