Skip to content

shahnotes/aws-rate-limiter-arch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

2 Commits
README.md
README.md
Β 
Β 

Repository files navigation

🚦 Designing a Scalable Rate Limiter System on AWS

πŸ’‘ Problem

Design a rate limiter for:

  • Login attempts: Max 3 in 10 minutes
  • Video views: Max 20/day
  • Comments: Max 100/day
    Must support millions of users with low latency and high availability.

🎯 Functional Requirements

  • Per-user and per-IP request limiting
  • Configurable rules per API endpoint
  • Real-time blocking if limit exceeded

🚫 Non-Functional Requirements

  • Latency ≀ 20ms
  • High throughput (10K+ RPS)
  • 99.99% availability
  • Low operational cost
  • Horizontal scalability

πŸ—οΈ High-Level Design

[ Client ]
   β”‚
   β–Ό
[ API Gateway ]
   β”‚
   β–Ό
[ Rate Limiter (Lambda or ECS/Fargate) ]
   β”‚       β–²
   β”‚       β”‚
   β–Ό       β”‚
[ Redis (ElastiCache) ] ← stores counters
   β”‚
   β–Ό
[ DynamoDB ] ← stores config (limits per API)

βš™οΈ AWS Services Used

Component Purpose
API Gateway Entry point, optional usage plans
AWS Lambda (or Fargate) Stateless compute for checking limits
ElastiCache Redis Fast, atomic counters with TTL
DynamoDB Stores API limit rules, fallback store
CloudWatch + X-Ray Monitoring + tracing

πŸ“Š Data Design

Redis Keys (Per user/API)

user:123:/comments β†’ Sorted Set [timestamp1, timestamp2...]
TTL: 24h

DynamoDB (Rules Table)

PK: API:/comment  | SK: default
Limit: 100        | TimeWindow: 24h

🧠 Algorithms

  • Fixed Window Counter for login
  • Sliding Window (Sorted Set) for comment and view tracking
  • Token Bucket for smoother burst control (optional)

πŸ“ˆ Scaling and Resilience

  • Redis is multi-AZ (clustered)
  • Lambda scales automatically
  • Fail-open for non-critical APIs (e.g., video view)
  • Fail-close for critical ones (e.g., login attempts)

πŸ” Observability

  • CloudWatch custom metrics:
    • Requests blocked
    • Rule violations
  • X-Ray for tracing Lambda execution

βœ… Trade-offs Considered

Option Trade-off
IP vs User ID IP is anonymous but prone to collisions
Redis vs DB Redis fast but volatile; fallback to DB
Fail-open Better UX, worse protection
Sliding vs Token Sliding is precise, token is burst-friendly

πŸ“Œ Conclusion

This architecture:

  • Handles real-time request limiting
  • Is fully serverless (or containerized if needed)
  • Leverages Redis + DynamoDB for speed and persistence
  • Scales easily and is cost-efficient

⏱️ Pro Tip:

If you have 30 minutes for this question:

  • Spend first 5 mins clarifying scope
  • Next 10 mins sketch out architecture & flow
  • Last 15 mins write structured answer like above
    (Include trade-offs and AWS reasoning β€” this is what bar-raisers look for!)

About

Designing a Scalable Rate Limiter System on AWS

Topics

aws architecture rate-limiter

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository