
Implement rate limiting for API Gateways with Spring Boot + Zuul


This article is part of a series where we discuss the importance of API Gateways with Spring Boot and Netflix Zuul. Previous article: How to build an API-Gateway with Netflix Zuul + Spring Boot.

When it comes to API Gateways, it is important to keep your services under the load they can bear. This can be done in two ways.

  1. Scale the services and balance load.
  2. Limit the rate of requests.

Both of the above features are possible to implement with API Gateways, but in this article we discuss the latter. Surprisingly, the official Netflix Zuul documentation does not cover how to implement rate limiting.

How to add rate limiting to Zuul

We found an awesome library called spring-cloud-zuul-ratelimit which you can use to easily implement rate limiting in your Spring Boot application. This library supports six rate limiting strategies.

  - Authenticated User: Uses the authenticated username or 'anonymous'.
  - Request Origin: Uses the user origin request.
  - URL: Uses the request path of the downstream service.
  - ROLE: Uses the authenticated user roles.
  - Request method: Uses the HTTP request method.
  - Global configuration per service: This one does not validate the request Origin, Authenticated User or URI. To use this approach just don’t set param 'type'.

It is also possible to combine Authenticated User, Request Origin, URL, ROLE and Request Method by adding multiple values to the list.

To start with, add the following dependency to your pom


Then choose one of the following storage backends which will be used by this library to keep track of the requests.

Depending on the chosen backend, you have to add a different dependency to the pom. All the dependency information can be found in their GitHub README.

Then configure the rates for each endpoint that you want to control. This can be done via either a properties file or yml configuration. Sample yml file can be seen below. All the supported properties can be found here.
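The strategies listed above, shown as an added example configuration (constructed here, not taken from the original article or the library's documentation). The route ids, ports and limits are assumptions, and the property names follow the layout of the library's 2.x releases, so check them against the README for the version you use.

```yaml
# Constructed example: route ids, URLs and limits are assumptions.
zuul:
  routes:
    orders:                      # hypothetical route id
      path: /orders/**
      url: http://localhost:8081
    reports:                     # hypothetical route id
      path: /reports/**
      url: http://localhost:8082
  ratelimit:
    enabled: true
    repository: REDIS            # storage backend for the counters; needs its own dependency in the pom
    behind-proxy: true           # read the origin from X-Forwarded-For; enable only behind a trusted proxy that sets it
    default-policy-list:         # applies to routes that have no entry under policy-list
      - limit: 100               # requests allowed per window
        refresh-interval: 60     # window length in seconds
        type:
          - origin               # one counter per request origin
    policy-list:
      orders:
        - limit: 20
          refresh-interval: 60
          type:                  # combined key: each user is counted per request path
            - user
            - url
      reports:
        - limit: 5               # no 'type' set: one global counter for the whole service
          refresh-interval: 60
```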

When one of the endpoints reaches its configured rate limit, it will automatically respond with HTTP error code 429 Too Many Requests for subsequent requests until the rate comes back to the allowed range. This will prevent the underlying service from being overloaded at peak times or under a DoS attack.