hosting review

ASP.NET Core 7.0.4 Tutorial: Rate Limiting in the Web API for .NET Core 7

Suzan Kara

How does rate-limiting work?
Rate limitation is a technique used to limit the number of requests that can be made to a specific resource during a given window of time. A rate limiter middleware that is included in NET Core 7 allows us to create settings for rate restriction.

Why do you rate limits?

  • Network traffic can be limited by rate-limiting.
  • Rate limiting defends against denial-of-service (DoS) assaults on our application.
  • When we receive a lot of requests, it helps us manage server resources effectively.
  • By eliminating irrational wait times for return responses, rate limiting aids in the performance improvement of our application.
  • Rate-limiting lowers expenses. Assume, for instance, that our API is accessible to the general public and that a lot of requests are made by end users. In that situation, managing the demand might call for more servers and network resources, which would raise infrastructure costs.

Fixed Window Rate Limiting Algorithm

  • A straightforward and memory-saving approach called Fixed Window divides time into fixed windows or intervals that correspond to rate-limiting definitions, and if the maximum number of requests is reached, further requests are throttled.
  • As an illustration, let’s say the fixed window algorithm permits 20 requests per minute. In such a situation, there is a single window that runs from 00.00 to 00.01 and accommodates a maximum of 20 requests. Once the fixed window has run its course, the request count is reset at the start of each subsequent time frame.

Transverse Window
The sliding window algorithm divides the window into several pieces and counts the number of requests within each segment. It combines the fixed and sliding log algorithms. The window slides with each passage, tossing out the previous request counts and allowing the current section of the new one.

Bucket of tokens

  • A bucket is used to hold a predetermined amount of tokens and maintain count in the memory-efficient method known as “Token Bucket.”
  • Assume, for instance, that a bucket has a cap of 100 tokens and that whenever a request is made, the bucket is checked to see if there are any tokens left. The token count will drop, and fresh requests will be filled if there are any tokens left. Requests are throttled if the token limit is exceeded and are not available in that situation.

Vacant Bucket
The Leaky Bucket algorithm stores the number of tokens in a bucket with a hole, and each token identifies an API call. If a new request comes in, it will be added to the end of the queue. If the queue is getting full, the next request will be throttled. It will be kept in a FIFO (first in, first out) queue with a fixed size to contain the number of requests.

Moving Log
Each API request is tracked using the sliding log method, which keeps a timestamp log that is internally kept in the hashed database and ordered by time. This algorithm aids in limiting the volume of data transported and the number of requests made per unit of time. When a new request is handled, the total number of log entries for that specific user is added up to determine the request rate. Subsequent requests are throttled if that rate goes over the cap.

Rate Limiting in .NET Core 7

ASP.NET Core has built support for Rate Limiter and has middleware for the same.

Step 1
Create a .NET Core 7 Web API Application.

Step 2
Create a new controller with different API endpoints as per requirement.

Step 3
Open the Program class and configure the fixed window rate limiter inside the same.

//Fixed Window Rate Litter Configuration
builder.Services.AddRateLimiter(_ => _
    .AddFixedWindowLimiter(policyName: "fixed", options =>
    {
        options.PermitLimit = 3;
        options.Window = TimeSpan.FromSeconds(10);
        options.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
        options.QueueLimit = 2;
    }));

Line 2: AddRateLimiter function to add rate limiting service inside service collection.

Line 3: AddFixedWindowLimiter to add a fixed window policy with a policy name fixed.

Line 5-6: PermitLimit 3 and Window have a 10-second timespan means 3 requests are allowed within a 10-second window timespan.

Line 7-8: QueueProcessingOrder is the OldestFirst, and QueueLimit is 2 means whenever the window limit is exceeded, in that case, subsequent two requests are throttled and stored inside the queue. When the window count is reset at that time requests are processed from the queue and the oldest request is picked for processing.

Step 4

Add UseRateLimiter middleware inside the program class to enable rate limiting in the request/response pipeline.

//Rate limitter middleware
app.UseRateLimiter();

Step 5

Inside the controller apply the rate limiter with the help of EnableRateLimiting attribute on any endpoint or controller level as per requirement.

If you want to disable the rate limiter on the particular endpoint that is possible using the DisableRateLimiting attribute.

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using RudderStackDemo.Entities;
using RudderStackDemo.Repositories;

namespace RudderStackDemo.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    [EnableRateLimiting("fixed")]
    public class ProductsController : ControllerBase
    {
        private readonly IProductService _productService;

        public ProductsController(IProductService productService)
        {
            _productService = productService;
        }

        /// <summary>
        /// Product List
        /// </summary>
        /// <returns></returns>
        [HttpGet]
        [EnableRateLimiting("fixed")]
        public async Task<IActionResult> ProductListAsync()
        {
            var productList = await _productService.ProductListAsync();
            if (productList != null)
            {
                return Ok(productList);
            }
            else
            {
                return NoContent();
            }
        }

        /// <summary>
        /// Get Product By Id
        /// </summary>
        /// <param name="productId"></param>
        /// <returns></returns>
        [HttpGet("{productId}")]
        [DisableRateLimiting]
        public async Task<IActionResult> GetProductDetailsByIdAsync(int productId)
        {
            var productDetails = await _productService.GetProductDetailByIdAsync(productId);
            if (productDetails != null)
            {
                return Ok(productDetails);
            }
            else
            {
                return NotFound();
            }
        }
    }
}

Step 6

Execute and Test API endpoints with the help of Swagger or Postman.

ASP.NET Core 7.0.4 Hosting Recommendation

HostForLIFE.eu

HostForLIFE.eu is a popular recommendation that offers various hosting choices. Starting from shared hosting to dedicated servers, you will find options fit for beginners and popular websites. It offers various hosting choices if you want to scale up. Also, you get flexible billing plans where you can choose to purchase a subscription even for one or six months.