How to Implement Rate Limiting in Your C# REST API

This guide will walk you through the process of applying rate limiting to improve the performance of your C# REST API.

By Tim TrottC# ASP.Net MVC • April 15, 2024
Writing C# REST APIs

This article is part of a series of articles. Please use the links below to navigate between the articles.

  1. A Beginner's Guide to Building a REST API in C#
  2. Using Swagger to Document and Test Your C# REST API
  3. How to Add Authentication and Authorisation to C# REST APIs
  4. Error Handling and Exception Management in C# REST APIs
  5. Data Validation and Error Handling in REST APIs using C#
  6. Versioning Your C# REST API: Best Practices and Approaches
  7. Caching Strategies for Improved Efficiency in C# REST APIs
  8. How to Implement Rate Limiting in Your C# REST API
How to Implement Rate Limiting in Your C# REST API

Implementing rate limiting can be an excellent way to increase the performance of your C# REST API. Rate limitation allows you to limit the amount of API requests performed in a certain period, reducing overload and optimising performance.

Understand the Concept of Rate Limiting

Busy highway packed ith cars, traffic jam, queues, road block
Rate limiting is a strategy for controlling the amount of API calls made in a given period

You must understand the notion of rate limitation before implementing it in your C# REST API. Rate limitation is a strategy for controlling the amount of API calls made in a given period. You may prevent API overload and ensure optimal performance by limiting the amount of queries. This is very handy when dealing with APIs with a high traffic volume or requiring many resources. Rate restriction can be accomplished in various ways, including establishing a limited number of requests per minute or hour or creating a token-based system.

Choose a Rate Limiting Strategy

When implementing rate limitations in your C# REST API, selecting the best strategy for your specific requirements is essential. You have several rate-limiting options, including a fixed window, sliding window, token bucket, and leaky bucket.

The fixed window technique limits the amount of requests that can be made within a given time frame. You can, for example, set a restriction of 100 requests per minute. When the limit is reached, any further requests will be refused until the next time frame begins.

The sliding window technique also limits the number of requests inside a time window, but it provides more flexibility. Instead of a fixed window, the sliding window advances indefinitely, allowing a limited number of requests at each time interval. This means that if there is a sudden influx of requests, they can be granted as long as they fall within the sliding window.

Tokens are assigned to each request as part of the token bucket strategy. Each request to the API consumes a token, and once the tokens have been emptied, all further requests will be refused until new tokens are added to the bucket. As long as enough tokens are available this technique allows for bursts of requests.

The leaky bucket approach works by emptying requests from a bucket at a constant rate. Any additional requests will be refused if the bucket is full. This method smooths out spikes of requests while maintaining a steady processing rate.

Steps To Implement Rate Limiting In Your C# REST API

Setting limits and thresholds for different API endpoints is important in developing rate limits for your C# REST API. This allows you to limit the requests made to each endpoint within a given time range. You may prevent abuse and ensure fair use of your API resources by defining limits and thresholds.

You can use different methods to create limitations and thresholds, such as setting maximum requests per minute or hour for each endpoint. Limits can also be imposed based on the user's authentication level or subscription tier. You can also set different restrictions for requests, such as GET, POST, PUT, and DELETE.

Install the 'AspNetCoreRateLimit' Package

Install the AspNetCoreRateLimit NuGet package in your project using Visual Studio or your choice code editor.

powershell
dotnet add package AspNetCoreRateLimit

Configure Rate Limiting

Configure rate limitation in the ConfigureServices and Configure methods of your Startup.cs file. Rate-limiting policies can be defined, as well as rate limits for specific endpoints.

C#
using AspNetCoreRateLimit;
using Microsoft.Extensions.Options;

public void ConfigureServices(IServiceCollection services)
{
    // Add the rate-limiting configuration
    services.AddOptions();
    services.AddMemoryCache();
    services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimiting"));
    services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
    services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
    
    // Other service configurations...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Other middleware...

    // Configure rate limiting middleware
    app.UseIpRateLimiting();

    // Other middleware...
}

Define Rate Limit Policies in appsettings.json

In your `appsettings.json`, define rate-limiting policies.

json
{
  "IpRateLimiting": {
    "ClientWhitelist": ["127.0.0.1"], // Optional: Whitelist certain clients
    "EnableEndpointRateLimiting": true,
    "StackBlockedRequests": true,
    "RealIpHeader": "X-Real-IP", // Optional: To read real client IP from proxy
    "ClientIdHeader": "X-ClientId", // Optional: To identify clients based on header
    "HttpStatusCode": 429, // Status code to return for exceeded limits (Rate Limit Exceeded)
    "GeneralRules": [
      {
        "Endpoint": "*",
        "Period": "1m", // 1 minute
        "Limit": 60
      }
    ],
    "EndpointRules": [
      {
        "Endpoint": "api/secure-data",
        "Period": "1h", // 1 hour
        "Limit": 100
      },
      {
        "Endpoint": "api/other-endpoint",
        "Period": "1d", // 1 day
        "Limit": 1000
      }
    ]
  }
}

These policies establish the rate restrictions for various API endpoints. You can tailor the rules to your own needs.

Apply Rate Limiting to Endpoints

Add [RateLimit] properties to your controller actions to apply rate restriction to specific endpoints.

C#
[ApiController]
[Route("api")]
[RateLimit]
public class MyController : ControllerBase
{
    [HttpGet("secure-data")]
    [RateLimit(Name = "secure-data", Order = 1, Seconds = 60)]
    public IActionResult GetSecureData()
    {
        // Your secured endpoint logic here
    }

    [HttpGet("other-endpoint")]
    [RateLimit(Name = "other-endpoint", Order = 2, Seconds = 3600)]
    public IActionResult GetOtherEndpoint()
    {
        // Your other endpoint logic here
    }
}

At the controller level, the [RateLimit] element implements the default rate restrictions defined in appsettings.json. The [RateLimit] attribute can be used to alter these defaults for individual activities.

About the Author

Tim Trott is a senior software engineer with over 20 years of experience in designing, building, and maintaining software systems across a range of industries. Passionate about clean code, scalable architecture, and continuous learning, he specialises in creating robust solutions that solve real-world problems. He is currently based in Edinburgh, where he develops innovative software and collaborates with teams around the globe.

Related ArticlesThese articles may also be of interest to you

Windows Vista Style Glass Buttons in .Net Forms
How to Create Zip Archives in C# Without 3rd Party Libraries
How to Create Single File Deployments in .Net 6 / VS2022

CommentsShare your thoughts in the comments below

My website and its content are free to use without the clutter of adverts, popups, marketing messages or anything else like that. If you enjoyed reading this article, or it helped you in some way, all I ask in return is you leave a comment below or share this page with your friends. Thank you.

There are no comments yet. Why not get the discussion started?

New comments for this post are currently closed.