A rate limiter is a software mechanism that controls the amount of traffic or requests that can be sent to a server or API within a given time period. It is used to prevent a single user or application from overwhelming the server or consuming excessive resources.
The rate limiter sets a limit on the number of requests that can be made within a certain time frame, and it can also define how long a user or application must wait before sending another request. This helps to ensure that the server remains available to all users and that its performance is not negatively impacted by excessive traffic. The new .NET 7 Framework brought us a built-in implementation of rate limiters.
You don't need it. :)
Rate limiting comes from the Microsoft.AspNetCore.RateLimiting middleware, which is included in .NET 7 by default.
The RateLimiterOptionsExtensions class provides the following extension methods for rate limiting:
• Fixed Window
• Sliding Window
• Token Bucket
• Concurrency
We will talk about Fixed Window in this issue.
We need to add a RateLimiter service to the service collection. This should be done in the Program.cs file. Here is an example:
• AddFixedWindowLimiter - the method uses a fixed time window to limit requests. When the time window expires, a new time window starts and the request limit is reset.
• PermitLimit - A maximum of 10 requests
• Window - per 5 seconds window.
• QueueProcessingOrder - behaviour when not enough resources can be leased (Process oldest requests first).
• QueueLimit - Maximum cumulative permit count of queued acquisition requests.
After adding a service to the collection of services, it is necessary to enable its use:

Finally, you can use rate limiting.
For Minimal API, just call the RequireRateLimiting method on the defined API route. The argument "fixed" is the policyName of the created RateLimiting service (in our case it is Fixed Window).
For controllers, you also need to tell the middleware to require rate limiting:

Or, for each controller and/or action, you can specify an attribute:
Note: Do not use "magic strings", instead put "fixed" and other values in the configuration file.
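The steps above put together in one Program.cs, as an added example that is not the author's original code. The "RateLimit" configuration section, the QueueLimit value of 2, and the "-per-client" policy are assumptions, and the per-client policy goes beyond the text: AddFixedWindowLimiter gives all callers one shared window, so a single noisy client can use up the limit for everyone.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Assumed config section "RateLimit"; fallbacks are the values from the text.
var cfg = builder.Configuration.GetSection("RateLimit");
var policy = cfg["PolicyName"] ?? "fixed";
var perClient = policy + "-per-client"; // hypothetical second policy name

void Configure(FixedWindowRateLimiterOptions o)
{
    o.PermitLimit = cfg.GetValue("PermitLimit", 10);
    o.Window = TimeSpan.FromSeconds(cfg.GetValue("WindowSeconds", 5));
    o.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
    o.QueueLimit = cfg.GetValue("QueueLimit", 2); // constructed value
}

builder.Services.AddRateLimiter(options =>
{
    // Rejected requests get 503 by default; 429 tells the client it was throttled.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // The policy from the text: one fixed window shared by every caller.
    options.AddFixedWindowLimiter(policy, Configure);

    // Per-client variant: one window per remote IP address. Behind a reverse
    // proxy this is the proxy's address unless forwarded headers are processed.
    options.AddPolicy(perClient, http =>
        RateLimitPartition.GetFixedWindowLimiter(
            http.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => { var o = new FixedWindowRateLimiterOptions(); Configure(o); return o; }));
});

var app = builder.Build();

// Enable the middleware before mapping the endpoints that use it.
app.UseRateLimiter();

// Minimal API routes opt in by policy name.
app.MapGet("/", () => "Hello").RequireRateLimiting(policy);
app.MapGet("/per-client", () => "Hello").RequireRateLimiting(perClient);

// Controllers: apply to all of them here, or put [EnableRateLimiting("fixed")]
// on individual controllers or actions instead.
app.MapControllers().RequireRateLimiting(policy);

app.Run();
```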
Load testing with JMeter from Apache. That's all from me for today. Make a coffee and try it on your projects.
For API security, also consider API Key Authentication and using CORS properly.