How to implement a Rate Limiter in C#

March 27 2023

Background



A rate limiter is a software mechanism that controls the amount of traffic or requests that can be sent to a server or API within a given time period. It is used to prevent a single user or application from overwhelming the server or consuming excessive resources.

The rate limiter sets a limit on the number of requests that can be made within a certain time frame, and it can also define how long a user or application must wait before sending another request. This helps to ensure that the server remains available to all users and that its performance is not negatively impacted by excessive traffic.

.NET 7 introduced a built-in implementation of rate limiters.


NuGet package



You don't need it. :)

Rate limiting comes from the Microsoft.AspNetCore.RateLimiting middleware, which is included in .NET 7 by default.


Rate Limiter Algorithms



The RateLimiterOptionsExtensions class provides the following extension methods for rate limiting:

• Fixed Window
• Sliding Window
• Token Bucket
• Concurrency

We will talk about Fixed Window in this issue.


Add RateLimiter Service



We need to add a RateLimiter service to the service collection. This is done in the Program.cs file.

Here is an example:

Adding Rate Limiter to Service Collection

• AddFixedWindowLimiter - the method uses a fixed time window to limit requests. When the time window expires, a new time window starts and the request limit is reset.
• PermitLimit - a maximum of 10 requests
• Window - per 5-second window.
• QueueProcessingOrder - behaviour when not enough resources can be leased (Process oldest requests first).
• QueueLimit - Maximum cumulative permit count of queued acquisition requests.


Enable using RateLimiter middleware



After adding a service to the collection of services, it is necessary to enable its use:

Enabling Rate Limiter Middleware



Use it



Finally, you can use rate limiting.

For Minimal API, just call the RequireRateLimiting method on the defined API route. The argument "fixed" is the policyName of the rate limiting policy we created (in our case, Fixed Window).

For controllers, you also need to tell the middleware to require rate limiting:

Require Rate Limiter

Or you can specify an attribute for each controller and/or action:

Rate Limiting Controller Attribute

Note: Do not use "magic strings", instead put "fixed" and other values in the configuration file.
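The three steps above (register the service, enable the middleware, require the policy) in a single Program.cs. This is an added example, not the article's original snippets. The QueueLimit value, the "fixed-per-ip" policy, the /ping route and OrdersController are assumptions made for illustration.

```csharp
// Program.cs for an ASP.NET Core web project on .NET 7+ (implicit usings enabled)
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddRateLimiter(options =>
{
    // Default rejection status is 503; 429 tells the caller it was throttled.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    // Article's policy: 10 requests per 5-second window, oldest queued request first.
    options.AddFixedWindowLimiter(policyName: "fixed", o =>
    {
        o.PermitLimit = 10;
        o.Window = TimeSpan.FromSeconds(5);
        o.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
        o.QueueLimit = 2; // assumed value, the article gives none
    });

    // Assumption, not in the article: "fixed" is one counter shared by every caller,
    // so "fixed-per-ip" keeps a separate window per client address.
    options.AddPolicy("fixed-per-ip", ctx => RateLimitPartition.GetFixedWindowLimiter(
        partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
        factory: _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 10,
            Window = TimeSpan.FromSeconds(5),
            QueueLimit = 0 // reject at once instead of queueing
        }));
});
var app = builder.Build();
app.UseRateLimiter(); // if UseRouting() is called explicitly, place this after it
app.MapGet("/ping", () => "pong").RequireRateLimiting("fixed"); // Minimal API route
app.MapControllers(); // or, for all controllers: app.MapControllers().RequireRateLimiting("fixed");
app.Run();

[ApiController]
[Route("api/[controller]")]
[EnableRateLimiting("fixed")] // applies to every action in this controller
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("limited by the shared \"fixed\" policy");

    [HttpGet("mine")]
    [EnableRateLimiting("fixed-per-ip")] // action-level attribute overrides the controller's
    public IActionResult Mine() => Ok("limited per client address");
}
```

Behind a reverse proxy or load balancer, RemoteIpAddress is the proxy's address unless forwarded headers are processed, so every client would land in the same partition.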


How to test?



Load testing with JMeter from Apache.

That's all from me for today.

Make a coffee and try it on your projects.

dream BIG!
