In the development of APIs sometimes it’s necessary to control the rate of the traffic received by the network to prevent attacks such as DoS or to limit the number of requests a single user/origin can make to a certain endpoint.

In a microservices architecture the API Gateway is the entry point for the whole application and having a rate limiting in this layer suits perfectly.

Spring Cloud Netflix Zuul

Spring Cloud Netflix Zuul is an Open Source API Gateway that wraps Netflix Zuul and adds quite a few functionalities, sadly rate limiting is something that’s not provided out of the box.

Adding Rate Limit on Zuul

To fix that problem it’s possible to use this OSS Rate Limit library along with Spring Cloud Netflix Zuul in which will add an out of the box support for rate-limiting the requests.

Supported Limiters

The current implementation supports a list of rate limit policies per service as well as a default configuration for every other service if necessary.

Rate Limit Type Description
Authenticated User Uses the authenticated username or ‘anonymous’
Request Origin Uses the user origin request
URL Uses the request path of the downstream service
Global configuration per service This one does not validate the request Origin, Authenticated User or URI. To use this approach just don’t set any type

Supported storage


All the rate-limiting implementation is done using Zuul Filters and applying the validations based on the configuration set per service, in case there’s no policy set then the rate limit filters are not triggered.

When a limit is reached the API Gateway returns 429 Too Many Requests status code to the client.


Everything described above can be configured using properties or YAML files and there’s no need to add any custom code to make it work.

Further Details

For further details on the implementation and usage, please go to the project repo.