AWS API Gateway - throttle requests based on minute(s), not seconds.

I would like to know if anyone has managed to get around this issue;

  • I can confirm that AWS have confirmed that this is not currently a feature in place and unlikely to be on any near future roadmaps.

AWS API Gateway has current Method Throttling functionality that allows you to throttle all method requests as;

  • X requests per second.

I would like to find a way to throttle requests on an X requests per Y minutes basis.

In other words and to serve as an example;

I would like my method to be accessible once every 5 min.

Things I am already aware of and not an option:

  • We can do this via infrastructure
  • We can do this with request manipulation (add custom headers)
  • We can use a usage plan, throw API Keys into it and assign usage plans to it (no point)

So, ideally - we'd want something like this:

[image not preserved]

Anyone had any ways to get something like this done?

Or is it wishful thinking and something that I'll need to keep waiting on AWS for?

1 answer

  • answered 2018-09-17 07:45 Snickers3192

    I think what you might be after is to enable caching on your API Gateway and set the TTL to be 600 (5 minutes). A user could then hit your API as many times as they wanted within their given quota but they won't really be able to request new data for 5 minutes because the TTL will need to expire first. This is assuming your method is a GET method though - maybe you can just change it to be GET if not?

    If this does not suit your needs you will unfortunately need to push this logic up to you to manage as you already stated in your question. It's actually very uncommon what you are looking to do (I'm not saying it isn't valid), but throttling users so that they can only make a request every 5 minutes is extremely slow, and probably very uncommon. It would be more common to have a value accessible for many requests but only updated every few minutes using the TTL method.

    Keep in mind the purpose of throttling is to protect your services from too much load or DDoS attack etc. If you have parts of your application which have workflows in which there is business logic requiring that users only perform an action at most every 5 minutes, this should rather sit in a workflow management area of your application, such as in a BPM (business process manager), or if you want to go AWS you can use SWF or Step Functions. The reason being that business logic shouldn't be put into your infrastructure, at least IMO.
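An added example (not part of the answer above, and not AWS code) of what managing this logic in the application can look like: a sliding-window limiter enforcing X requests per Y minutes inside a Lambda proxy-integration handler, returning 429 with `Retry-After`. The class and handler names, the in-memory store and the choice of source IP as the caller key are assumptions made for illustration.

```python
import json
import math
import time
from collections import deque

WINDOW_SECONDS = 5 * 60  # Y minutes (the question's example)
MAX_REQUESTS = 1         # X requests per window


class SlidingWindowLimiter:
    """Allow at most `limit` requests per caller in any `window` seconds."""

    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        # Assumption: in-process dict standing in for a shared store. Lambda
        # instances do not share memory, so production state must live outside.
        self._hits = {}

    def check(self, key):
        """Return (allowed, retry_after_seconds) and record accepted requests."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # forget requests older than the window
        if len(hits) >= self.limit:
            return False, max(1, math.ceil(hits[0] + self.window - now))
        hits.append(now)
        return True, 0


LIMITER = SlidingWindowLimiter(MAX_REQUESTS, WINDOW_SECONDS)


def handler(event, context, limiter=LIMITER):
    """Lambda proxy handler; keys on source IP (an assumption, see lead-in)."""
    key = event["requestContext"]["identity"]["sourceIp"]
    allowed, retry_after = limiter.check(key)
    if not allowed:
        return {
            "statusCode": 429,
            "headers": {"Retry-After": str(retry_after)},
            "body": json.dumps({"message": "Too Many Requests"}),
        }
    return {"statusCode": 200, "body": json.dumps({"message": "ok"})}
```

Rejected requests are not recorded, so a client that keeps retrying does not push its own window forward; an authenticated principal is a sturdier key than source IP when one is available.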