WAF API rate limit recommended practice.
Our application operates in a B2B context, allowing us to configure rate limits at the partner/user level. We are considering enhancing our rate-limiting capabilities by combining the Cloudflare Web Application Firewall (CF WAF) rate limit with the API rate limit provided by our application. This approach aims to reduce the burden on our origin server and minimize the occurrence of 429 errors.
We are contemplating two potential solutions:
1. Dynamic Rate Limiting: This involves identifying the partner in the URL, checking the response code for 429, and inspecting the Retry-After header flag. We would then create an entry in a Key-Value (KV) store for each partner with a TTL of Retry-After. Every incoming request would check if there's an entry for the partner in the KV store and, if so, respond with a custom 429 message.
2. Edge-Based Partner Configuration: The alternative approach is to push partner-specific rate limit configurations to the edge using the Rules API. This would entail moving the entire application logic to the edge. However, considering we have over 1000 partners, implementing this many rules could potentially introduce latency.
We would appreciate your insights on which approach you recommend or if there are any alternative methods that would achieve our goal with minimal impact on latency.
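As an added illustration of option 1 (not code from the original post or from Cloudflare), here is a Worker-style handler that short-circuits at the edge once the origin has answered 429 for a partner. It assumes a KV namespace bound as `env.PARTNER_LIMITS`, a URL layout of `/api/<partner>/...`, and a runtime that provides the `Request`/`Response` globals; the in-memory KV stub exists only so the logic can be exercised locally.

```javascript
const KV_MIN_TTL = 60; // Workers KV rejects expirationTtl values below 60 seconds

// Partner id is assumed to be the first path segment after /api/ (e.g. /api/acme/v1/orders).
function partnerFromPath(pathname) {
  const m = pathname.match(/^\/api\/([A-Za-z0-9_-]+)(?:\/|$)/);
  return m ? m[1] : null;
}

// Retry-After is either delta-seconds or an HTTP-date; normalize to whole seconds.
function retryAfterSeconds(value, nowMs = Date.now()) {
  if (!value) return null;
  if (/^\d+$/.test(value.trim())) return parseInt(value, 10);
  const t = Date.parse(value);
  return Number.isNaN(t) ? null : Math.max(0, Math.ceil((t - nowMs) / 1000));
}

// Custom 429 served from the edge; Retry-After reflects the time left on the block.
function edge429(remaining) {
  return new Response(JSON.stringify({ error: 'rate_limited', retry_after: remaining }), {
    status: 429, headers: { 'content-type': 'application/json', 'retry-after': String(remaining) },
  });
}

// origin is the function used to reach the origin (pass globalThis.fetch in a real Worker).
async function handleRequest(request, env, origin) {
  const partner = partnerFromPath(new URL(request.url).pathname);
  const key = partner && `block:${partner}`;
  const nowSec = Math.floor(Date.now() / 1000);
  const until = key ? await env.PARTNER_LIMITS.get(key) : null; // block expiry as epoch seconds
  if (until !== null && Number(until) > nowSec) return edge429(Number(until) - nowSec);
  const resp = await origin(request);
  if (key && resp.status === 429) {
    const ttl = Math.max(retryAfterSeconds(resp.headers.get('retry-after')) ?? KV_MIN_TTL, KV_MIN_TTL);
    // KV is eventually consistent: other colos may forward a few requests before this propagates.
    await env.PARTNER_LIMITS.put(key, String(nowSec + ttl), { expirationTtl: ttl });
  }
  return resp;
}

// In-memory stand-in for the KV binding, for local testing only.
function memoryKV() {
  const store = new Map();
  return {
    async get(k) { const e = store.get(k); return e && e.exp > Date.now() ? e.v : null; },
    async put(k, v, { expirationTtl }) { store.set(k, { v, exp: Date.now() + expirationTtl * 1000 }); },
  };
}
```

Note that each request costs one KV read even for partners that are not blocked, and that the 60-second KV minimum can extend a short origin Retry-After, so the edge block may outlive the origin's own window.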