Implement Rate Limiting In ASP.NET Core Web API


Introduction

In this article, you'll learn about rate limiting and how to apply it to your ASP.NET Core Web API.

What is Rate Limiting?

If you're building an API, it may be accessed by multiple clients, and some of them may call it excessively if nothing restricts them. To control how often a specific client can use the API within a set timeframe, you can use Rate Limiting.

Rate Limiting is like setting a speed limit on how many times someone can ask for something from a website or app in a certain amount of time. It means each person or device using the service can only ask for a certain number of things within a particular timeframe.

Why do we need Rate Limiting?

  • Rate Limiting is a useful tool for safeguarding against harmful bot attacks. Imagine a hacker sending bots to repeatedly request access to an API endpoint. This flood of requests can overwhelm the system, making it unavailable to legitimate users. This type of attack is called a Denial of Service (DoS) attack. Rate Limiting prevents it by controlling the rate of requests, ensuring fair access for everyone and protecting the service from being overwhelmed.
  • Another purpose of rate limiting is to control the flow of traffic to the API.

We can apply rate limiting using the following methods:

  • Using a Custom Middleware
  • Using the AspNetCoreRateLimit NuGet Package

This article uses the AspNetCoreRateLimit NuGet Package, which implements rate limits in ASP.NET Core, to demonstrate how to implement rate limiting.

Prerequisites

  • Visual Studio 2019 or Visual Studio 2022

Follow these steps to create the ASP.NET Web API using Visual Studio 2022.

Step 1

Open Visual Studio and click Create a new project.

Step 2

Select the ASP.NET Core Web Application project template and click Next.

Step 3

Enter RateLimit as the project name.

Step 4

Select .NET 6.0 and click Create.

Step 5

To enable Rate Limiting, install the AspNetCoreRateLimit NuGet Package.

The AspNetCoreRateLimit NuGet package lets you add rate limiting features directly into the ASP.NET Core pipeline. This package includes two main components: IpRateLimitMiddleware and ClientRateLimitMiddleware. The IpRateLimitMiddleware manages limits based on IP addresses, while the ClientRateLimitMiddleware handles limits based on client keys.

In this example, we'll use the IpRateLimitMiddleware to set limits based on IP addresses.

Step 6

Create an Employee controller in your application.

using Microsoft.AspNetCore.Mvc;
using RateLimit.Model;

namespace RateLimit.Controller
{
    [Route("employee")]
    [ApiController]
    public class EmployeeController : ControllerBase
    {
        // GET /employee/getAllEmployees (the endpoint the rate limit rule targets)
        [HttpGet("getAllEmployees")]
        [Produces("application/json")]
        [ProducesResponseType(StatusCodes.Status200OK)]
        public IEnumerable<Employee> GetAllEmployees()
        {
            return GetEmployeesDetails();
        }

        // GET /employee/getEmployeeById/{id} (not rate limited in this article)
        [HttpGet("getEmployeeById/{id}")]
        [Produces("application/json")]
        public Employee? GetEmployeeById(int id)
        {
            // Find returns null when no employee has the given id.
            return GetEmployeesDetails().Find(e => e.Id == id);
        }

        // Hard-coded sample data standing in for a real data source.
        private List<Employee> GetEmployeesDetails()
        {
            return new List<Employee>()
            {
                new Employee()
                {
                    Id = 1,
                    FirstName = "ABC",
                    LastName = "XYZ",
                    EmailId = "abc.xyz@gmail.com"
                },
                new Employee()
                {
                    Id = 2,
                    FirstName = "PQR",
                    LastName = "DEF",
                    EmailId = "pqr.def@gmail.com"
                }
            };
        }
    }
}
  

There are two endpoints in the employee API: one to retrieve information about all employees (getAllEmployees) and another to retrieve information about a specific employee (getEmployeeById). We're going to enforce rate limits on the getAllEmployees endpoint.

Step 7

To set up rate limiting with in-memory storage, include the following lines in the Program.cs file.

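using AspNetCoreRateLimit;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddRazorPages();
// Register MVC controllers so that EmployeeController is discovered.
builder.Services.AddControllers();
// The in-memory policy and counter stores are backed by IMemoryCache.
builder.Services.AddMemoryCache();

builder.Services.Configure<IpRateLimitOptions>(options =>
{
    // Apply rules per endpoint (verb + path) instead of globally.
    options.EnableEndpointRateLimiting = true;
    // Rejected requests do not count against the limit.
    options.StackBlockedRequests = false;
    // Status code returned once the limit is exceeded (429 Too Many Requests).
    options.HttpStatusCode = 429;
    // Header from which the client IP is read when present. Set this only when a
    // trusted reverse proxy overwrites the header: if clients can reach the app
    // directly, they choose its value and therefore the key they are counted under.
    options.RealIpHeader = "X-Real-IP";
    options.ClientIdHeader = "X-ClientId";
    options.GeneralRules = new List<RateLimitRule>
    {
        // At most 2 calls per 10 seconds, per IP, to GET /employee/getAllEmployees.
        new RateLimitRule
        {
            Endpoint = "GET:/employee/getAllEmployees",
            Period = "10s",
            Limit = 2,
        }
    };
});

// In-memory stores: counters live in this process only, so they reset on
// restart and are not shared between multiple instances of the application.
builder.Services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
builder.Services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
builder.Services.AddSingleton<IProcessingStrategy, AsyncKeyLockProcessingStrategy>();
builder.Services.AddInMemoryRateLimiting();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

// Run the limiter early so throttled requests are rejected before routing
// and authorization do any work.
app.UseIpRateLimiting();

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseAuthorization();

app.MapRazorPages();
// Map attribute-routed controllers; without this the employee endpoints are not reachable.
app.MapControllers();

app.Run();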
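
The article lists custom middleware as the other way to apply rate limiting but does not show it. The following is an added example, not code from the original article or from AspNetCoreRateLimit: a minimal fixed-window, per-IP limiter. The class name FixedWindowRateLimitMiddleware and the hard-coded limit, period and path are assumptions chosen to mirror the rule above.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example: fixed-window, per-IP limiter written as custom middleware.
public class FixedWindowRateLimitMiddleware
{
    // Assumed values mirroring the article's rule: 2 requests per 10 seconds.
    private const int Limit = 2;
    private static readonly TimeSpan Period = TimeSpan.FromSeconds(10);
    private const string LimitedPath = "/employee/getAllEmployees";

    private readonly RequestDelegate _next;
    // Client IP -> (start of current window, requests seen in it). Entries are
    // never evicted here; a production limiter needs an expiring store.
    private readonly ConcurrentDictionary<string, (DateTime Start, int Count)> _windows = new();

    public FixedWindowRateLimitMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        bool limited = HttpMethods.IsGet(context.Request.Method)
            && string.Equals(context.Request.Path.Value, LimitedPath,
                             StringComparison.OrdinalIgnoreCase);
        if (limited)
        {
            // Key on the socket address rather than a client-supplied header.
            string key = context.Connection.RemoteIpAddress?.ToString() ?? "unknown";
            DateTime now = DateTime.UtcNow;

            // Atomically start a new window or count this request in the current one.
            var window = _windows.AddOrUpdate(
                key,
                _ => (now, 1),
                (_, w) => now - w.Start >= Period ? (now, 1) : (w.Start, w.Count + 1));

            if (window.Count > Limit)
            {
                int retryAfter = (int)Math.Ceiling((window.Start + Period - now).TotalSeconds);
                context.Response.StatusCode = StatusCodes.Status429TooManyRequests;
                context.Response.Headers["Retry-After"] = retryAfter.ToString();
                await context.Response.WriteAsync("Rate limit exceeded. Try again later.");
                return;
            }
        }
        await _next(context);
    }
}
```

Register it in Program.cs with `app.UseMiddleware<FixedWindowRateLimitMiddleware>();` in place of `app.UseIpRateLimiting();`. Behind a reverse proxy, `RemoteIpAddress` is the proxy's address, so the forwarded client address has to be resolved from a trusted proxy before this middleware runs.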

  
