dkduckkit.dev

Kong rate-limiting plugin

Rate Limiting

The Kong rate-limiting plugin enforces request quotas on routes and services. It supports multiple counting granularities (second, minute, hour, day, month, year), multiple policy backends (local in-process counter, Redis for distributed enforcement, cluster for Kong's native storage), and multiple consumer identification strategies (IP, consumer ID, credential). For distributed deployments, Redis policy ensures consistent counts across all Kong nodes.

Formula

Minimal YAML (note that consumer is a limit_by value, not a policy; policy selects the counter backend):

plugins:
  - name: rate-limiting
    config:
      second: 10
      minute: 500
      limit_by: consumer                    # key the counter on consumer, credential, ip, ...
      policy: redis                         # local | cluster | redis; redis shares one counter across nodes
      redis_host: REDIS_HOST_PLACEHOLDER    # replace with your Redis host
      fault_tolerant: true
      hide_client_headers: false

Why it matters in practice

Kong is widely deployed as an API gateway in Kubernetes environments (via the Kong Ingress Controller, KIC). The fault_tolerant: true setting is critical for production: it tells the plugin to let requests through when the rate-limiting storage (Redis) is unreachable, rather than failing all traffic. hide_client_headers: false keeps the quota headers in responses, so clients can see how much of their limit remains and throttle themselves before they are cut off.
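The client-side throttling mentioned above, as an added example (not Kong's own code): it reads the quota headers Kong emits when hide_client_headers is false and decides how long to wait before the next request. It assumes Kong's documented header names (X-RateLimit-Limit-<window>, X-RateLimit-Remaining-<window>, RateLimit-Reset and, on a 429, Retry-After); the header dicts in the block are constructed samples, not captured responses.

```python
"""Proactive client-side throttling driven by Kong rate-limiting headers.

Added example, not part of Kong. Assumes the plugin runs with
hide_client_headers: false so the quota headers below are present.
"""
import math

WINDOWS = ("second", "minute", "hour", "day", "month", "year")

# Constructed sample responses (not captured from a real gateway).
SAMPLE_OK = (200, {"X-RateLimit-Limit-Minute": "500",
                   "X-RateLimit-Remaining-Minute": "300",
                   "RateLimit-Reset": "12"})
SAMPLE_NEARLY_EXHAUSTED = (200, {"X-RateLimit-Limit-Minute": "500",
                                 "X-RateLimit-Remaining-Minute": "40",
                                 "RateLimit-Reset": "12"})
SAMPLE_LIMITED = (429, {"Retry-After": "7", "RateLimit-Reset": "7"})


def remaining_by_window(headers):
    """Collect X-RateLimit-Remaining-<Window> values into {window: remaining}."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = {}
    for w in WINDOWS:
        value = lower.get(f"x-ratelimit-remaining-{w}")
        if value is not None:
            out[w] = int(value)
    return out


def backoff_seconds(status, headers, reserve=0.1):
    """Seconds the client should wait before sending the next request.

    - On 429, honour Retry-After and fall back to RateLimit-Reset.
    - Otherwise, if the remaining quota in any window has dropped to
      `reserve` (a fraction of that window's limit) or below, wait until
      RateLimit-Reset so the client never actually trips the limit.
    - Else send immediately (0).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        return int(lower.get("retry-after", lower.get("ratelimit-reset", 1)))
    reset = int(lower.get("ratelimit-reset", 0))
    for window, remaining in remaining_by_window(headers).items():
        limit = int(lower.get(f"x-ratelimit-limit-{window}", 0))
        if limit and remaining <= math.floor(limit * reserve):
            return reset
    return 0


if __name__ == "__main__":
    for status, hdrs in (SAMPLE_OK, SAMPLE_NEARLY_EXHAUSTED, SAMPLE_LIMITED):
        print(status, "-> wait", backoff_seconds(status, hdrs), "s")
```

The reserve fraction is the design knob: holding back the last 10% of each window means a burst from a second client sharing the same consumer key is absorbed by the client's own pause rather than by a 429 from the gateway.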

Common mistakes

  • Using policy: local in multi-node deployments — each node tracks its own counter, effectively multiplying the limit by the number of Kong nodes.
  • Not setting fault_tolerant: true — if Redis becomes unavailable, Kong will block all requests instead of allowing them through.
  • Using hide_client_headers: true — clients cannot see their remaining quota and will hit rate limits unexpectedly.
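A small pre-deployment check for the minimal YAML and the three mistakes above, as an added example (not Kong's own tooling): it lints a rate-limiting plugin entry as parsed from declarative config (a dict, so no YAML library is needed) and flags an invalid policy such as "consumer", a local policy in a multi-node deployment, a missing Redis host, fault_tolerant not set to true, and hidden client headers. The valid value sets and the "shorter window must not exceed longer window" rule follow Kong's documented plugin schema; the SAMPLE_* entries are constructed, and the Redis host in them is a placeholder.

```python
"""Lint a parsed Kong rate-limiting plugin entry for common misconfigurations.

Added example, not part of Kong. `plugin` is the plugin entry as parsed
from declarative YAML. Value sets follow Kong's documented schema.
"""

VALID_POLICIES = {"local", "cluster", "redis"}
VALID_LIMIT_BY = {"consumer", "credential", "ip", "service", "header", "path"}
WINDOWS = ("second", "minute", "hour", "day", "month", "year")

# Constructed samples. SAMPLE_BAD mirrors the uncorrected page snippet.
SAMPLE_GOOD = {"name": "rate-limiting", "config": {
    "second": 10, "minute": 500, "limit_by": "consumer", "policy": "redis",
    "redis_host": "REDIS_HOST_PLACEHOLDER",  # placeholder, not a real host
    "fault_tolerant": True, "hide_client_headers": False}}
SAMPLE_BAD = {"name": "rate-limiting", "config": {
    "second": 10, "minute": 500, "policy": "consumer",
    "fault_tolerant": False, "hide_client_headers": True}}


def lint_rate_limiting(plugin, multi_node=True):
    """Return a list of (severity, message); an empty list means clean."""
    findings = []
    if plugin.get("name") != "rate-limiting":
        return [("error", "not a rate-limiting plugin entry")]
    cfg = plugin.get("config") or {}

    # At least one window must carry a limit, and limits must not shrink
    # as the window grows (Kong rejects e.g. minute: 10 with second: 20).
    limits = [(w, cfg[w]) for w in WINDOWS if cfg.get(w) is not None]
    if not limits:
        findings.append(("error", "no limit set; need one of " + ", ".join(WINDOWS)))
    for (w1, l1), (w2, l2) in zip(limits, limits[1:]):
        if l2 < l1:
            findings.append(("error", f"{w2} limit {l2} is below {w1} limit {l1}"))

    policy = cfg.get("policy", "local")  # Kong's default is local
    if policy not in VALID_POLICIES:
        findings.append(("error", f"policy '{policy}' is invalid "
                                  "(valid: local, cluster, redis); did you mean limit_by?"))
    elif policy == "local" and multi_node:
        findings.append(("warn", "policy 'local' counts per node; the effective "
                                 "limit is multiplied by the number of Kong nodes"))
    elif policy == "redis":
        redis_host = cfg.get("redis_host") or (cfg.get("redis") or {}).get("host")
        if not redis_host:
            findings.append(("error", "policy 'redis' but no Redis host configured"))

    limit_by = cfg.get("limit_by", "consumer")
    if limit_by not in VALID_LIMIT_BY:
        findings.append(("error", f"limit_by '{limit_by}' is invalid"))

    if cfg.get("fault_tolerant") is not True:
        findings.append(("warn", "fault_tolerant is not true; a storage outage "
                                 "will fail every request instead of letting it through"))
    if cfg.get("hide_client_headers") is True:
        findings.append(("warn", "hide_client_headers is true; clients cannot "
                                 "see their remaining quota"))
    return findings


if __name__ == "__main__":
    for label, entry in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint_rate_limiting(entry))
```

Running this against the page's original snippet reports the invalid policy value first; the two warnings for fault_tolerant and hide_client_headers are the remaining items from the list above. Pass multi_node=False for a single-node lab setup where a local counter is acceptable.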