Handling 600 Requests/Min: IP Rate Limiting with AWS WAF & ALB

Learn how to set up IP rate limiting with AWS WAF & ALB to keep your app fast and secure.

This post walks you through setting up IP-based rate limiting in AWS WAF to control high-traffic requests to a service URL served by an AWS Application Load Balancer.

What is Rate Limiting?

Rate limiting is a crucial mechanism for blocking excessive API calls, mitigating brute-force and DDoS attacks, and ensuring fair usage of resources. In AWS, when an application is behind an Application Load Balancer (ALB), one of the best ways to enforce rate limits is with AWS Web Application Firewall (AWS WAF), which counts requests per source IP and blocks an IP once it exceeds the configured limit.

Architecture:

How to implement IP rate limiting on the application's URL?

Step 1: Create an AWS WAF WebACL

Step 2: Create a rate-based rule and configure a custom response code (HTTP 429) to be returned when the rate limit is exceeded.

Step 3: Attach the Web ACL to the Application Load Balancer.

Step 4: Use hey (the load-testing tool) to send multiple requests and confirm the rate limit. In the run below every one of the 60 responses is a 429, showing that the source IP is being blocked.

root@hari-ubuntu:/home/hari# ~/go/bin/hey -n 60 -c 10 https://<url>
Summary:
  Total:	3.0492 secs
  Slowest:	1.0015 secs
  Fastest:	0.2637 secs
  Average:	0.5081 secs
  Requests/sec:	19.6775

Response time histogram:
  0.264 [1]	|■■
  0.338 [24]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.411 [15]	|■■■■■■■■■■■■■■■■■■■■■■■■■
  0.485 [0]	|
  0.559 [0]	|
  0.633 [0]	|
  0.706 [0]	|
  0.780 [10]	|■■■■■■■■■■■■■■■■■
  0.854 [0]	|
  0.928 [0]	|
  1.001 [10]	|■■■■■■■■■■■■■■■■■


Latency distribution:
  10% in 0.2794 secs
  25% in 0.3085 secs
  50% in 0.4053 secs
  75% in 0.7188 secs
  90% in 1.0011 secs
  95% in 1.0013 secs
  0% in 0.0000 secs

Details (average, fastest, slowest):
  DNS+dialup:	0.1173 secs, 0.2637 secs, 1.0015 secs
  DNS-lookup:	0.0020 secs, 0.0000 secs, 0.0121 secs
  req write:	0.0000 secs, 0.0000 secs, 0.0009 secs
  resp wait:	0.3906 secs, 0.2636 secs, 0.7187 secs
  resp read:	0.0001 secs, 0.0000 secs, 0.0004 secs

Status code distribution:
  [429]	60 responses

root@hari-ubuntu:/home/hari# 
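The four steps above, driven from the AWS CLI instead of the console. This is an added example and not the post's own commands; the Web ACL name, rule name, region, ALB ARN and the choice of 600 requests per 60-second window are assumptions (AWS WAF's default evaluation window is 300 seconds, and EvaluationWindowSec must be one of 60, 120, 300 or 600). The script only calls `aws` when APPLY=1, so the JSON builder and the hey-output check can be exercised offline.

```shell
#!/bin/sh
# Added example: build the AWS WAF rate-based rule with a custom 429 response,
# optionally create the Web ACL and attach it to an ALB, then check hey's output.
set -eu

# Emit the rule list for `aws wafv2 create-web-acl --rules`.
# $1 = rule name, $2 = request limit per window, $3 = window length in seconds
rate_rule_json() {
  cat <<EOF
[
  {
    "Name": "$1",
    "Priority": 0,
    "Statement": {
      "RateBasedStatement": {
        "Limit": $2,
        "EvaluationWindowSec": $3,
        "AggregateKeyType": "IP"
      }
    },
    "Action": {
      "Block": {
        "CustomResponse": { "ResponseCode": 429 }
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "$1"
    }
  }
]
EOF
}

# Read hey's output on stdin and print how many responses were HTTP 429
# (0 if the status code distribution has no [429] line), so Step 4 can be
# verified mechanically: a run that is all 429s means the IP is being blocked.
count_429() {
  awk '/\[429\]/ { n = $2 } END { print n + 0 }'
}

# Assumed values; replace with your own (placeholders, not real identifiers).
REGION="${REGION:-us-east-1}"
ALB_ARN="${ALB_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER/PLACEHOLDER}"
URL="${URL:-https://example.invalid/}"

if [ "${APPLY:-0}" = "1" ]; then
  # Steps 1 and 2: Web ACL with a single rate-based rule, 600 requests per minute per IP.
  rate_rule_json ip-rate-limit 600 60 > /tmp/rules.json
  WEB_ACL_ARN=$(aws wafv2 create-web-acl \
    --name app-rate-limit --scope REGIONAL --region "$REGION" \
    --default-action Allow={} --rules file:///tmp/rules.json \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=app-rate-limit \
    --query 'Summary.ARN' --output text)

  # Step 3: associate the Web ACL with the Application Load Balancer.
  aws wafv2 associate-web-acl --region "$REGION" \
    --web-acl-arn "$WEB_ACL_ARN" --resource-arn "$ALB_ARN"

  # Step 4: load test and count the 429s (hey prints its summary to stdout).
  echo "429 responses: $(~/go/bin/hey -n 60 -c 10 "$URL" | count_429)"
fi
```

Because a rate-based rule keeps counting after the block starts, a second hey run from the same IP within the window can return nothing but 429s, as in the output above; wait out the evaluation window before re-testing from that address.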


Conclusion

By setting up AWS WAF with a rate-based rule for our app URL, we were able to block excessive traffic per source IP, mitigate brute-force and DDoS attacks, and improve the security of our application. This solution is scalable, cost-effective, and integrates seamlessly with AWS Load Balancers. Two points to keep in mind: the rule counts requests per source IP, so clients sharing one address behind a NAT or proxy share one limit, and enforcement lags the traffic slightly because WAF blocks only after its count for the evaluation window crosses the limit.


EzyInfra.dev – Expert DevOps & Infrastructure consulting! We help you set up, optimize, and manage cloud (AWS, GCP) and Kubernetes infrastructure—efficiently and cost-effectively. Need a strategy? Get a free consultation now!
