A traffic surge can hit your API in the blink of an eye, resulting in a major
backend outage. One of the most common causes of surges is not malicious
attacks, but accidental misuse. For example, when a trusted partner or
customer inadvertently floods the system with valid traffic, often due to
programming errors like an unintended loop triggered by a useEffect hook in
React.
There are two types of tools that help protect your APIs - DDOS protection via Web Application Firewalls (WAFs) and API Gateways. Although both can be used to limit requests to your backend - they are not interchangeable, and it's paramount to have both in place to secure your API - let's explore why.
Defining WAF/DDOS Rate Limits
WAFs implement DDOS protection by applying rate-based rules that aggregate requests by network-level properties (ex. IP address, headers, cookies, TLS fingerprint) over a fixed interval (typically two minutes). Once the count exceeds your defined threshold—say, 10,000 requests in two minutes - the WAF flags or blocks further traffic from that source. These rules excel at dropping high-volume malicious traffic but they lack any concept of client identity or downstream API semantics.
Defining API Gateway Throttles
API gateways enforce two complementary controls: rate limiting for short-term traffic management and quotas for long-term usage tracking. The algorithm and implementation details vary somewhat between gateways but a core feature of API gateway throttling is the ability to incorporate context about the caller and request to create dynamic rate limits.
Granularity & Context
Unlike DDOS protection systems, API gateways can distinguish between a single rogue script and a high-value partner by utilizing data in the request body, and post-authentication properties.
With an API gateway, you can create limits per API key, per environment, or even per method. In contrast, WAF rate-rules treat all traffic from an IP block the same. If several users share one NAT’d address, one client’s spike can eclipse the threshold and penalize everyone behind that IP.
Zuplo's Fine-Grain & Programmable Rate Limiting
Zuplo offers a much more fine-grained and programmable approach to rate limiting. Zuplo's programmable policy engine enables precise control, allowing rate limiting at a highly detailed level — for instance, per user, per organization, per department, or any other property visible in the request. This is due to Zuplo handling authentication & authorization at the gateway level, allowing it to incorporate context about the user at runtime.
Beyond just counting requests, Zuplo can rate limit based on complex metrics such as:
- the number of items returned
- the amount of crypto burned on gas fees
- the number of tokens consumed in an AI transaction
or virtually any custom metric that the gateway can be informed about. Zuplo, as a fully programmable platform, can reach into other systems and load that data into the gateway for truly dynamic rate limiting. This is immensely powerful when utilizing your API rate limits as part of your API product packaging (more on this later).
Long-term Quotas & API Tiers
Whether you are creating a one-off API for a partner, or monetizing your API through tiered pricing - you will need to enforce a long-term (ex. monthly) cap on the resources consumed by a customer. This is known as a quota, and it is often enforced at the API gateway level.
WAFs simply are not built to incorporate and store context around requests for more than just short sessions, which makes sense given their security-orientation. API gateways often include quota policies to track request counts over long time periods and enforce controls (ex. request blocking) when thresholds are exceeded.
Zuplo's Powerful Quota Enforcement
Zuplo takes quotas to the next-level by allowing you to quota on more than just requests. You can use any of the complex metrics listed in the previous section - or even have separate counters between your rate limiting and quotas (ex. an image upload API that rate limits on requests, but quotas based on storage consumption).
This granularity becomes especially powerful when utilized alongside API monetization - allowing you to maintain and enforce different limits per pricing tier (ex. Enterprise plans can have higher rate limits and quotas). Your rate limits and quotas become a selling point rather than just a security feature.
Visibility & Analytics
API gateways provide dashboards that break down calls by client, endpoint, response code, even geographic region. When combined with monitoring tools, you can get alerts when individual customers approach 80 percent of their quota (a strategic reach-out opportunity). WAF metrics show aggregate ‘allowed’ and ‘blocked’ counts per rule but rarely identify which API operation or developer caused the flood.
Why WAF-Based API Throttling Hits a Dead End
WAFs catch SQL injections, cross-site scripting, malformed bots and other attack signatures at layer 7. They stop exploit traffic before it reaches your backend - and are important to have. The problem is that they treat any over-limit source as malicious, which makes traffic management near-impossible.
You can try to layer dozens of custom WAF rules in an attempt to mimic per-client controls in API gateways, but soon enough, ACL maintenance will overwhelm your security team. That doesn't even account for the other limitations/overhead you'll run into:
- DDOS protection in WAFs will typically not inspect request bodies - constraining the properties you can rate limit on
- Duration threshold customization in DDOS protection is often very limited (ex. a burst-mode threshold with a configurable range of 1-5 seconds, and a regular threshold with a configurable range of 1-5 minutes)
- Having to manually generate user-level reports around usage and quota exhaustion
- Looping in the security team and redeploying your WAF to make minor tweaks to a single API's rate limits
An API gateway, by contrast, enforces throttling policies without compromising developer experience. Zuplo's API gateway is a clear choice for implementing rate limiting and quotas in APIs - with its programmable runtime allowing you to have the highest degree of control over your traffic management and end-user experience.
Defense In Depth
DDOS protection & WAFs excel in preventing exploitation of API vulnerabilities while API gateways specialize in governing sanctioned users of your API. Both are a part of a strong 'Defense in Depth' strategy to ensure you're minimizing vulnerabilities and downtime without sacrificing your API user experience. That's why the partnership between Zuplo and Akamai is so powerful - you can easily keep the bad guys out and the good guys well behaved!
