---
title: "API Gateway Throttling vs WAF DDOS Protection"
description: "A guide to the advantages of API Gateways over WAFs that goes beyond DDOS Prevention Rate Limiting (keeping the bad guys out) vs. API Gateway Quota Management (keeping the good guys well behaved)."
canonicalUrl: "https://zuplo.com/learning-center/api-gateway-throttling-vs-waf-ddos-protection"
pageType: "learning-center"
authors: "adrian"
tags: "API Gateway"
image: "https://zuplo.com/og?text=API%20Gateway%20Throttling%20vs%20WAF%20DDOS%20Protection"
---
A traffic surge can hit your API in the blink of an eye, resulting in a major
backend outage. One of the most common causes of surges is **not malicious
attacks**, but **accidental misuse**. For example, when a trusted partner or
customer inadvertently floods the system with valid traffic, often due to
programming errors like an unintended loop triggered by a `useEffect` hook in
React.

There are two types of tools that help protect your APIs - DDOS protection via
Web Application Firewalls (WAFs) and API Gateways. Although both can be used to
limit requests to your backend - they are not interchangeable, and it's
paramount to have both in place to secure your API - let's explore why.

## Defining WAF/DDOS Rate Limits

WAFs implement DDOS protection by applying rate-based rules that aggregate
requests by network-level properties (ex. IP address, headers, cookies, TLS
fingerprint) over a fixed interval (typically two minutes). Once the count
exceeds your defined threshold—say, 10,000 requests in two minutes - the WAF
flags or blocks further traffic from that source. These rules excel at dropping
high-volume malicious traffic but **they lack any concept of client identity or
downstream API semantics**.

## Defining API Gateway Throttles

API gateways enforce two complementary controls: _rate limiting_ for short-term
traffic management and _quotas_ for long-term usage tracking. The algorithm and
implementation details vary somewhat between gateways but a core feature of API
gateway throttling is the **ability to incorporate context about the caller and
request to create dynamic rate limits**.

## Granularity & Context

Unlike DDOS protection systems, API gateways can distinguish between a single
rogue script and a high-value partner by utilizing data in the request body, and
post-authentication properties.

With an API gateway, you can create limits per API key, per environment, or even
per method. In contrast, WAF rate-rules treat all traffic from an IP block the
same. If several users share one NAT’d address, one client’s spike can eclipse
the threshold and penalize everyone behind that IP.

### Zuplo's Fine-Grain & Programmable Rate Limiting

**Zuplo** offers a much more fine-grained and programmable approach to rate
limiting. Zuplo's programmable policy engine enables precise control, allowing
rate limiting at a highly detailed level — for instance, per user, per
organization, per department, or any other property visible in the request. This
is due to Zuplo handling authentication & authorization at the gateway level,
allowing it to incorporate context about the user at runtime.

Beyond just counting requests, Zuplo can rate limit based on _complex metrics_
such as:

- the number of items returned
- the amount of crypto burned on gas fees
- the number of tokens consumed in an AI transaction

or virtually any custom metric that the gateway can be informed about. Zuplo, as
a fully programmable platform, can reach into other systems and load that data
into the gateway for truly dynamic rate limiting. This is immensely powerful
when utilizing your API rate limits as part of your API product packaging (more
on this later).

## Long-term Quotas & API Tiers

Whether you are creating a one-off API for a partner, or monetizing your API
through tiered pricing - you will need to enforce a long-term (ex. monthly) cap
on the resources consumed by a customer. This is known as a quota, and it is
often enforced at the API gateway level.

WAFs simply are not built to incorporate and store context around requests for
more than just short sessions, which makes sense given their
security-orientation. API gateways often include quota policies to track request
counts over long time periods and enforce controls (ex. request blocking) when
thresholds are exceeded.

### Zuplo's Powerful Quota Enforcement

Zuplo takes quotas to the next-level by allowing you to quota on more than just
requests. You can use any of the complex metrics listed in the previous
section - or even have separate counters between your rate limiting and quotas
(ex. an image upload API that rate limits on requests, but quotas based on
storage consumption).

This granularity becomes especially powerful when **utilized alongside API
monetization** - allowing you to maintain and enforce different limits per
pricing tier (ex. Enterprise plans can have higher rate limits and quotas). Your
rate limits and quotas become a selling point rather than just a security
feature.

## Visibility & Analytics

API gateways provide dashboards that break down calls by client, endpoint,
response code, even geographic region. When combined with monitoring tools, you
can get alerts when individual customers approach 80 percent of their quota (a
strategic reach-out opportunity). WAF metrics show aggregate ‘allowed’ and
‘blocked’ counts per rule but rarely identify which API operation or developer
caused the flood.

## Why WAF-Based API Throttling Hits a Dead End

WAFs catch SQL injections, cross-site scripting, malformed bots and other attack
signatures at layer 7. They stop exploit traffic before it reaches your
backend - and are important to have. The problem is that they treat any
over-limit source as malicious, which makes traffic management near-impossible.

You can try to layer dozens of custom WAF rules in an attempt to mimic
per-client controls in API gateways, but soon enough, **ACL maintenance will
overwhelm your security team**. That doesn't even account for the other
limitations/overhead you'll run into:

- DDOS protection in WAFs will typically not inspect request bodies -
  constraining the properties you can rate limit on
- Duration threshold customization in DDOS protection is often very limited (ex.
  a burst-mode threshold with a configurable range of 1-5 seconds, and a regular
  threshold with a configurable range of 1-5 minutes)
- Having to manually generate user-level reports around usage and quota
  exhaustion
- Looping in the security team and redeploying your WAF to make minor tweaks to
  a single API's rate limits

An API gateway, by contrast, enforces throttling policies **without compromising
developer experience**. Zuplo's API gateway is a clear choice for implementing
rate limiting and quotas in APIs - with its programmable runtime allowing you to
have the highest degree of control over your traffic management and end-user
experience.

### Defense In Depth

![Defense in Depth](/media/posts/2025-05-01-api-gateway-throttling-vs-waf-ddos-protection/image-2.png)

DDOS protection & WAFs excel in preventing exploitation of API vulnerabilities
while API gateways specialize in governing sanctioned users of your API. Both
are a part of a strong 'Defense in Depth' strategy to ensure you're minimizing
vulnerabilities and downtime without sacrificing your API user experience.
That's why the partnership between Zuplo and Akamai is so powerful - you can
easily keep the bad guys out and the good guys well behaved!