Rate limiting lab
Configure the rate limiting contract
Production rule: Configure the runtime contract for a multi-tenant RAG answer API; no stage is complete until another operator can reproduce its evidence and reverse its risky action.
Before you start
Why this matters
In two minutes, write the user-visible outcome this page protects, one numerical threshold, and the first signal you expect to move. Then name an observation that would prove your initial theory wrong. Keep the answer beside your terminal; this lab rewards prediction before inspection rather than explanations invented after the graph changes.
1Learn the idea
Read
Lab target
You own a multi-tenant RAG answer API at POST /v1/answers. The goal is to protect shared model and vector-search capacity without punishing normal interactive users. The measurable target is a 60 requests/minute user bucket with a burst of 10, a 1,200 requests/minute tenant ceiling, and a 4,000 requests/minute global guard; rejected requests return HTTP 429 in under 25 ms with Retry-After. The known production tension is strict per-user fairness prevents a noisy neighbor but can block legitimate batch imports; local fallback buckets improve availability but permit bounded overshoot during Redis partitions.
Read
Build a reproducible environment
The contract for Rate limiting must survive a clean checkout. Pin tool and image versions, provide sample inputs, and fail startup on malformed configuration. The service boundary is POST /v1/answers on a multi-tenant RAG answer API. Before starting dependencies, list required ports, identities, secrets, storage, and cleanup steps. Use synthetic credentials and redacted fixtures; production tokens do not make a staging lab more realistic.
Create the configuration as a reviewed artifact:
limits:
user: { rate_per_minute: 60, burst: 10 }
tenant: { rate_per_minute: 1200, burst: 100 }
global: { rate_per_minute: 4000, burst: 250 }
backend:
redis_timeout_ms: 40
on_timeout: local_bucket
response:
status: 429
retry_after: true
For every field, document type, valid range, default, reload behavior, and failure behavior. Numbers are incomplete without units. A timeout of 40 could mean milliseconds or seconds; a ratio of 0.005 could be a fraction or percentage. Reject unknown keys so a typo cannot silently select a permissive default. If live reload is supported, expose a configuration revision in telemetry and keep the previous valid revision for rollback.
Read
Verify interfaces and state
Run the setup workflow:
docker compose up -d redis api
redis-cli -u redis://localhost:6379 PING
curl -fsS http://localhost:8080/internal/limits | jq .
The expected result is not merely exit code zero. Confirm the process identity, dependency reachability, effective configuration, and one health or introspection response. Then restart the component and prove durable state remains correct. Run the setup twice to expose non-idempotent creation, conflicting ports, or duplicate policy entries. Capture the exact versions in the evidence bundle.
The production objective remains a 60 requests/minute user bucket with a burst of 10, a 1,200 requests/minute tenant ceiling, and a 4,000 requests/minute global guard; rejected requests return HTTP 429 in under 25 ms with Retry-After. Therefore setup must expose rate_limit_decisions_total{scope,outcome}, rate_limit_redis_seconds, http_requests_total{status="429"}, and allowed request p95 latency before meaningful traffic arrives. Query each metric by its stable labels and verify an idle system is distinguishable from a broken scraper. Generate one event and check that the relevant counter changes by exactly one. Reject high-cardinality labels and ensure sensitive configuration values are redacted from startup logs.
Read
Contract review and rollback
Model a bad configuration: remove one required field, set one threshold just outside its range, and reference an unavailable dependency. Each case should fail predictably, explain the field, and avoid partial state. Next, apply the previous good revision and time recovery. A rollback that requires undocumented shell history is not a rollback plan.
The central design tension is strict per-user fairness prevents a noisy neighbor but can block legitimate batch imports; local fallback buckets improve availability but permit bounded overshoot during Redis partitions. Record the chosen default, its operational owner, and a date for reevaluation. Complete setup only after a teammate can run it from the repository instructions, produce the same effective configuration, and cleanly tear it down without affecting shared environments.