State of the Art

• Use Sprine Cloud Gateway (opens in a new tab) + Bucket4j + Redis

  Benefits:

  • Distributed rate limiting

Rate Limit (server)

• Use cases

  • Prevent DDoS attacks
  • Ensure all users can access fairly
  • Enforce access limit for users of different pricing levels

• Strategies

  • Token bucket (opens in a new tab)

  • Leaky bucket (opens in a new tab)

• Implementations

  • Spring Cloud Gateway

    • Spring blog - API Rate Limiting with Spring Cloud Gateway (opens in a new tab)

      Code - Haybu/blog-spring-cloud-gateway (opens in a new tab)

  • Bucket4j

    • Bucket4j 8.15.0 Reference (opens in a new tab)
    • GitHub - MarcGiffing/bucket4j-spring-boot-starter (opens in a new tab)

  • Redis

    • Redis Rate Limiting
    • Redis - Dev Hub - How to build a Rate Limiter using Redis (opens in a new tab)

Load Balancing

Load Balancing (client)

• Spring Cloud Commons - Spring Cloud Load Balancer (opens in a new tab)

Circuit Breaker (client)

Circuit Breaker - Spring Cloud Circuit Breaker (opens in a new tab)

Retry (client)

Resilience4j

Retry ( CircuitBreaker ( RateLimiter ( TimeLimiter ( Bulkhead ( Function ) ) ) ) )

Resilience4j - Circuit Breaker

• Gist

  For the first minimum-number-of-calls requests, the circuit breaker does not calculate the failure rate and will allow all actions to proceed.

  Once the minimum-number-of-calls is reached, if it's count-based, the circuit breaker will calculate the failure-rate (number-of-calls / sliding-window-size) and if it is above the failure-rate-threshold, it will open the circuit.

  When the circuit breaker is in the open state, all calls are rejected during wait-duration-in-open-state, and the circuit breaker throws a CallNotPermittedException.

  Once wait-duration-in-open-state expires, the circuit breaker changes to the half-open state and allows permitted-number-of-calls-in-half-open-state to see if the service is still unavailable.

  In the half-open state, the circuit breaker uses another configurable ring bit buffer to evaluate the failure rate. If this new failure rate is above the permitted-number-of-calls-in-half-open-state, the circuit breaker changes back to open; otherwise, it changes back to closed.

• The circuit breaker pattern is implemented on the consumer (caller), to avoid overwhelming a service which may be struggling to handle calls.

• minimumNumberOfCalls should be >= permittedNumberOfCallsInHalfOpenState

• Resources

  • Afraid you don't understand Reslience4j state changes: Read this missing manual on Ring Bit Buffer – Home (opens in a new tab)

Circuit Breaker - Debug state transition

• Spring Boot Actuator

  Use /actuator/circuitbreakerevents or CircuitBreakerEventsEndpoint.getAllCircuitBreakerEvents() to get all circuit breaker events.

Bulkhead

The bulkhead pattern is implemented on the service (callee), to prevent a failure during the handling of a single incoming call impacting the handling of other incoming calls.