
Create a separate rate limit for unauthenticated API traffic

Our current rate limits allow for setting:

  • Unauthenticated traffic (both web and api)
  • Authenticated api
  • Authenticated web

We cannot currently lower the unauthenticated API limit because it includes both web and API. Because of this, it will be difficult for us to tune our authenticated API rate limit as we are proposing in !65334 (closed).

Rate limiting is currently our best tool to prevent a single noisy neighbor from impacting performance, especially on storage shards, as it was with gitlab-com/gl-infra/production#5037 (closed) and https://gitlab.com/gitlab-com/gl-infra/production/-/issues/5031.

There should also be very little need to use the API anonymously, and by isolating it as a separate rate limit, we can set it much lower than the current authenticated API limit.

Our current limit for all unauthenticated traffic is 500 req/min, which includes the unauthenticated API.
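
A sketch of the proposed split, added here as an illustration and not GitLab's own code: each request is classified into one of four buckets and counted in a fixed one-minute window per client, so the unauthenticated API budget can be lowered without touching unauthenticated web traffic. The `/api/` path test, the 100 req/min API value, the authenticated limits and the sample IP are assumptions; only 500 req/min comes from the issue.

```ruby
PERIOD = 60 # seconds per window (limits are per minute)

LIMITS = {
  unauthenticated_api: 100,  # assumed lower value; the issue names no number
  unauthenticated_web: 500,  # current shared unauthenticated limit from the issue
  authenticated_api:   2000, # constructed placeholder
  authenticated_web:   2000  # constructed placeholder
}.freeze

Request = Struct.new(:ip, :path, :user_id)

# Map a request to its bucket. Treating any path under /api/ as API
# traffic is an assumption made for this example.
def traffic_class(req)
  auth = req.user_id.nil? ? 'unauthenticated' : 'authenticated'
  kind = req.path.start_with?('/api/') ? 'api' : 'web'
  :"#{auth}_#{kind}"
end

class Throttle
  def initialize(limits, period)
    @limits = limits
    @period = period
    @counters = Hash.new(0)
  end

  # Count the request and return true while the client is within the
  # limit for its bucket in the current window.
  def allow?(req, now)
    klass = traffic_class(req)
    client = req.user_id || req.ip # anonymous clients are keyed by IP
    key = [klass, client, now.to_i / @period]
    @counters[key] += 1
    @counters[key] <= @limits.fetch(klass)
  end
end

# One anonymous client sends 150 API and 150 web requests in the same
# minute, then one more API request in the next minute.
def simulate
  throttle = Throttle.new(LIMITS, PERIOD)
  now = 1_700_000_000                                        # constructed timestamp
  api = Request.new('203.0.113.7', '/api/v4/projects', nil)  # constructed request
  web = Request.new('203.0.113.7', '/explore', nil)          # constructed request
  {
    api_allowed: 150.times.count { throttle.allow?(api, now) },
    web_allowed: 150.times.count { throttle.allow?(web, now) },
    api_next_window: throttle.allow?(api, now + PERIOD)
  }
end
```
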