Rate Limiting & Throttling in Azure API Management (APIM)
Introduction
Rate limiting and throttling in Azure API Management (APIM) protect your APIs from abuse, overuse, and unexpected traffic spikes. These policies improve reliability and prevent backend overload.
Rate Limiting in APIM
- Restricts the number of API calls a consumer can make within a defined time window.
- Blocks requests immediately when the limit is exceeded.
Example: 100 requests per minute per subscription.
Throttling in APIM
- Controls traffic bursts by slowing down or rejecting requests when thresholds are crossed.
- Helps protect backend systems and maintain stability.
Rate Limiting vs Throttling – Key Differences
| Aspect | Rate Limiting | Throttling |
|---|---|---|
| Purpose | Limit total requests | Control traffic bursts |
| Behavior | Blocks immediately | Gradual restriction |
| Use Case | Prevent abuse | Protect backend |
APIM Rate Limiting Policy Example
    <inbound>
        <base />
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Subscription.Id)" />
    </inbound>
APIM Throttling Policy Example
    <inbound>
        <base />
        <quota-by-key calls="1000"
                      renewal-period="3600"
                      counter-key="@(context.Subscription.Id)" />
    </inbound>
Common Use Cases
- Protect Azure Functions from overload
- Prevent DDoS-like abuse
- Enforce fair usage per client
- Different limits for free vs paid users
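Tiered Policy Example (added)
The policy below is an added example, not part of the original article. It combines the two policies above to give free and paid users different limits. The product names "Free" and "Premium" and the Premium numbers are assumptions; the Free numbers are the ones used on this page.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Paid tier ("Premium" is a hypothetical product name; values constructed). -->
            <when condition="@(context.Product?.Name == &quot;Premium&quot;)">
                <!-- Short window: caps bursts. Exceeding it returns 429 Too Many Requests. -->
                <rate-limit-by-key calls="1000"
                                   renewal-period="60"
                                   counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
                <!-- Long window: caps total volume. Exceeding it returns 403 Forbidden. -->
                <quota-by-key calls="10000"
                              renewal-period="3600"
                              counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
            </when>
            <!-- Free tier and any unrecognised product get the stricter limits from this page. -->
            <otherwise>
                <rate-limit-by-key calls="100"
                                   renewal-period="60"
                                   counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
                <quota-by-key calls="1000"
                              renewal-period="3600"
                              counter-key="@(context.Subscription?.Id ?? context.Request.IpAddress)" />
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The counter key uses `?.` and falls back to the caller's IP address because `context.Subscription` is null when an API does not require a subscription key, in which case `context.Subscription.Id` fails to evaluate. At the Free tier values, a client sending the full 100 calls per minute uses up the 1000-call hourly quota in 10 minutes and is then refused until the hour renews.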




