Rate Limiter — system design by AgileViper46

Consistency model is not defined beyond a preference for availability

Have you considered what happens when rate-limit state is replicated or partitioned across nodes? Saying 'availability >> consistency' is not enough by itself: is the limiter allowed to over-admit briefly, under-admit briefly, or must decisions for a single user be linearizable? Without stating the acceptable inconsistency window, the runtime behavior under node failure or cross-node races is ambiguous.

Latency target is not broken down by decision path

Have you considered what happens when the request needs both a limit check and a runtime config lookup for an admin-updated algorithm? A p99 < 100ms target is reasonable, but it is too coarse unless you define whether this is end-to-end added latency from the limiter, the internal decision time only, and whether the target still holds during config propagation or backend degradation.

Availability target is not connected to failure scenarios

What happens when the backing store for counters or configuration is unavailable? You mention 99.99% availability and configurable fail-open/fail-close, but the NFRs do not spell out which mode applies in which scenario or what error budget is acceptable for each. For example, fail-open protects availability but can violate enforcement; fail-close preserves enforcement but can reject healthy traffic.

Relationships between rules, clients, and counters are underspecified

Have you considered how a request resolves from Client to the applicable Rule and then to the specific Limit being consumed? Right now it is unclear whether Limits are per client, per client+API, or per client+rule. Without that relationship, the system can apply the wrong quota or merge unrelated traffic into the same bucket.

Requests is too vague as a core entity for the happy path

What happens when the same client calls multiple APIs with different policies? A generic Requests entity does not show the domain key used for enforcement, such as an API/resource identifier tied to the request. Without explicitly connecting request context to Rules, per-API rate limiting from the requirements is not fully represented.

Capacity math stops at a single Redis memory estimate

Have you considered the full chain from the stated assumptions to infrastructure sizing? You estimated Redis memory for counters, but there is no back-of-envelope path from 50K RPS and 100K unique clients to expected reads/writes per request, network throughput, peak concurrency, or how many application instances are needed. At senior level, I would expect at least a rough DAU/client -> request rate -> Redis ops/sec -> memory/bandwidth chain.

Redis sizing is not justified against peak load

What happens when traffic spikes above the average 50K RPS or when rate limiting requires multiple Redis operations per request? Saying '2 Redis servers at 25K RPS each' is not enough to show the system is comfortable at this load, because there is no reasoning about per-node throughput, headroom, replication overhead, or whether the chosen algorithm needs 1, 2, or more commands per request. Without that, the node count feels arbitrary.

No capacity impact for runtime config changes

Have you considered what happens when admins change rate-limit logic or algorithm at runtime? That requirement can introduce config fanout, cache invalidation, and potentially a surge of misses or recomputation across the fleet. The capacity section does not estimate how often config is read, whether it is cached, or what load hits the backing store when rules change.

gRPC response mixes HTTP semantics without a clear contract

Have you considered what the client actually receives on the gRPC rateLimit call? The design says the RPC returns '200 ok or 429' plus headers, but in gRPC those are not modeled the same way as REST responses. Without defining whether throttling is represented as a normal response payload, gRPC status, or response metadata/trailers, different clients may handle denials inconsistently. You could improve this by defining an explicit protobuf response shape such as {allowed, limit, remaining, resetAt, retryAfterSec} and, if needed, mapping that to HTTP headers only at an API gateway boundary.

Core decision API is underspecified for rule selection

Have you considered how the rateLimit API determines which rule applies when multiple dimensions matter? The request only says clientId and requestInfo(url, endpoint etc), but the rule object includes method and path. Without a precise request schema for method, normalized path or route key, and possibly API identifier, the service contract is ambiguous and clients may send inconsistent values that lead to incorrect enforcement. You could improve this by defining exact request fields and matching semantics.

No clear error contract for admin APIs

What happens when an admin submits an invalid rule, references a missing rule-id, or tries to switch to an unsupported algorithm? The routes are listed, but there is no status-code or error-body contract. Without this, clients cannot reliably distinguish validation failures from transient server errors or know whether a retry is safe. You could improve this by specifying standard responses like 400 for invalid rule definitions, 404 for unknown rule IDs, 409 for conflicting updates, and a consistent error payload.

Redis appears to be the primary bottleneck and possible SPOF

What happens when one Redis node fails or gets overloaded? The design says two Redis servers serving ~25K RPS each, but it does not explain sharding, replication, or failover behavior. Without a clear partitioning and redundancy model, one hot shard or one node loss could either drop capacity sharply or make rate-limit decisions unavailable for part of the traffic.

Rule changes may become inconsistent across rate limiter instances

Have you considered what happens if one rate limiter instance misses an etcd watch event, restarts, or lags behind others during a rule update? Some instances could enforce old limits while others enforce new ones. For a runtime-configurable limiter, you would want a clear resync/versioning strategy so instances can detect stale local state and reload rules safely.

Client metadata lookup path is under-specified for the hot path

What happens when the rate limiter needs client properties like free/premium and the Client Metadata Cache misses? The diagram implies a read-through/write-through path to Postgres, but if request-time decisions fall back to Postgres, latency and availability could degrade quickly under load. This path needs a clear strategy for cache warmup, TTLs, and behavior on metadata-store failures.

Fail-open and fail-close behavior is mentioned but not fully designed

Have you considered what happens when Redis is partially degraded, timing out, or returning intermittent errors? The design says the gateway or rate limiter can take the default call, but without clear timeout budgets and fallback ownership, requests may hang or different instances may make inconsistent decisions. At 99.99% availability, the failure path needs to be as explicit as the success path.