41

Does AWS API Gateway allows limiting a number of requests from a single IP?

I'm building a public API and would like to prevent it from being abused by establishing a limit on a number of times the API can be called from a single IP address (like 100 requests per minute).

Thanks,

spoonboy
  • 2,570
  • 5
  • 32
  • 56

1 Answers1

30

AWS API Gateway does not offer the functionality that you are looking for but there is a workaround.

What you can do is Integrate AWS API gateway with AWS Cloud Front and use AWS Web Application Firewall Rules to limit the API call from a Specific IP address.

Check this Guide for implementing the WAF. http://docs.aws.amazon.com/waf/latest/developerguide/tutorials-rate-based-blocking.html

Piyush Patil
  • 14,512
  • 6
  • 35
  • 54
  • Can this be done using the WAF Rules only, or you actually need to use Lambda, Cloud Watch, logs on S3 etc as per the example: http://docs.aws.amazon.com/waf/latest/developerguide/tutorials-rate-based-blocking.html ? – spoonboy Jul 18 '16 at 22:50
  • Yes you will have to implement Lambda, Cloud Watch and Logs on S3 or how else will WAF know the IP address that is sending many requests. I will add the above guide to the answer. – Piyush Patil Jul 18 '16 at 22:54
  • 5
    As of Nov 2018, API Gateway now integrates with WAF: https://aws.amazon.com/blogs/compute/amazon-api-gateway-adds-support-for-aws-waf/ – David Birks Jan 21 '20 at 19:12