Rate Limiting: Token Bucket vs Leaky Bucket on AWS WAF and API Gateway
Quick summary: Token buckets allow bursts; leaky buckets smooth traffic. API Gateway throttling is a token bucket, WAF rate-based rules are per-IP window counters, and neither replaces the other in a layered defense.
Key Takeaways
- Token buckets allow bursts; leaky buckets smooth traffic. API Gateway throttling is a token bucket, WAF rate-based rules are per-IP window counters, and both matter for layered defense
- June 2026: layer edge (CloudFront + WAF), API (Gateway throttling), and app (ElastiCache token bucket) limits; attackers hit the cheapest layer first
- Hypothetical workload: $1.4K/month saved vs unthrottled Lambda scale-out
- Set account-level API Gateway throttle guardrails
June 2026: Layer edge (CloudFront + WAF), API (Gateway throttling), and app (ElastiCache token bucket) limits—attackers hit the cheapest layer first.
Symptom → mechanism → AWS control
| Production symptom | Mechanism | AWS control |
|---|---|---|
| Burst traffic triggers a scale storm downstream | Nothing throttles in front of the backend, so every burst reaches Lambda or the container fleet | API Gateway stage throttling with a burst limit (bucket size) set above the steady rate |
| Scrapers exhaust the backend | Nothing caps requests per source IP | WAF rate-based rules, CloudFront geo restrictions |
| Legitimate clients throttled | Limit set too close to the average with no allowance for normal client bursts | Token bucket with per-API-key quotas via Usage Plans (REST APIs only; HTTP APIs have stage and route throttles but no usage plans) |
Opinionated take: Layer token-bucket limits at API Gateway for product quotas and WAF rate rules for abuse—never rely on Lambda concurrency alone.
Benchmark pattern (hypothetical workload): API Gateway HTTP API stage throttling at 5K RPS steady / 10K burst (token bucket) rides out a spike to 12K RPS for about 1.4 seconds (the 10K bucket drains at a net 7K/s), after which roughly 7K RPS of excess receives HTTP 429 for the rest of a 30-second spike instead of reaching Lambda; a WAF rate-based rule blocks any source IP above 2K requests per 5 minutes for abuse (WAF attaches to a CloudFront distribution or a REST API stage, not directly to an HTTP API); combined, the hypothetical saves $1.4K/month vs unthrottled Lambda scale-out.
Algorithms
| Algorithm | Behavior | AWS analog |
|---|---|---|
| Token bucket | Bucket refills at the steady rate; a full bucket admits a burst up to the bucket size | API Gateway throttling (rate limit = refill per second, burst limit = bucket size) |
| Leaky bucket | Queues arrivals and releases them at a constant rate; smooths bursts instead of admitting them | No managed analog; build it app-side (for example a Redis-backed queue or bucket) |
| Fixed window counter | Counts requests per key in a window and blocks above the threshold; lets up to 2x the limit through when a burst straddles a boundary | WAF rate-based rule (per-IP count over a trailing window, 5 minutes by default; WAF Classic had the same shape) |
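An added example, not code from the guide: the three limiter shapes in the table above, in Python with an explicit clock so the behaviour is deterministic offline. `simulate_spike()` drives a 5K/10K token bucket with the benchmark's 12K RPS spike and reports when the first 429 would be issued; `boundary_demo()` shows the window-counter edge case with the 2K-per-5-minute WAF threshold. Class and function names are mine; the numbers are the guide's hypothetical ones.

```python
"""Token bucket vs leaky bucket vs fixed-window counter, driven by an explicit
clock (seconds as floats) so the behaviour is deterministic and testable.
Rates and limits are the guide's hypothetical numbers; class names are mine."""


class TokenBucket:
    """API Gateway-style limiter: `capacity` is the burst limit, `rate` the
    steady refill per second. A full bucket lets `capacity` requests through
    at once; after that, throughput is bounded by `rate`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = float(rate), float(capacity)
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now, cost=1.0):
        # Refill for elapsed time, capped at the bucket size, then spend.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class LeakyBucket:
    """Shaper variant: accepted requests are queued and released at a constant
    `rate`; arrivals that would push queue depth past `capacity` are dropped.
    Output never exceeds `rate`, so a burst is spread out, not passed through."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = float(rate), float(capacity)
        self.next_slot = 0.0  # time the next queued request will be released

    def submit(self, now):
        """Return the release time for this request, or None if dropped."""
        depth = max(0.0, (self.next_slot - now) * self.rate)  # requests still queued
        if depth >= self.capacity:
            return None
        slot = max(now, self.next_slot)
        self.next_slot = slot + 1.0 / self.rate
        return slot


class FixedWindow:
    """Counter reset at each window boundary: the simplest 'count, then block'
    shape. WAF's rate-based rule re-evaluates a trailing window instead, but
    shares the weakness shown in boundary_demo() to a lesser degree."""

    def __init__(self, limit, window_sec):
        self.limit, self.window_sec = limit, float(window_sec)
        self.window, self.count = None, 0

    def allow(self, now):
        window = int(now // self.window_sec)
        if window != self.window:
            self.window, self.count = window, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def simulate_spike(rate=5000, burst=10000, spike_rps=12000, seconds=30):
    """Drive a token bucket with `spike_rps` evenly spaced arrivals for
    `seconds`. Returns (seconds until the first 429, allowed, rejected)."""
    tb = TokenBucket(rate, burst)
    first_reject, allowed, rejected = None, 0, 0
    for i in range(spike_rps * seconds):
        now = i / spike_rps
        if tb.allow(now):
            allowed += 1
        else:
            rejected += 1
            if first_reject is None:
                first_reject = now
    return first_reject, allowed, rejected


def boundary_demo(limit=2000, window_sec=300):
    """2000 requests at t=299s then 2000 at t=301s: the fixed window admits all
    4000 within two seconds; token and leaky buckets sized for the same
    average admit only what has refilled or drained in those two seconds."""
    rate = limit / window_sec
    fw, tb, lb = FixedWindow(limit, window_sec), TokenBucket(rate, limit), LeakyBucket(rate, limit)
    results = {}
    for name, fn in (("fixed", fw.allow), ("token", tb.allow),
                     ("leaky", lambda t: lb.submit(t) is not None)):
        early = sum(fn(299.0) for _ in range(2000))
        late = sum(fn(301.0) for _ in range(2000))
        results[name] = (early, late)
    return results


if __name__ == "__main__":
    t, ok, no = simulate_spike()
    print(f"5K/10K bucket vs 12K RPS: first 429 after {t:.2f}s, {ok} allowed, {no} rejected")
    print(boundary_demo())
```

The spike simulation is the arithmetic behind the benchmark paragraph: 10K tokens draining at a net 7K/s last about 1.4 s, after which the bucket admits only the 5K/s refill. The boundary demo is why a WAF rate rule is an abuse control rather than a product quota: a counter resets, a bucket does not.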
Opinionated take: Combine WAF IP rate limit with per-API-key usage plan—do not rely on Lambda concurrency alone.
AWS services map
| Need | Service | Skip when |
|---|---|---|
| Per-API steady + burst limits | API Gateway throttling + Usage Plans (usage plans and API keys are REST API only; HTTP APIs get stage and route throttles) | Internal VPC traffic behind NLB |
| Per-IP abuse blocking | WAF rate-based rules | Single-tenant B2B with fixed IP allowlist |
| Edge rate limiting | CloudFront + WAF at edge | gRPC internal mesh traffic |
What to do this week
- Set account-level API Gateway throttle guardrails.
- Add a WAF rate rule on `/login` and expensive GraphQL paths.
- Implement an app-level bucket in Redis for partner APIs.
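An added example, not from the guide or from AWS: the WAF rate rule and the HTTP API stage throttle from the checklist, expressed as the boto3 payloads a practitioner would apply, plus an `apply()` that pushes them (that part needs boto3 and credentials; the payload builders run offline). The rule name, metric name, the `/graphql` path, and every resource identifier passed to `apply()` are placeholders I chose.

```python
"""WAF rate-based rule on /login and /graphql, and an API Gateway HTTP API
stage throttle, as boto3 request payloads. Names and paths are placeholders."""

LOGIN_PATH = b"/login"
GRAPHQL_PATH = b"/graphql"  # assumption: the expensive GraphQL endpoint lives here


def path_prefix_match(prefix: bytes) -> dict:
    """WAF ByteMatchStatement: request URI path starts with `prefix` (case-folded)."""
    return {
        "ByteMatchStatement": {
            "SearchString": prefix,
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "STARTS_WITH",
        }
    }


def rate_rule(limit=2000, window_sec=300, behind_cloudfront=False, priority=0) -> dict:
    """Rate-based rule: block a source IP that sends more than `limit` requests
    to /login or /graphql within the trailing `window_sec`. Answers 429 rather
    than WAF's default 403 so well-behaved clients back off."""
    stmt = {
        "Limit": limit,
        "EvaluationWindowSec": window_sec,
        "AggregateKeyType": "FORWARDED_IP" if behind_cloudfront else "IP",
        "ScopeDownStatement": {
            "OrStatement": {"Statements": [path_prefix_match(LOGIN_PATH),
                                           path_prefix_match(GRAPHQL_PATH)]}
        },
    }
    if behind_cloudfront:
        # A regional web ACL behind CloudFront sees CloudFront's egress IPs, so
        # aggregate on X-Forwarded-For. Only safe when the origin is reachable
        # solely through CloudFront; otherwise the header is attacker-controlled.
        stmt["ForwardedIPConfig"] = {"HeaderName": "X-Forwarded-For",
                                     "FallbackBehavior": "MATCH"}
    return {
        "Name": "rate-limit-login-graphql",
        "Priority": priority,
        "Statement": {"RateBasedStatement": stmt},
        "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "RateLimitLoginGraphql"},
    }


def http_api_stage_throttle(rate_limit=5000, burst_limit=10000) -> dict:
    """Stage-wide default for an API Gateway HTTP API. Token bucket semantics:
    `burst_limit` is the bucket size, `rate_limit` the refill per second.
    Without an explicit value the stage draws on the region-wide account
    default, so one noisy API can consume the headroom of every other API."""
    return {"DefaultRouteSettings": {"ThrottlingRateLimit": float(rate_limit),
                                     "ThrottlingBurstLimit": int(burst_limit)}}


def apply(api_id, stage_name, web_acl_id, web_acl_name, region="us-east-1"):
    """Push both settings. The web ACL must be REGIONAL and associated with a
    REST API stage or ALB (or CLOUDFRONT scope in us-east-1 for a
    distribution); WAF cannot be attached to an HTTP API directly."""
    import boto3  # imported here so the builders above run without boto3 installed

    boto3.client("apigatewayv2", region_name=region).update_stage(
        ApiId=api_id, StageName=stage_name, **http_api_stage_throttle())

    waf = boto3.client("wafv2", region_name=region)
    acl = waf.get_web_acl(Name=web_acl_name, Scope="REGIONAL", Id=web_acl_id)
    waf.update_web_acl(
        Name=web_acl_name, Scope="REGIONAL", Id=web_acl_id,
        DefaultAction=acl["WebACL"]["DefaultAction"],
        Rules=[rate_rule(behind_cloudfront=True)] + acl["WebACL"]["Rules"],
        VisibilityConfig=acl["WebACL"]["VisibilityConfig"],
        LockToken=acl["LockToken"],
    )
```

The scope-down statement is what keeps the 2K/5min threshold from punishing a busy but legitimate client hitting cheap endpoints: only `/login` and `/graphql` requests count toward the per-IP total. Decide `behind_cloudfront` from the actual topology; aggregating on `IP` at a regional ACL behind CloudFront rate-limits CloudFront itself.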
More in This Track
Part of the Engineering Guides library (June 2026).
What this guide doesn’t cover
API Gateway REST vs HTTP API differences: see the canonical API Gateway post.
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.