Redis distributed rate limiting across multiple instances

<p>I have multiple FastAPI instances behind a load balancer. Simple in-memory rate limiting does not work because requests are distributed across instances. I need Redis-based rate limiting that works across all instances.</p>

<p>Redis-backed sliding window rate limiter:</p> <div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">time</span> <span class="kn">import</span><span class="w"> </span><span class="nn">redis.asyncio</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nn">redis</span> <span class="n">SLIDING_WINDOW_SCRIPT</span> <span class="o">=</span> <span class="s2">"""</span> <span class="s2">local key = KEYS[1]</span> <span class="s2">local window = tonumber(ARGV[1]) -- window in seconds</span> <span class="s2">local limit = tonumber(ARGV[2]) -- max requests per window</span> <span class="s2">local now = tonumber(ARGV[3]) -- current timestamp (ms)</span> <span class="s2">local window_start = now - window * 1000</span> <span class="s2">-- Remove old entries outside the window:</span> <span class="s2">redis.call('ZREMRANGEBYSCORE', key, '-inf', window_start)</span> <span class="s2">-- Count remaining entries:</span> <span class="s2">local count = redis.call('ZCARD', key)</span> <span class="s2">if count &lt; limit then</span> <span class="s2"> -- Add this request:</span> <span class="s2"> redis.call('ZADD', key, now, now)</span> <span class="s2"> redis.call('EXPIRE', key, window)</span> <span class="s2"> return 1 -- allowed</span> <span class="s2">else</span> <span class="s2"> return 0 -- rate limited</span> <span class="s2">end</span> <span class="s2">"""</span> <span class="k">async</span> <span class="k">def</span><span class="w"> </span><span class="nf">check_sliding_window_limit</span><span class="p">(</span> <span class="n">redis_client</span><span class="p">:</span> <span class="n">redis</span><span class="o">.</span><span class="n">Redis</span><span class="p">,</span> <span class="n">identifier</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">,</span> <span class="n">window_seconds</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="w"> </span><span class="sd">"""Returns True if request is within rate limit."""</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">'rate:</span><span class="si">{</span><span class="n">identifier</span><span class="si">}</span><span class="s1">'</span> <span class="n">now</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">redis_client</span><span class="o">.</span><span class="n">eval</span><span class="p">(</span> <span class="n">SLIDING_WINDOW_SCRIPT</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">window_seconds</span><span class="p">,</span> <span class="n">limit</span><span class="p">,</span> <span class="n">now</span> <span class="p">)</span> <span class="k">return</span> <span class="nb">bool</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="k">except</span> <span class="ne">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="kc">True</span> <span class="c1"># Fail open</span> <span class="c1"># Dependency:</span> <span class="k">async</span> <span class="k">def</span><span class="w"> </span><span class="nf">require_rate_limit</span><span class="p">(</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">redis_client</span><span class="o">=</span><span class="n">Depends</span><span class="p">(</span><span class="n">get_redis</span><span class="p">),</span> <span class="p">):</span> <span class="n">identifier</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">headers</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'X-API-Key'</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">host</span><span class="p">)</span> <span class="n">allowed</span> <span class="o">=</span> <span class="k">await</span> <span class="n">check_sliding_window_limit</span><span class="p">(</span><span class="n">redis_client</span><span class="p">,</span> <span class="n">identifier</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span> <span class="k">raise</span> <span class="n">HTTPException</span><span class="p">(</span> <span class="mi">429</span><span class="p">,</span> <span class="s1">'Rate limit exceeded'</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="s1">'Retry-After'</span><span class="p">:</span> <span class="s1">'60'</span><span class="p">},</span> <span class="p">)</span> </code></pre></div> <p>Key points: - Sliding window counts actual requests in last N seconds (not fixed window) - Sorted set with timestamp as score enables window-based counting - ZREMRANGEBYSCORE removes old entries -- O(log n + k) where k is removed count - Lua script is atomic -- consistent across concurrent requests from multiple instances - Fail open (return True) when Redis is unavailable</p>