Yes, 20 TPS (Transactions Per Second) is considered low for most production workloads — unless:
✅ When 20 TPS is reasonable:
- You’re testing or doing a soft launch.
- The API serves high-cost or sensitive operations (e.g., financial transactions).
- You want to protect legacy backends that can’t handle high concurrency.
- You’re applying it per client (per consumer) rather than globally.
❗ When 20 TPS is too low:
- You’re limiting at the global or service level and expect hundreds or thousands of users.
- Your application is public-facing, and users experience 429 errors (rate limit exceeded).
- You’re throttling batch jobs, mobile apps, or systems that burst above 20 TPS.
📊 Typical API Rate Benchmarks:
| Use Case | Typical Rate |
|---|---|
| Internal microservice | 100–10,000+ TPS |
| Public API (freemium) | 50–100 TPS per key |
| Critical API (payments, auth) | 5–50 TPS with burst handling |
| Global rate limit | 1,000+ TPS |
🔁 Recommendation:
- Set burst + sustained limits, e.g.,:
config.second=20config.hour=72_000(20 * 3600)
- Use Redis policy for accurate global limits across nodes.
- Add consumer-based limits if needed.
Would you like a rate-limiting strategy per user tier (e.g., free vs. premium)?
Here’s a practical rate-limiting strategy per user tier (e.g., Free, Standard, Premium) using Kong Gateway, suitable for API plans on AWS or anywhere Kong is deployed.
Here’s a practical rate-limiting strategy per user tier (e.g., Free, Standard, Premium) using Kong Gateway, suitable for API plans on AWS or anywhere Kong is deployed.
🎯 Goal: Per-Consumer Rate Limiting (e.g., Free = 20 TPS, Premium = 100 TPS)
✅ Assumptions:
- You’re using Kong consumers for authentication (e.g., via API key, JWT, OIDC).
- Rate limiting is applied per consumer.
- You want to prevent abuse while allowing scalability by tier.
🏷️ Example Rate Limits by Plan
| Tier | TPS (config.second) | Daily Limit (config.day) | Notes |
|---|---|---|---|
| Free | 20 TPS | 50,000 requests/day | Strict throttling |
| Standard | 60 TPS | 250,000 requests/day | More flexible |
| Premium | 100 TPS | 1,000,000 requests/day | High throughput |
⚙️ Step-by-Step in Kong
1. Create Consumers
curl -X POST http://<admin-api>:8001/consumers \
--data "username=free_user"
curl -X POST http://<admin-api>:8001/consumers \
--data "username=standard_user"
curl -X POST http://<admin-api>:8001/consumers \
--data "username=premium_user"
2. Assign Auth (e.g., API key)
curl -X POST http://<admin-api>:8001/consumers/free_user/key-auth
3. Apply Rate Limit Plugin to Each Consumer
Free (20 TPS, 50k/day)
curl -X POST http://<admin-api>:8001/consumers/free_user/plugins \
--data "name=rate-limiting" \
--data "config.second=20" \
--data "config.day=50000" \
--data "config.policy=local" \
--data "config.limit_by=consumer"
Standard (60 TPS)
curl -X POST http://<admin-api>:8001/consumers/standard_user/plugins \
--data "name=rate-limiting" \
--data "config.second=60" \
--data "config.day=250000" \
--data "config.policy=local" \
--data "config.limit_by=consumer"
Premium (100 TPS)
curl -X POST http://<admin-api>:8001/consumers/premium_user/plugins \
--data "name=rate-limiting" \
--data "config.second=100" \
--data "config.day=1000000" \
--data "config.policy=local" \
--data "config.limit_by=consumer"
🧠 Optional: Use Redis for Distributed Rate Limiting
In multi-node setups, replace policy=local with:
--data "config.policy=redis" \
--data "config.redis_host=<your_redis_host>" \
--data "config.redis_port=6379"
🛠️ Tip: Monitor for 429 Errors
Watch for HTTP 429 Too Many Requests in Kong logs, Splunk, or Prometheus dashboards.
📘 Want Automation?
Let me know if you’d like:
- Ansible playbook
deckYAML for versioned config- Kong Ingress YAML (for EKS)
- Terraform for Kong setup
Just tell me your setup.
Infra Cloud Solutions 