Mid-level (3–5 years) System design Medium

Design a distributed rate limiter for an API gateway

Reported in SumUp European engineering loops. A system design question that tests token bucket, sliding window, and Redis coordination.

Role: Backend Engineer
Location: Stockholm, Sweden
Study track: Node.js

Often asked in SumUp loops at European offices (London, Berlin, Amsterdam, Paris, Stockholm, Dublin, and remote EU). Prepare a clear spoken answer plus key trade-offs.


How to frame this at SumUp: Connect your answer to measurable impact, clarity of thought, and trade-offs the team cares about. Below is a strong baseline response you can adapt with your own project examples.

Goal: cap requests per user/API key (e.g., 1000/min) across many stateless gateway nodes with minimal latency.

Algorithms: Token bucket (smooth burst allowance), fixed window (simple but boundary spikes), sliding window log (accurate, memory heavy), sliding window counter (hybrid).

Architecture: each gateway node checks its local cache first, then a central Redis store that holds the cross-node counts. Use Lua scripts or Redis Cell for an atomic increment plus TTL. Whether to fail open or fail closed during a Redis outage is a product decision.

Return HTTP 429 with a Retry-After header. Shard Redis by user hash for scale. Mention global vs per-endpoint limits, tiered quotas, and async enforcement for background jobs.
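
The sliding window counter and the fail-open/fail-closed choice from the answer above, as an added Node.js sketch (not part of the original baseline response). `MemoryStore`, `checkLimit`, the option names and the key format are hypothetical, and the in-memory store stands in for Redis so the example runs offline.

```javascript
// Added example; MemoryStore, checkLimit and the option names are hypothetical.
// MemoryStore stands in for Redis so the sketch runs offline.
class MemoryStore {
  constructor() { this.counts = new Map(); }
  get(key) { return this.counts.get(key) || 0; }
  incr(key) {
    const n = this.get(key) + 1;
    this.counts.set(key, n);
    return n;
  }
}

// Sliding window counter: weight the previous fixed window by how much of it
// still overlaps the sliding window, then add the current window's count.
// Against real Redis the read-check-increment below must be one Lua script
// (with a TTL on each window key) so concurrent gateway nodes cannot interleave.
function checkLimit(store, apiKey, nowMs, { limit, windowMs, failOpen }) {
  const win = Math.floor(nowMs / windowMs);
  const elapsed = (nowMs % windowMs) / windowMs; // fraction of current window used
  try {
    const prev = store.get(`${apiKey}:${win - 1}`);
    const curr = store.get(`${apiKey}:${win}`);
    const estimate = prev * (1 - elapsed) + curr;
    if (estimate >= limit) {
      // Simple hint: seconds until the current fixed window ends.
      const retryAfter = Math.ceil((windowMs - (nowMs % windowMs)) / 1000);
      return { allowed: false, status: 429, headers: { 'Retry-After': String(retryAfter) } };
    }
    store.incr(`${apiKey}:${win}`);
    return { allowed: true, remaining: Math.max(0, Math.floor(limit - estimate - 1)) };
  } catch (err) {
    // Store outage: the fail-open vs fail-closed policy decides, not the algorithm.
    return { allowed: Boolean(failOpen), degraded: true };
  }
}

// Constructed scenario: limit of 5 per minute, one API key, injected clock.
function demo() {
  const store = new MemoryStore();
  const opts = { limit: 5, windowMs: 60000, failOpen: false };
  const t0 = 600000; // start of a window
  const burst = Array.from({ length: 6 }, () => checkLimit(store, 'key-A', t0, opts));
  // Half-way through the next window the old burst still counts at 50% weight.
  const later = Array.from({ length: 4 }, () => checkLimit(store, 'key-A', t0 + 90000, opts));
  return { burst, later };
}
console.log(demo().later.map((r) => r.allowed));
```

A plain fixed window would admit a fresh 5 requests in the second window; here only 3 pass because the earlier burst is still weighted in, which is the boundary-spike problem the sliding window counter is meant to smooth.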
