DRL — Distributed Rate Limiter
DRL is a high-performance, horizontally scalable rate-limiting service designed to run alongside Envoy proxies. It eliminates external-database round-trips by keeping all enforcement state in-process, distributed via a gossip mesh.
How it works
DRL operates in three parallel planes:
| Plane | Mechanism | Latency Impact |
|---|---|---|
| Local enforcement | Fully-replicated in-memory Blocklist (O(1) lookup) | Zero — rejection before the request reaches the upstream |
| Shadow accounting | Hashed, async counter ownership across the cluster | Zero — increments happen in a background goroutine |
| State sync | Warm-bootstrap via Memberlist Push/Pull on startup | One-time startup cost only |
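A single-node sketch of the first two planes, added here as an illustration and not taken from DRL's code: the request path only reads a blocklist, and a background goroutine owns the counters and writes the block. The names `Limiter`, `Allow` and `Flush`, the channel buffer size and the limit are assumptions, and gossip replication and hashed counter ownership across nodes are left out.

```go
package main

import (
	"fmt"
	"sync"
)

// Limiter models one node; names and structure are assumptions, not DRL's code.
type Limiter struct {
	blocked sync.Map       // local enforcement: read on every request
	counts  map[string]int // shadow accounting: touched only by account()
	limit   int
	events  chan string // admitted requests waiting to be counted
	pending sync.WaitGroup
}

func NewLimiter(limit int) *Limiter {
	l := &Limiter{counts: map[string]int{}, limit: limit, events: make(chan string, 4096)}
	go l.account()
	return l
}

// Allow does one blocklist lookup, queues the increment, and returns.
func (l *Limiter) Allow(entity string) bool {
	if _, hit := l.blocked.Load(entity); hit {
		return false
	}
	l.pending.Add(1)
	l.events <- entity // blocks only if the buffer is full
	return true
}

// account applies queued increments and blocks an entity at its limit.
func (l *Limiter) account() {
	for e := range l.events {
		if l.counts[e]++; l.counts[e] >= l.limit {
			l.blocked.Store(e, true)
		}
		l.pending.Done()
	}
}

// Flush waits until every queued increment has been applied.
func (l *Limiter) Flush() { l.pending.Wait() }

func main() {
	l := NewLimiter(3) // constructed limit; the 4th call may still print true
	fmt.Println(l.Allow("key-A"), l.Allow("key-A"), l.Allow("key-A"), l.Allow("key-A"))
}
```

In this model a burst can be admitted past the limit until the background goroutine records the block, so the limit acts as a blocking threshold rather than a hard cap on in-flight requests.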
Quick start
Prerequisites
- Go 1.25+
- Docker & Docker Compose (for local testing)
Build
```bash
mise run build
```

Run

```bash
# API key is required (minimum 16 characters)
export DRL_PRIVATE_API_KEY="your-secure-api-key-here"

# Start with built-in defaults
./bin/drl

# Start with a custom KDL config file
./bin/drl --config config.kdl
```

Minimum viable configuration
```kdl
listen {
    grpc ":8081"
    metrics ":9091"
}
membership {
    service-name "drl"
    port 7946
    bind-addr "0.0.0.0"
}
internal-api {
    enabled true
    address ":8082"
}
accounting {
    settings {
        algorithm "sliding-window"
    }
    rules {
        api-v1 {
            path-prefix "/api/v1"
            headers "X-API-Key"
            limit 1000
            per "minute"
        }
    }
}
```

Further reading
| Topic | Description |
|---|---|
| Configuration | Complete KDL config reference and all environment variables |
| Membership | Cluster formation, gossip, warm-bootstrap, and block propagation |
| Cache | In-memory blocklist and accounting cache architecture |
| Accounting | Shadow accounting model, entity hashing, and batched flush |
| gRPC API | Envoy ratelimit.v3 service implementation |
| Internal HTTP API | Management endpoints, digest authentication, and examples |