Load balancers can enforce rate limits before requests reach your application.
Benefits:
- Protects backend from traffic spikes
- Blocks abusive clients early
- Simple configuration
Typical limits:
- Per IP: requests/second
- Per user: requests/minute
- Per endpoint: Different limits for expensive operations
Response: Return HTTP (Too Many Requests) with Retry-After header.
Rate limiting at the load balancer is coarse-grained. Fine-grained limiting (per user, per API key) typically happens at the application layer.
Mention this as a defense against DDoS and abusive clients.