Create a separate rate limit for unauthenticated API traffic
Our current rate limits allow for setting:
- Unauthenticated traffic (both web and API)
- Authenticated API
- Authenticated web
We cannot currently lower the unauthenticated API limit because it includes both web and API. Because of this, it will be difficult for us to tune our authenticated API rate limit as we are proposing in !65334 (closed).
Rate limiting is currently our best tool to prevent a single noisy neighbor from impacting performance, especially on storage shards, as it was with gitlab-com/gl-infra/production#5037 (closed) and https://gitlab.com/gitlab-com/gl-infra/production/-/issues/5031.
There should also be very little need to use the API anonymously, and by isolating it as a separate rate limit, we can set it much lower than the current authenticated API limit.
Our current limit for all unauthenticated traffic is 500 req/min, which includes the unauthenticated API.
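
An added illustration of the bucket split proposed above (not part of the original issue and not GitLab's code). It compares the shared unauthenticated bucket with a separate unauthenticated API bucket using a fixed-window counter. The `Throttle` class, the bucket names, the `/api/` path test and every limit except the 500 req/min figure are assumptions.

```ruby
# Constructed model of the rate-limit buckets; not GitLab's implementation.
Request = Struct.new(:ip, :user_id, :path)

class Throttle
  WINDOW = 60 # seconds per counting window

  def initialize(limits, split_unauth_api:)
    @limits = limits
    @split = split_unauth_api
    @counts = Hash.new(0)
  end

  # Decide which bucket a request is counted against.
  def bucket(req)
    api = req.path.start_with?('/api/') # assumed way to recognise API traffic
    if req.user_id
      api ? :authenticated_api : :authenticated_web
    elsif @split
      api ? :unauthenticated_api : :unauthenticated_web
    else
      :unauthenticated # today's shared bucket: web and API together
    end
  end

  # Fixed-window counter keyed by bucket, client and window; true if allowed.
  def allow?(req, now)
    b = bucket(req)
    key = [b, req.user_id || req.ip, now.to_i / WINDOW]
    @counts[key] += 1
    @counts[key] <= @limits.fetch(b)
  end
end

# One anonymous client sends 500 API calls, then 10 web page loads in the
# same minute. Returns [api_allowed, web_allowed].
def simulate(throttle)
  ip = '203.0.113.7' # constructed address from a documentation range
  api = (1..500).count { throttle.allow?(Request.new(ip, nil, '/api/v4/projects'), 0) }
  web = (1..10).count { throttle.allow?(Request.new(ip, nil, '/explore'), 30) }
  [api, web]
end

# 500 req/min is the figure from the issue; all other values are placeholders.
COMBINED = { unauthenticated: 500, authenticated_api: 2000, authenticated_web: 1000 }.freeze
SPLIT = { unauthenticated_api: 100, unauthenticated_web: 500,
          authenticated_api: 2000, authenticated_web: 1000 }.freeze

p simulate(Throttle.new(COMBINED, split_unauth_api: false)) # [500, 0]
p simulate(Throttle.new(SPLIT, split_unauth_api: true))     # [100, 10]
```

With the shared bucket, the anonymous API client receives the full 500 requests and uses up the web budget for the same address; with the split, the API allowance can be lowered without touching anonymous web traffic.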