System Design: Global, High-Throughput Rate Limiter

Context

You are designing a global, multi-region rate-limiting service that enforces quotas:

• Per-user (across all APIs)
• Per-API (across all users)
• Per-user-per-API (composite)

The system must be low-latency, tolerate bursts, and operate across multiple regions.

Requirements

Design and justify:

1. Algorithm choice (e.g., token bucket vs. leaky bucket) with burst tolerance and latency considerations.
2. Data model for quotas, runtime state, and metrics.
3. Partitioning and sharding strategy for a global deployment.
4. Clock/time-window semantics (fixed vs. sliding windows, monotonic time handling).
5. Consistency trade-offs (global correctness vs. latency) and how you bound overages.
6. Hot-key handling strategies.
7. Scaling strategies and capacity planning math, including how many machines are required if traffic doubles (2×), with clear assumptions and formulas.
8. Failure modes and mitigations.
9. Backpressure behavior and client guidance.
10. Observability: metrics, tracing, dashboards, and alerts.
11. APIs for configuration and metrics.

Assume a mixed workload with both regional and global traffic patterns, and that some users may send traffic from multiple regions concurrently.