My goal is to have a rate limit of max 2 requests per second per IP address for an API service we are hosting.
So I kept average as 2 and burst as 100 with the default period of 1, but I could make more than 2 req/s from one IP (tested using Apache JMeter and Siege). I tried lowering the burst value to 2 and made 6 concurrent requests from the same IP. Now it only allowed 2 requests and gave 429 for the remaining 4. I increased burst to 6 and made 10 concurrent requests from the same IP, and now it allowed 6 requests and gave 429 for the remaining 4.
According to the docs for average value:
average is the maximum rate, by default in requests per second, allowed from a given source.
So why did an average value of 2 allow more than 2 req/s from the same IP address?
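
Added example, not part of the original post: a minimal token-bucket model, assuming the limiter treats `burst` as the bucket capacity and `average` per `period` as the refill rate (the class and function names are hypothetical). It reproduces the 2-of-6 and 6-of-10 results reported above and shows what each burst value does to a steady client from one IP.

```python
from fractions import Fraction  # exact arithmetic, no float drift at the 1-token boundary


class TokenBucket:
    """Constructed model: capacity `burst`, refilled at `average` tokens per `period` seconds."""

    def __init__(self, average, burst, period=1):
        self.rate = Fraction(average) / Fraction(period)  # tokens per second
        self.burst = Fraction(burst)
        self.tokens = self.burst  # assumption: the bucket starts full
        self.last = Fraction(0)

    def allow(self, now):
        # Refill for the elapsed time, never above the bucket capacity.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True   # request is forwarded
        return False      # request is answered with 429


def concurrent(average, burst, n):
    """n requests from one IP at the same instant -> (allowed, rejected)."""
    bucket = TokenBucket(average, burst)
    allowed = sum(bucket.allow(Fraction(0)) for _ in range(n))
    return allowed, n - allowed


def sustained(average, burst, client_rate, seconds):
    """Steady client at `client_rate` req/s -> requests allowed in each second."""
    bucket = TokenBucket(average, burst)
    per_second = [0] * seconds
    for k in range(client_rate * seconds):
        now = Fraction(k, client_rate)
        if bucket.allow(now):
            per_second[int(now)] += 1
    return per_second


if __name__ == "__main__":
    print(concurrent(2, 2, 6))        # burst=2, 6 concurrent requests
    print(concurrent(2, 6, 10))       # burst=6, 10 concurrent requests
    print(sustained(2, 100, 10, 20))  # burst=100 absorbs the excess for about 12 s
    print(sustained(2, 2, 10, 3))     # small burst keeps the client near 2 req/s
```

Under this model `average` bounds the long-run rate, while `burst` decides how many requests can pass before that bound takes effect.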