Render rate-limit or DDOS protection for web services?

Does Render provide DDOS protection for web servers or should we implement rate-limiting on web services on our end?

Both.

DDoS protection is included as part of all Render Web Services ( DDoS Protection | Render Docs ), but DDoS scale for the platform may still be problematic to your service(s) specifically.

  1. Rate Limiting is a necessary part of all applications eventually. You may be able to kick this can down the road at first, but it will undoubtedly become relevant eventually.
  2. You should make use of your own CDN/WAF/etc. in order to have your own management details external to your service as well. You may want to define more stringent rules for your needs, note that you cannot set looser rules overriding our platform wide protections.

You can sign up with any service provider you want, including Cloudflare, Cloudflare supports this situation in their documentation listed as “Orange-To-Orange” (O2O) mode.