Also, System 2 is much more energy-consuming. Because we are lazy, we tend to favor System 1 - fast and instinctive. Hence, as architects, we will generally favor the following:

• Solutions we are familiar with, e.g., libraries for former software architects
• Rules to apply blindly. As a side comment, it's the main reason for herd mentality in the tech industry, such as "microservices everywhere"

Hence, take the following advice as guidelines and not rules. Now that this has been said, here's my stance.

First, you need to categorize whether the feature is purely technical. For example, classical rate-limiting to prevent DDoS is purely technical. Such technical features belong in the infrastructure: every Reverse-Proxy worth its salt has this kind of rate-limiting.

The more business-related a feature, the closer it must be to the application. Our use-case is slightly business-related because rate-limiting is per user. Still, the API Gateway provides the feature out of the box.

Then, know your infrastructure components. It's impossible to know all the components, but you should have a passing knowledge of the elements that are available inside your org. If you're using a Cloud Provider, get a map of all their proposed services.

Regarding the inability to know all the components, talk to your SysAdmins. My experience has shown me that most organizations must utilize their SysAdmins effectively. The latter would like to be more involved in the overall system architecture design but are rarely requested to. Most SysAdmins love to share their knowledge!

Also, System 2 is much more energy-consuming. Because we are lazy, we tend to favor System 1 - fast and instinctive. Hence, as architects, we will generally favor the following:

• Solutions we are familiar with, e.g., libraries for former software architects
• Rules to apply blindly. As a side comment, it's the main reason for herd mentality in the tech industry, such as "microservices everywhere"

Hence, take the following advice as guidelines and not rules. Now that this has been said, here's my stance.

First, you need to categorize whether the feature is purely technical. For example, classical rate-limiting to prevent DDoS is purely technical. Such technical features belong in the infrastructure: every Reverse-Proxy worth its salt has this kind of rate-limiting.

The more business-related a feature, the closer it must be to the application. Our use-case is slightly business-related because rate-limiting is per user. Still, the API Gateway provides the feature out of the box.

Then, know your infrastructure components. It's impossible to know all the components, but you should have a passing knowledge of the elements that are available inside your org. If you're using a Cloud Provider, get a map of all their proposed services.

Regarding the inability to know all the components, talk to your SysAdmins. My experience has shown me that most organizations must utilize their SysAdmins effectively. The latter would like to be more involved in the overall system architecture design but are rarely requested to. Most SysAdmins love to share their knowledge!

Also, System 2 is much more energy-consuming. Because we are lazy, we tend to favor System 1 - fast and instinctive. Hence, as architects, we will generally favor the following:

• Solutions we are familiar with, e.g., libraries for former software architects
• Rules to apply blindly. As a side comment, it's the main reason for herd mentality in the tech industry, such as "microservices everywhere"

Hence, take the following advice as guidelines and not rules. Now that this has been said, here's my stance.

First, you need to categorize whether the feature is purely technical. For example, classical rate-limiting to prevent DDoS is purely technical. Such technical features belong in the infrastructure: every Reverse-Proxy worth its salt has this kind of rate-limiting.

The more business-related a feature, the closer it must be to the application. Our use-case is slightly business-related because rate-limiting is per user. Still, the API Gateway provides the feature out of the box.

Then, know your infrastructure components. It's impossible to know all the components, but you should have a passing knowledge of the elements that are available inside your org. If you're using a Cloud Provider, get a map of all their proposed services.

Regarding the inability to know all the components, talk to your SysAdmins. My experience has shown me that most organizations must utilize their SysAdmins effectively. The latter would like to be more involved in the overall system architecture design but are rarely requested to. Most SysAdmins love to share their knowledge!