Configure Rate Limiting per User

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Manage -> Load Balancers -> HTTP Load Balancers.

Figure: Load Balancers

• Select ... -> Manage Configuration and then select Edit Configuration in the upper right corner to open to your load balancer's configuration edit form.
• Scroll down to the Common Security Controls section.
• In the User Identifier field, select User Identification Policy.
• In the User Identification Policy field, select an existing user policy or select Add Item to create a new one.

Figure: HTTP Load Balancer Security Configuration

This example shows creating new user identification rule.

Figure: Create User Identification

• Enter a name for the user identification policy in the Metadata section.
• In the User Identification Rules section, select Configure to build a list of user identification rules.
• Select Add Item to create a rule.

Figure: Create User Identification Rule

• Select an identifier type from the drop-down list in the Identifier Type field and enter a value for that identifier in the field enabled as appropriate for your identifier type selection. For example, select Cookie Name as the identifier type and set Userid as the identifier.
• Select Apply to add the new rule to your rules list.

Figure: User Identification Rule List

• Optionally select Add Item to add more rules to your list.
• Select Apply to complete your list.
• Select Continue to save your rule list into your load balancer configuration.

• Scroll down to the Rate Limiting field (a little below the User Identifier section) and select Custom Rate Limiting Parameters.

• Select View Configuration.

• Enter the maximum number of requests per unit in the Number field.

• Enter a unit of time in the Per Period field. Supported units are Seconds, Minutes, and Hours.

• Enter the number of periods to apply the rate. As an example, If you enter [1, Seconds, 60] or [1, Minutes, 1] for [Number of Requests, Per Period, Periods] both would be the same as 1 request per minute.

• Optionally enter a value for the Burst Multiplier field, which indicates how many times a user can hit the requests/unit limit.

The following example sets 15 requests per second as the rate limit. A user who exceeds that would be blocked until the rate drops below the limit.

Figure: Rate Limit Example for Load Balancer

Select Block from the Mitigation Action drop-down menu if you want a user to be blocked for all requests for some time after exceeding the rate limit.

• Select a duration unit (Seconds, Minutes, and Hours).
• Enter a duration value.

Note: The maximum blocking time is 48 hours.

The following example would block all requests from a user who exceeded the rate limit for 5 minutes regardless of how the request rate changes during the 5 minute mitigation period.

Figure: Rate Limit Mitigation Example for Load Balancer

By default, rate limiting applies to all IPs. Optionally, select Ip Allowed List or Ip Allowed using Ip Prefix Set(s) for the Ip(s) Allowed without Rate Limiting drop-down field and perform one of the following:

• Add IP prefixes if you selected Ip Allowed List. Use Add item to add more prefixes.

• If you selected Ip Allowed using Ip Prefix Set(s), select an existing IP prefix set. If no IP prefix sets are listed, select Add Item in the drop-down list to create a new prefix set.

This example adds the IP prefixes using the Ip Allowed List option.

Figure: Rate Limiter Configuration

Note: Performing this step enables the system to exempt rate limiting for requests from specified IP prefixes.

By default, there are no rate limiting policies (An IP Allowed List is an implicit policy, if specified). Optionally, select Rate Limiter Policies to create an ordered list of policies. (If an IP Allowed List was specified in the previous step, it is effectively the first ordered policy).

• Select an existing policy from the drop-down list or choose Add Item from that list.

For a new policy, continue with the rest of the actions in this step.

• Enter the policy name and optionally labels and a description.
• Select Configure in the Rules section to view the Rules list.
• Select Add Item to add a rule.
• Enter a name for the rule
• Select Configure in the Rule Specification field.

Figure: Rate Limiter Rule Specification

• Choose an Action to take for this rule if the request matches the predicates specified below:

  • Bypass Rate Limiter: Exclude this request from the HTTP rate limiter.
  • Apply Rate Limiter: The HTTP rate limiter applies to this request.
  • Apply Custom Rate Limiter: Apply a custom rate limiter to this request, which you will select or create as part of this option.

• Configure one or more Match Predicates:

  • HTTP Method: Matches against the HTTP method(s) you specify (e.g., GET, PUT, and HEAD).
  • Domain Matcher: Matches against the domain(s) you specify, either by exact match or by regex.
  • HTTP Path: Matches against the path portion of the request, either by prefix value, exact value, or regex value.
  • HTTP Headers: Matches against a list of header names that are either present, not present, or contain specified values.

• Select Apply to save the rate limiter rule specification.

• Select Apply to save the rate limiter rule.

• Select Apply to save the rate limiter rules list.

• Select Continue to save the rate limiter policy.

• Select Apply to create and add the rate limiter to the load balancer. This also returns to the load balancer configuration page.
• Select Save and Exit to create or update the load balancer and enable the rate limiting.

Note: The following apply:

• The rate limit is always evaluated before any configured network security policy sets.
• Evaluation of the configured network policy set is done only if the request is under limit set by the rate limit.
• A service policy rule is automatically created for each HTTP load balancer that has rate limiting enabled and a rate limiter object is also automatically created.
• An IP Prefix set is automatically created if the rate limiting configuration has an allowed IP list.
• Policy rule uses virtual host and IP matcher as match predicates.
• The rate limiter is applied as an action in the service policy rule.

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Security -> Shared Objects -> User Identification.

Figure: Navigate to User Identification Creation

• Select Add User Identification. The user identification creation form opens.
• Enter a name for this user identification and optionally labels and a description.
• In the User Identification Rules section, select Configure to create a rules list.
• Select Add Item to create the first rule in the list.
• Select an option from the drop-down list for the Identifier Type field and enter an associated value for the selected option, if required.
• Select Apply to save the rule to the rules list.
• Use the Add Item button to add more rules, if necessary.
• When finished adding rules, select Apply to save the rule list.

This example shows adding cookie name and HTTP header name as identifiers.

Figure: User Identification Rules

Select Save and Exit to create the user identification object.

• Select the Shared Configuration service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Security -> Shared Objects -> Rate Limiters.
• Select Add Rate Limiter. The rate limiter creation form opens.

• Enter a name and optionally set labels and add a description.

• Select View Configuration in the Rate Limit Values section.

• Enter the maximum number of requests per unit in the Number field. The maximum allowed number is 8192.

• Enter a unit of time in the Per Period field. Supported units are Seconds, Minutes, and Hours.

• Enter the number of periods to apply the rate. As an example, If you enter [1, Seconds, 60] or [1, Minutes, 1] for [Number of Requests, Per Period, Periods] both would be the same as 1 request per minute.

• Enter a multiplier value in the Burst Multiplier field. The burst multiplier is the maximum burst of requests allowed, expressed as a multiple of the rate.

• Optionally select Block from the Mitigation Action drop-down menu if you want a user to be blocked for all requests for some time after exceeding the rate limit.

  • Select a duration unit (Seconds, Minutes, and Hours).
  • Enter a duration value.

• Select Apply to save the rate limits.

The following example sets 5 requests per 2 seconds as the rate limit. A user that exceeds that limit will be blocked for 30 seconds regardless of how the request rate changes during the 30 second mitigation period.

Figure: Rate Limits

• Select Select user identification in the User Identification Policy section and select a user identification.

Select Add Rate Limiter to create the rate limiter object.

• Select the Multi-Cloud App Connect service.
• Select the desired namespace from the Namespace drop-down menu.
• Navigate to Virtual Host -> HTP Load Balancers.
• Select ... -> Manage Configuration and then select Edit Configuration in the upper right corner to open the virtual host configuration edit form.

• Scroll down to the Rate Limiting section in the Common Security Controls section.

• Using the Rate Limiting field, select Custom Rate Limiting Parameters.

• In the Custom Rate Limiting Parameters section, select View Configuration.

• Enter the maximum number of requests per unit in the Number field.

• Select a unit for the Per Period field in the Request Rate Limiter section.

• Optionally enter a value for the Burst Multiplier field, which indicates how many times a user can hit the requests/unit limit.

• Optionally allow some IPs to bypass rate limits

  • Select IP Allowed List in the IP(s) Allowed without Rate Limiting field.
  • Enter a prefix that will not be rate limited. Use the Add Item button to add more IP prefixes.

• Optionally create different rules for specific HTTP methods, domains, HTTP paths, HTTP headers, or a combination of these.

Figure: Apply Rate Limiting to Virtual Host

Note: This example sets 15 requests per second with 3 bursts allowed as the rate limit. Requests coming from 10.1.1.3/32 bypass rate limiting. There are no special rules for requests with specific parameters.

Select Save and Exit to enable the rate limiting.