Configure Rate Limiting per User
Objective
This guide provides instructions on how to configure rate limiting per user based on user identification in the F5® Distributed Cloud Console. This limits the number of API requests from a user within a time period set by configuration. Rate limiting per user is applied on the Distributed Cloud virtual host. For more information, see Rate Limiting Based on User Identification.
Using the instructions provided in this guide, you can configure a set of user identification rules, create rate limiters, and apply them to an HTTP load balancer or virtual host.
Prerequisites
The following prerequisites apply:
- Note: If you do not have an account, see Create an Account.
- F5 Distributed Cloud Services virtual host providing front end for your application.
- Note: See Create and Advertise a Virtual Host for instructions on configuring virtual host.
Configuration
Enabling rate limiting for your virtual host or load balancer requires you to create a rate limiter with optional user identification rules and apply it to the virtual host or load balancer. The following image illustrates the sequence for enabling rate limiting based on user identification:
Figure: Sequence For Rate Limiting Based on User Identification
Configuration Sequence
Enabling rate limiting based on user identification can be performed in the following two ways:
- Using the HTTP load balancer wizard.
- Using the individual wizards for the user identification, rate limiter, and virtual host.
Enabling rate limiting based on user identification requires you to perform the following sequence of actions.
| Phase | Description |
|---|---|
| Create User Identification | Create user identification with rules defining what is evaluated for identification. |
| Create Rate Limiter | Create rate limiter and optionally apply user identifier. |
| Apply Rate Limiter to Virtual Host | Create a Fast ACL set with the created Fast ACL. |
Note: When using the HTTP load balancer wizard, creation of user identification and rate limiter are part of the wizard itself.
Enable Rate Limit
Step 1: Navigate to the HTTP Load Balancers page.
- Select the Multi-Cloud App Connect service.
- Select the desired namespace from the Namespace drop-down menu.
- Navigate to Manage -> Load Balancers -> HTTP Load Balancers.
Figure: Load Balancers
Step 2: Start creating a user identifier for rate limiting.
- Select ... -> Manage Configuration and then select Edit Configuration in the upper right corner to open your load balancer's configuration edit form.
- Scroll down to the Common Security Controls section.
- In the User Identifier field, select User Identification Policy.
- In the User Identification Policy field, select an existing user policy or select Add Item to create a new one.
Figure: HTTP Load Balancer Security Configuration
This example shows creating a new user identification rule.
Figure: Create User Identification
- Enter a name for the user identification policy in the Metadata section.
- In the User Identification Rules section, select Configure to build a list of user identification rules.
- Select Add Item to create a rule.
Figure: Create User Identification Rule
- Select an identifier type from the drop-down list in the Identifier Type field and enter a value for that identifier in the field enabled as appropriate for your identifier type selection. For example, select Cookie Name as the identifier type and set Userid as the identifier.
- Select Apply to add the new rule to your rules list.
Figure: User Identification Rule List
- Optionally select Add Item to add more rules to your list.
- Select Apply to complete your list.
- Select Continue to save your rule list into your load balancer configuration.
Step 3: Enable rate limiting and set the limiter values.
- Scroll down to the Rate Limiting field (a little below the User Identifier section) and select Custom Rate Limiting Parameters.
- Select Configure.
- Enter a value for the Number field.
- Select a unit for the Per Period field in the Request Rate Limiter section.
- Optionally enter a value for the Burst Multiplier field.
This example sets 15 requests per second as the rate limit.
Figure: Rate Limit Example for Load Balancer
Step 4: Specify IP prefixes to exempt from rate limiting.
By default, rate limiting applies to all IPs. Optionally, select Ip Allowed List or Ip Allowed using Ip Prefix Set(s) for the Ip(s) Allowed without Rate Limiting drop-down field and perform one of the following:
- Add IP prefixes if you selected Ip Allowed List. Use Add item to add more prefixes.
- If you selected Ip Allowed using Ip Prefix Set(s), select an existing IP prefix set. If no IP prefix sets are listed, select Add Item in the drop-down list to create a new prefix set.
This example adds the IP prefixes using the Ip Allowed List option.
Figure: Rate Limiter Configuration
Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.
Step 5: Specify rate limiter policies.
By default, there are no rate limiting policies (an IP Allowed List is an implicit policy, if specified). Optionally, select Rate Limiter Policies to create an ordered list of policies. (If an IP Allowed List was specified in the previous step, it is effectively the first ordered policy.)
- Select an existing policy from the drop-down list or choose Add Item from that list.
For a new policy, continue with the rest of the actions in this step.
- Enter the policy name and optionally labels and a description.
- Select Configure in the Rules section to view the Rules list.
- Select Add Item to add a rule.
- Enter a name for the rule.
- Select Configure in the Rule Specification field.
Figure: Rate Limiter Rule Specification
- Choose an Action to take for this rule if the request matches the predicates specified below:
  - Bypass Rate Limiter: Exclude this request from the HTTP rate limiter.
  - Apply Rate Limiter: The HTTP rate limiter applies to this request.
  - Apply Custom Rate Limiter: Apply a custom rate limiter to this request, which you will select or create as part of this option.
- Configure one or more Match Predicates:
  - HTTP Method: Matches against the HTTP method(s) you specify (e.g., GET, PUT, and HEAD).
  - Domain Matcher: Matches against the domain(s) you specify, either by exact match or by regex.
  - HTTP Path: Matches against the path portion of the request, either by prefix value, exact value, or regex value.
  - HTTP Headers: Matches against a list of header names that are either present, not present, or contain specified values.
- Select Apply to save the rate limiter rule specification.
- Select Apply to save the rate limiter rule.
- Select Apply to save the rate limiter rules list.
- Select Continue to save the rate limiter policy.
Step 6: Complete enabling the rate limiting for the load balancer.
- Select Apply to create and add the rate limiter to the load balancer. This also returns to the load balancer configuration page.
- Select Save and Exit to create or update the load balancer and enable the rate limiting.
Note: The following apply:
- The rate limit is always evaluated before any configured network security policy sets.
- Evaluation of the configured network policy set is done only if the request is under the limit set by the rate limit.
- A service policy rule is automatically created for each HTTP load balancer that has rate limiting enabled and a rate limiter object is also automatically created.
- An IP Prefix set is automatically created if the rate limiting configuration has an allowed IP list.
- The policy rule uses the virtual host and IP matcher as match predicates.
- The rate limiter is applied as an action in the service policy rule.
Enable Rate Limit Using Constituent Component Wizards
The constituent components of rate limiting functionality are user identification, rate limiter, and virtual host/load balancer. Perform the instructions provided in the following chapters to configure the constituent components.
Create User Identification
A user identification specifies the list of rules defining the identifier types and their values. The system determines the user identity based on these rules and uses the rate limiter to limit the requests accordingly.
Note: Configuring a user identifier is optional, as the system treats the client IP address as the default user identifier.
Step 1: Log into the F5 Distributed Cloud Console and navigate to user identity creation.
- Select the Multi-Cloud App Connect service.
- Select the desired namespace from the Namespace drop-down menu.
- Navigate to Security -> Shared Objects -> User Identification.
Figure: Navigate to User Identification Creation
Step 2: Configure identification rules
- Select Add User Identification. The user identification creation form opens.
- Enter a name for this user identification and optionally labels and a description.
- In the User Identification Rules section, select Configure to create a rules list.
- Select Add Item to create the first rule in the list.
- Select an option from the drop-down list for the Identifier Type field and enter an associated value for the selected option, if required.
- Select Apply to save the rule to the rules list.
- Use the Add Item button to add more rules, if necessary.
- When finished adding rules, select Apply to save the rule list.
This example shows adding cookie name and HTTP header name as identifiers.
Figure: User Identification Rules
Step 3: Complete creating user identification
Select Save and Exit to create the user identification object.
Create Rate Limiter
A rate limiter specifies the limit for an API request per second or minute and optionally specifies the user identification rules to determine to which API request this limit is applied.
Perform the following to create a rate limiter:
Step 1: Log into the Console and navigate to the rate limiters section.
- Select the Multi-Cloud App Connect service.
- Select the desired namespace from the Namespace drop-down menu.
- Navigate to Security -> Shared Objects -> Rate Limiters.
- Select Add Rate Limiter. The rate limiter creation form opens.
Step 2: Set rate limit configuration.
- Enter a name and optionally set labels and add a description.
- Select View Configuration in the Rate Limit Values section.
- Enter a rate value in the Number field. The maximum allowed number is 8192.
- Enter a unit of time in the Per Period field. Supported units are Second and Minute.
- Enter a multiplier value in the Burst Multiplier field. The burst multiplier is the maximum burst of requests allowed, expressed as a multiple of the rate.
- Select Apply to save the rate limits.
Figure: Rate Limits
- Select Select user identification in the User Identification Policy section and select a user identification.
This example sets the limit of 5 requests per second.
Figure: Rate Limiter
Step 3: Complete rate limiter creation.
Select Save and Exit to create the rate limiter object.
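How the user identification rules, the Number / Per Period / Burst Multiplier values and the IP allowed list interact, as an added model (not F5 code and not the Console's API schema). It assumes rules are tried in list order with the first match winning and that the limit is enforced as a token bucket; the header name X-Api-Key and the prefix 192.0.2.0/24 are constructed sample values.

```python
import ipaddress

# Constructed stand-ins for the settings described in this guide; the names
# are illustrative only, not F5 Distributed Cloud configuration fields.
ID_RULES = [("cookie", "Userid"), ("header", "X-Api-Key")]  # tried in order (assumption)
ALLOWED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # exempt from rate limiting
NUMBER, PERIOD_SECONDS, BURST_MULTIPLIER = 5, 1, 2          # 5 requests per second


def identify(request):
    """Return the key the limiter counts against for this request."""
    for kind, name in ID_RULES:
        source = request["cookies"] if kind == "cookie" else request["headers"]
        if name in source:
            return f"{kind}:{name}={source[name]}"
    # No rule matched: the client IP address is the default identifier.
    return f"ip:{request['client_ip']}"


def is_exempt(client_ip):
    """True when the client IP falls inside an allowed prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_PREFIXES)


class TokenBucket:
    """Refills at NUMBER per period; holds at most NUMBER * BURST_MULTIPLIER."""

    def __init__(self):
        self.capacity = NUMBER * BURST_MULTIPLIER
        self.state = {}  # key -> (tokens, time of last request)

    def allow(self, key, now):
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * NUMBER / PERIOD_SECONDS)
        allowed = tokens >= 1
        self.state[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


def simulate(requests):
    """requests: list of (timestamp_seconds, request dict); returns decisions."""
    bucket = TokenBucket()
    decisions = []
    for now, req in requests:
        if is_exempt(req["client_ip"]):
            decisions.append("exempt")  # allowed prefixes skip the limiter
        else:
            decisions.append("allow" if bucket.allow(identify(req), now) else "limit")
    return decisions
```

Because the identifier is taken from a cookie or header when one is present, two clients behind the same IP address are counted separately, while a request carrying neither falls back to being counted by client IP.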
Apply Rate Limiter to Virtual Host
After creating the rate limiter, apply it to your virtual host configuration to enforce rate limiting on the API requests served by the virtual host. This example shows how to apply rate limiting to a virtual host that is already created. However, you can also apply rate limiting while creating a virtual host.
Note: For virtual host setup instructions, see Create and Advertise a Virtual Host.
Perform the following to apply a rate limiter to a virtual host:
Step 1: Navigate to the virtual host configuration section.
- Select the Multi-Cloud App Connect service.
- Select the desired namespace from the Namespace drop-down menu.
- Navigate to Manage -> Virtual Host -> Virtual Hosts.
- Select ... -> Edit to open the virtual host configuration edit form.
Step 2: Apply rate limiters to the virtual host.
- Scroll down to the Rate Limiter section.
- Select Select rate limiter and select the rate limiter previously created.
Step 3: Apply IP prefixes for exempting them from rate limiting.
- In the Rate Limiter Allowed Prefixes section, select Add Item.
- Use the drop-down menu to select a rate limiter IP prefix for which you want to skip rate limiting. You can also create a new prefix by selecting Add Item in the drop-down menu.
- Use the Add item button (outside the drop-down menu) to add additional rate limiter allowed prefixes.
Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.
Step 4: Apply user identification rules to the virtual host.
- Select Select user identification in the User Identification Policy section.
- Select user identification objects previously created to apply to the virtual host.
Figure: Apply Rate Limiting to Virtual Host
Note: User identification rules from the rate limiter applied to the virtual host are prioritized over the user identification directly applied to the virtual host.
Step 5: Complete enabling the rate limiting for the virtual host.
Select Save and Exit to enable the rate limiting.