Configure API Rate Limiting

Objective
Prerequisites
Configuration
Rate Limiting & Rules Behavior
Server URL Rules vs API Endpoint Rules
Overlapping Rules within Same Category
Concepts

Objective

This guide provides instructions on how to enable API rate limiting feature in the HTTP load balancer. The API rate limiting controls rate of requests made to your API endpoints and uses user identification to identify the clients sending requests to your application APIs. For conceptual information on rate limiting, see Rate Limiting.

Using the instructions provided in this guide, you can apply granular rate limiting to API requests to base path or specific API endpoints.

Prerequisites

The following prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
An HTTP Load Balancer.

Note: See HTTP Load Balancer and vK8s Deployment for more information on load balancer and app deployment.

Configuration

Do the following to enable API rate limiting for your application:

Step 1: Log into Console and go to HTTP Load Balancer Settings.

From the Console homepage, click on Load Balancers service.

Select your namespace.
Navigate to Manage > Load Balancers > HTTP Load Balancers.
Click ... for your load balancer and select Manage Configuration to open load balancer configuration form.
Click Edit Configuration option located in the top right corner of the form.

LoadBalancerEdit — Figure: Edit Load Balancer Configuration

Step 2: Start configuring API rate limits.

Go to Security Configuration and enable Show Advanced Fields option.
Scroll down, click on the Rate Limiting field and select API Rate Limit option.

APIRateLimitView — Figure: Rate Limiting Options

Optionally, click on the IP(s) Allowed without Rate Limiting field and do one of the following to exclude IP addresses from rate limiting:
- Select IP Allowed List and enter IP addresses in the List of IPv4 Prefix List field. You can add more than one using the Add item option.
- Select IP Allowed List using IP Prefix Set(s) and select IP prefix sets in the List of IP Prefix Sets field. You can add more than one using the Add item option. For this, at least one pre-configured IP prefix set is required.

Note: No IP addresses are allowed by default for the IP(s) Allowed without Rate Limiting field.

Step 3: Set server URL rules.

The server URL rules apply rate limiting for an entire domain or base path that contains multiple API endpoints.

Click Add Item in the Server URLs section and do the following in the ServerUrlRule form:

Click on the Domain field and select either Any Domain or Specific Domain. In case of specific domain, enter the domain in the Specific Domain field. Default option is Any Domain.
Click on the Base Path field and enter a base path.

Note: Click on the Base Path field and click See Suggestions to display suggested list of paths. This shows suggestions only if you have configured an API definition. To know how to create and configure API definition, see Import Swagger and Define APIs.

Click on the Rate Limiter Values field and do one of the following:
- Select Specific Valuesand do the following:
  - Enter a number for the Threshold field. This threshold represents the number of allowed requests for the time period set in the Duration field.
  - The Count By field sets the HTTP load balancer user identifier for the client identification. You can change this to use a custom user identification. Select User Identification Policy for the Count By field, click on the User Identification Policy field, and select an existing user identification policy or use the Create new User Identification option to create and apply a new user identification policy.
- Select External Rate Limiter, click on the External Rate Limiter field, and select an existing rate limiter. Alternatively, you can also use the Create new Rate Limiter option to create a new rate limiter and apply it here.

Note: See Configure Rate Limiting guide for instructions on how to create rate limiter and user identifiers.

Click Add Item to add the server URL rule. Use the Add Item in the Server URLs to add more rules.

Note: The rules are processed in the order in which you configure the server rules. The first rule matching the request triggers rate limiting and rest of the rules after that are not executed. Therefore, ensure you set the order of rules as per your requirements.

Step 4: Set API endpoint rules.

The API endpoint rules apply rate limiting for specific endpoints.

Click Add Item in the API Endpoints section and do the following in the ApiEndpointRule form:

Click on the Domain field and select either Any Domain or Specific Domain. In case of specific domain, enter the domain in the Specific Domain field. Default option is Any Domain.
Click on the Base Path field and enter a base path.
Click on the API Endpoint field and enter a specific API endpoint path.

Note: Click on the Base Path and API Endpoint fields and click See Suggestions to display suggested list of paths and endpoints respectively. The suggestions are shown only if you have configured an API definition. To know how to create and configure API definition, see Import Swagger and Define APIs.

Click on the Method List field under HTTP Methods and select the methods for which the rate limiting is to be applied. You can select more than one method.
Click on the Rate Limiter Values field and do one of the following:
- Select Specific Valuesand do the following:
  - Enter a number for the Threshold field. This threshold represents the number of allowed requests for the time period set in the Duration field.
  - The Count By field sets the HTTP load balancer user identifier for the client identification. You can change this to use a custom user identification. Select User Identification Policy for the Count By field, click on the User Identification Policy field, and select an existing user identification policy or use the Create new User Identification option to create and apply a new user identification policy.
- Select External Rate Limiter, click on the External Rate Limiter field, and select an existing rate limiter. Alternatively, you can also use the Create new Rate Limiter option to create a new rate limiter and apply it here.

Note: See Configure Rate Limiting guide for instructions on how to create rate limiter and user identifiers.

Click Add Item to add the server URL rule. Use the Add Item in the ApiEndpointRule to add more rules.

Note: The rules are processed in the order in which you configure the API endpoint rules. The first rule matching the request triggers rate limiting and rest of the rules after that are not executed. Therefore, ensure you set the order of rules as per your requirements.

Step 5: Complete configuration and save the new settings.

Check the order of the rules you added.

APIRateLimitRules — Figure: API Rate Limit Rules

After you finish, click Save and Exit.

Rate Limiting & Rules Behavior

It is important that you plan the order of the rules based on the behavior of rate limiting. Go through the following scenarios to understand the behavior:

Server URL Rules vs API Endpoint Rules

In case of a server URL rule for a generic path and another API endpoint rule for a specific endpoint extending out of the same generic path, then the limit for the specific endpoint is separately counted. The following is an example scenario:

Server URL rule sets 100 requests per second as limit for path /api/v1
API endpoint rule sets 10 requests per second as limit for specific endpoint /api/v1/checkout and method POST.

In this case, a user accessing /api/v1 is limited to 100 requests per second and in case the user accesses POST /api/v1/checkout, the limit is 10 requests per second. Meaning, if a user sends 10 requests for POST /api/v1/checkout, then that user reached the limit for that path but can still send 90 requests for path /api/v1.

Overlapping Rules within Same Category

In case of different rules within same category but they overlap, ensure that you add more specific rule before a general rule. This is because specific rule gets matched first and will be skipped matching the general rule.

The following is an example for server URL rules:

A specific rule sets 10 requests per second as limit for path /api/v1 and is added first.
A general rule sets 20 requests per second as limit for general path /api and added after the specific rule.

In this case, a user accessing /api/v1 is limited to 10 requests per second. Once a request matches /api/v1, rate limiting starts for it for that user. The general rule for /api will not count the request for path /api/v1. This essentially means any path starting with /api except /api/v1 is applied with 20 requests per second as the limit and /api/v1 has 10 requests per second as limit.

The following is an example for API endpoint rules:

A specific rule setting 10 requests per second as limit for endpoint /product/{productId} and method GET is added first.
A general rule setting 20 requests per second as limit for endpoint /product/{productId} and method ALL is added after the specific rule.

In this case, a user accessing GET /product/{productId} is limited to 10 requests per second. Once a request matches GET /product/{productId}, rate limiting starts for it for that user. The general rule for that endpoint with any method will not count the GET requests. This essentially means any method for the endpoint except GET is applied with 20 requests per second as the limit and GET has 10 requests per second as limit for the same endpoint for the same user.