Configure API Rate Limiting
On This Page:
Objective
This guide provides instructions on how to enable API rate limiting feature in the HTTP load balancer. The API rate limiting controls rate of requests made to your API endpoints and uses user identification to identify the clients sending requests to your application APIs. For conceptual information on rate limiting, see Rate Limiting.
Using the instructions provided in this guide, you can apply granular rate limiting to API requests to base path or specific API endpoints.
Prerequisites
The following prerequisites apply:
-
A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
-
An HTTP Load Balancer.
Note: See HTTP Load Balancer and vK8s Deployment for more information on load balancer and app deployment.
Configuration
Do the following to enable API rate limiting for your application:
Step 1: Log into Console and go to HTTP Load Balancer Settings.
- From the Console homepage, click on
Load Balancers
service.
-
Select your namespace.
-
Navigate to
Manage
>Load Balancers
>HTTP Load Balancers
. -
Click
...
for your load balancer and selectManage Configuration
to open load balancer configuration form. -
Click
Edit Configuration
option located in the top right corner of the form.
Step 2: Start configuring API rate limits.
-
Go to
Security Configuration
and enableShow Advanced Fields
option. -
Scroll down, click on the
Rate Limiting
field and selectAPI Rate Limit
option.
-
Optionally, click on the
IP(s) Allowed without Rate Limiting
field and do one of the following to exclude IP addresses from rate limiting:-
Select
IP Allowed List
and enter IP addresses in theList of IPv4 Prefix List
field. You can add more than one using theAdd item
option. -
Select
IP Allowed List using IP Prefix Set(s)
and select IP prefix sets in theList of IP Prefix Sets
field. You can add more than one using theAdd item
option. For this, at least one pre-configured IP prefix set is required.
-
Note: No IP addresses are allowed by default for the
IP(s) Allowed without Rate Limiting
field.
Step 3: Set server URL rules.
The server URL rules apply rate limiting for an entire domain or base path that contains multiple API endpoints.
Click Add Item
in the Server URLs
section and do the following in the ServerUrlRule
form:
-
Click on the
Domain
field and select eitherAny Domain
orSpecific Domain
. In case of specific domain, enter the domain in theSpecific Domain
field. Default option isAny Domain
. -
Click on the
Base Path
field and enter a base path.
Note: Click on the
Base Path
field and clickSee Suggestions
to display suggested list of paths. This shows suggestions only if you have configured an API definition. To know how to create and configure API definition, see Import Swagger and Define APIs.
-
Click on the
Rate Limiter Values
field and do one of the following:-
Select
Specific Values
and do the following:- Enter a number for the
Threshold
field. This threshold represents the number of allowed requests for the time period set in theDuration
field. - The
Count By
field sets the HTTP load balancer user identifier for the client identification. You can change this to use a custom user identification. SelectUser Identification Policy
for theCount By
field, click on theUser Identification Policy
field, and select an existing user identification policy or use theCreate new User Identification
option to create and apply a new user identification policy.
- Enter a number for the
-
Select
External Rate Limiter
, click on theExternal Rate Limiter
field, and select an existing rate limiter. Alternatively, you can also use theCreate new Rate Limiter
option to create a new rate limiter and apply it here.
-
Note: See Configure Rate Limiting guide for instructions on how to create rate limiter and user identifiers.
- Click
Add Item
to add the server URL rule. Use theAdd Item
in theServer URLs
to add more rules.
Note: The rules are processed in the order in which you configure the server rules. The first rule matching the request triggers rate limiting and rest of the rules after that are not executed. Therefore, ensure you set the order of rules as per your requirements.
Step 4: Set API endpoint rules.
The API endpoint rules apply rate limiting for specific endpoints.
Click Add Item
in the API Endpoints
section and do the following in the ApiEndpointRule
form:
-
Click on the
Domain
field and select eitherAny Domain
orSpecific Domain
. In case of specific domain, enter the domain in theSpecific Domain
field. Default option isAny Domain
. -
Click on the
Base Path
field and enter a base path. -
Click on the
API Endpoint
field and enter a specific API endpoint path.
Note: Click on the
Base Path
andAPI Endpoint
fields and clickSee Suggestions
to display suggested list of paths and endpoints respectively. The suggestions are shown only if you have configured an API definition. To know how to create and configure API definition, see Import Swagger and Define APIs.
-
Click on the
Method List
field underHTTP Methods
and select the methods for which the rate limiting is to be applied. You can select more than one method. -
Click on the
Rate Limiter Values
field and do one of the following:-
Select
Specific Values
and do the following:- Enter a number for the
Threshold
field. This threshold represents the number of allowed requests for the time period set in theDuration
field. - The
Count By
field sets the HTTP load balancer user identifier for the client identification. You can change this to use a custom user identification. SelectUser Identification Policy
for theCount By
field, click on theUser Identification Policy
field, and select an existing user identification policy or use theCreate new User Identification
option to create and apply a new user identification policy.
- Enter a number for the
-
Select
External Rate Limiter
, click on theExternal Rate Limiter
field, and select an existing rate limiter. Alternatively, you can also use theCreate new Rate Limiter
option to create a new rate limiter and apply it here.
-
Note: See Configure Rate Limiting guide for instructions on how to create rate limiter and user identifiers.
- Click
Add Item
to add the server URL rule. Use theAdd Item
in theApiEndpointRule
to add more rules.
Note: The rules are processed in the order in which you configure the API endpoint rules. The first rule matching the request triggers rate limiting and rest of the rules after that are not executed. Therefore, ensure you set the order of rules as per your requirements.
Step 5: Complete configuration and save the new settings.
- Check the order of the rules you added.
- After you finish, click
Save and Exit
.
Rate Limiting & Rules Behavior
It is important that you plan the order of the rules based on the behavior of rate limiting. Go through the following scenarios to understand the behavior:
Server URL Rules vs API Endpoint Rules
In case of a server URL rule for a generic path and another API endpoint rule for a specific endpoint extending out of the same generic path, then the limit for the specific endpoint is separately counted. The following is an example scenario:
-
Server URL rule sets 100 requests per second as limit for path
/api/v1
-
API endpoint rule sets 10 requests per second as limit for specific endpoint
/api/v1/checkout
and methodPOST
.
In this case, a user accessing /api/v1
is limited to 100 requests per second and in case the user accesses POST /api/v1/checkout
, the limit is 10 requests per second. Meaning, if a user sends 10 requests for POST /api/v1/checkout
, then that user reached the limit for that path but can still send 90 requests for path /api/v1
.
Overlapping Rules within Same Category
In case of different rules within same category but they overlap, ensure that you add more specific rule before a general rule. This is because specific rule gets matched first and will be skipped matching the general rule.
The following is an example for server URL rules:
-
A specific rule sets 10 requests per second as limit for path
/api/v1
and is added first. -
A general rule sets 20 requests per second as limit for general path
/api
and added after the specific rule.
In this case, a user accessing /api/v1
is limited to 10 requests per second. Once a request matches /api/v1
, rate limiting starts for it for that user. The general rule for /api
will not count the request for path /api/v1
. This essentially means any path starting with /api
except /api/v1
is applied with 20 requests per second as the limit and /api/v1
has 10 requests per second as limit.
The following is an example for API endpoint rules:
-
A specific rule setting 10 requests per second as limit for endpoint
/product/{productId}
and methodGET
is added first. -
A general rule setting 20 requests per second as limit for endpoint
/product/{productId}
and methodALL
is added after the specific rule.
In this case, a user accessing GET /product/{productId}
is limited to 10 requests per second. Once a request matches GET /product/{productId}
, rate limiting starts for it for that user. The general rule for that endpoint with any method will not count the GET
requests. This essentially means any method for the endpoint except GET
is applied with 20 requests per second as the limit and GET
has 10 requests per second as limit for the same endpoint for the same user.