Configure Rate Limiting per User

Objective

This guide provides instructions on how to configure rate limiting per user based on the user identification in the F5® Distributed Cloud Console. This limits the number of API requests from a user within a time period set by configuration. The rate limiting per user is applied on the Distributed Cloud virtual host. For more information, see Rate Limiting Based on User Identification.

Using the instructions provided in this guide, you can configure a set of user identification rules, create rate limiters, and apply them to an HTTP load balancer or virtual host.


Prerequisites

The following prerequisites apply:

  • F5 Distributed Cloud Services virtual host providing front end for your application.

Configuration

Enabling rate limiting for your virtual host or load balancer requires you to create a rate limiter with optional user identification rules and apply it to the virtual host or load balancer. The following image illustrates the sequence for enabling rate limiting based on user identification:

Figure: Sequence For Rate Limiting Based on User Identification

Configuration Sequence

Enabling rate limiting based on user identification can be performed in the following two ways:

  • Using the HTTP load balancer wizard.
  • Using the individual wizards for the user identification, rate limiter, and virtual host.

Enabling rate limiting based on user identification requires you to perform the following sequence of actions.

Phase | Description
Create User Identification | Create user identification with rules defining what is evaluated for identification.
Create Rate Limiter | Create rate limiter and optionally apply user identifier.
Apply Rate Limiter to Virtual Host | Create a Fast ACL set with the created Fast ACL.

Note: When using the HTTP load balancer wizard, creation of user identification and rate limiter are part of the wizard itself.


Enable Rate Limit

Step 1: Navigate to the HTTP Load Balancers page.
  • Select the Multi-Cloud App Connect service.
  • Select the desired namespace from the Namespace drop-down menu.
  • Navigate to Manage -> Load Balancers -> HTTP Load Balancers.
Figure: Load Balancers
Step 2: Start creating a user identifier for rate limiting.
  • Select ... -> Manage Configuration and then select Edit Configuration in the upper right corner to open your load balancer's configuration edit form.
  • Scroll down to the Common Security Controls section.
  • In the User Identifier field, select User Identification Policy.
  • In the User Identification Policy field, select an existing user policy or select Add Item to create a new one.
Figure: HTTP Load Balancer Security Configuration

This example shows creating a new user identification rule.

Figure: Create User Identification
  • Enter a name for the user identification policy in the Metadata section.
  • In the User Identification Rules section, select Configure to build a list of user identification rules.
  • Select Add Item to create a rule.
Figure: Create User Identification Rule
  • Select an identifier type from the drop-down list in the Identifier Type field and enter a value for that identifier in the field enabled as appropriate for your identifier type selection. For example, select Cookie Name as the identifier type and set Userid as the identifier.
  • Select Apply to add the new rule to your rules list.
Figure: User Identification Rule List
  • Optionally select Add Item to add more rules to your list.
  • Select Apply to complete your list.
  • Select Continue to save your rule list into your load balancer configuration.
Step 3: Enable rate limiting and set the limiter values.
  • Scroll down to the Rate Limiting field (a little below the User Identifier section) and select Custom Rate Limiting Parameters.
  • Select Configure.
  • Enter a value for the Number field.
  • Select a unit for the Per Period field in the Request Rate Limiter section.
  • Optionally enter a value for the Burst Multiplier field.

This example sets 15 requests per second as the rate limit.

Figure: Rate Limit Example for Load Balancer
Step 4: Specify IP prefixes to exempt from rate limiting.

By default, rate limiting applies to all IPs. Optionally, select Ip Allowed List or Ip Allowed using Ip Prefix Set(s) for the Ip(s) Allowed without Rate Limiting drop-down field and perform one of the following:

  • Add IP prefixes if you selected Ip Allowed List. Use Add item to add more prefixes.

  • If you selected Ip Allowed using Ip Prefix Set(s), select an existing IP prefix set. If no IP prefix sets are listed, select Add Item in the drop-down list to create a new prefix set.

This example adds the IP prefixes using the Ip Allowed List option.

Figure: Rate Limiter Configuration

Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.

Step 5: Specify rate limiter policies.

By default, there are no rate limiting policies (an IP Allowed List, if specified, is an implicit policy). Optionally, select Rate Limiter Policies to create an ordered list of policies. If an IP Allowed List was specified in the previous step, it is effectively the first ordered policy.

  • Select an existing policy from the drop-down list or choose Add Item from that list.

For a new policy, continue with the rest of the actions in this step.

  • Enter the policy name and optionally labels and a description.
  • Select Configure in the Rules section to view the Rules list.
  • Select Add Item to add a rule.
  • Enter a name for the rule.
  • Select Configure in the Rule Specification field.
Figure: Rate Limiter Rule Specification
  • Choose an Action to take for this rule if the request matches the predicates specified below:

    • Bypass Rate Limiter: Exclude this request from the HTTP rate limiter.
    • Apply Rate Limiter: The HTTP rate limiter applies to this request.
    • Apply Custom Rate Limiter: Apply a custom rate limiter to this request, which you will select or create as part of this option.
  • Configure one or more Match Predicates:

    • HTTP Method: Matches against the HTTP method(s) you specify (e.g., GET, PUT, and HEAD).
    • Domain Matcher: Matches against the domain(s) you specify, either by exact match or by regex.
    • HTTP Path: Matches against the path portion of the request, either by prefix value, exact value, or regex value.
    • HTTP Headers: Matches against a list of header names that are either present, not present, or contain specified values.
  • Select Apply to save the rate limiter rule specification.

  • Select Apply to save the rate limiter rule.

  • Select Apply to save the rate limiter rules list.

  • Select Continue to save the rate limiter policy.
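
The policy evaluation order described in this step can be modeled as follows. This is an added example, not F5 code or configuration syntax: the rule dictionary layout, the function names and the sample rules are hypothetical, and it assumes that the first matching rule wins, that the predicates inside a rule are combined with AND, and that the load balancer's rate limiter applies when no rule matches.

```python
import ipaddress
import re

# Illustrative model. Assumptions: first matching rule wins, predicates inside a
# rule are ANDed, header values are compared exactly, and "apply" is the default.

def text_match(spec, value):
    """spec is (kind, pattern); kind is exact, prefix or regex."""
    kind, pattern = spec
    if kind == "exact":
        return value == pattern
    if kind == "prefix":
        return value.startswith(pattern)
    return re.fullmatch(pattern, value) is not None

def rule_matches(rule, req):
    """Check every configured predicate; an absent predicate matches any request."""
    if "methods" in rule and req["method"] not in rule["methods"]:
        return False
    if "domain" in rule and not text_match(rule["domain"], req["host"]):
        return False
    if "path" in rule and not text_match(rule["path"], req["path"]):
        return False
    for name, want in rule.get("headers", {}).items():
        got = req["headers"].get(name)
        ok = {"present": got is not None, "absent": got is None}.get(want, got == want)
        if not ok:
            return False
    return True

def decide(req, allowed_prefixes, rules):
    """Return bypass, apply, or apply_custom:<limiter name> for one request."""
    ip = ipaddress.ip_address(req["client_ip"])
    if any(ip in ipaddress.ip_network(p) for p in allowed_prefixes):
        return "bypass"            # IP Allowed List acts as the first ordered policy
    for rule in rules:
        if rule_matches(rule, req):
            return rule["action"]
    return "apply"                 # no rule matched: the configured limiter applies

# Constructed sample policy. Order matters: the specific /api/login rule must
# precede the broader /api/ rule, otherwise it is never reached.
SAMPLE_RULES = [
    {"path": ("exact", "/healthz"), "methods": {"GET", "HEAD"}, "action": "bypass"},
    {"path": ("prefix", "/api/login"), "methods": {"POST"}, "action": "apply_custom:login-limiter"},
    {"path": ("prefix", "/api/"), "action": "apply"},
]
```

Reversing the last two sample rules makes POST requests to /api/login fall under the general limiter, which is the kind of ordering mistake worth checking for when reviewing a policy.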

Step 6: Complete enabling the rate limiting for the load balancer.
  • Select Apply to create and add the rate limiter to the load balancer. This also returns to the load balancer configuration page.
  • Select Save and Exit to create or update the load balancer and enable the rate limiting.

Note: The following apply:

  • The rate limit is always evaluated before any configured network security policy sets.
  • Evaluation of the configured network policy set is done only if the request is under the limit set by the rate limit.
  • A service policy rule is automatically created for each HTTP load balancer that has rate limiting enabled and a rate limiter object is also automatically created.
  • An IP Prefix set is automatically created if the rate limiting configuration has an allowed IP list.
  • The policy rule uses virtual host and IP matcher as match predicates.
  • The rate limiter is applied as an action in the service policy rule.

Enable Rate Limit Using Constituent Component Wizards

The constituent components of rate limiting functionality are user identification, rate limiter, and virtual host/load balancer. Perform the instructions provided in the following chapters to configure the constituent components.

Create User Identification

A user identification specifies the list of rules defining the identifier types and their values. The system determines the user identity based on these rules and uses the rate limiter to limit the requests accordingly.

Note: Configuring a user identifier is optional as the system treats client IP address as the default user identifier.

Step 1: Log into the F5 Distributed Cloud Console and navigate to user identity creation.
  • Select the Multi-Cloud App Connect service.
  • Select the desired namespace from the Namespace drop-down menu.
  • Navigate to Security -> Shared Objects -> User Identification.
Figure: Navigate to User Identification Creation
Step 2: Configure identification rules
  • Select Add User Identification. The user identification creation form opens.
  • Enter a name for this user identification and optionally labels and a description.
  • In the User Identification Rules section, select Configure to create a rules list.
  • Select Add Item to create the first rule in the list.
  • Select an option from the drop-down list for the Identifier Type field and enter an associated value for the selected option, if required.
  • Select Apply to save the rule to the rules list.
  • Use the Add Item button to add more rules, if necessary.
  • When finished adding rules, select Apply to save the rule list.

This example shows adding cookie name and HTTP header name as identifiers.

Figure: User Identification Rules
Step 3: Complete creating user identification

Select Save and Exit to create the user identification object.


Create Rate Limiter

A rate limiter specifies the limit on API requests per second or minute and optionally specifies the user identification rules that determine to which API requests this limit is applied.

Perform the following to create a rate limiter:

Step 1: Log into the Console and navigate to rate limiters section.
  • Select the Multi-Cloud App Connect service.
  • Select the desired namespace from the Namespace drop-down menu.
  • Navigate to Security -> Shared Objects -> Rate Limiters.
  • Select Add Rate Limiter. The rate limiter creation form opens.
Step 2: Set rate limit configuration.
  • Enter a name and optionally set labels and add a description.
  • Select View Configuration in the Rate Limit Values section.
  • Enter a rate value in the Number field. The maximum allowed number is 8192.
  • Enter a unit of time in the Per Period field. Supported units are Second and Minute.
  • Enter a multiplier value in the Burst Multiplier field. The burst multiplier is the maximum burst of requests allowed, expressed as a multiple of the rate.
  • Select Apply to save the rate limits.
Figure: Rate Limits
  • Select Select user identification in the User Identification Policy section and select a user identification.

This example sets the limit of 5 requests per second.

Figure: Rate Limiter
Step 3: Complete rate limiter creation.

Select Save and Exit to create the rate limiter object.
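
How the user identification rules and the rate limit values (Number, Per Period, Burst Multiplier) work together can be seen in the following model. It is an added example, not F5 code: the token bucket algorithm, the class and function names, and the request dictionary are assumptions made for illustration, while the 8192 maximum, the Second and Minute units, the burst multiplier definition and the client IP fallback come from this guide.

```python
import ipaddress

# Illustrative model only. A token bucket is an assumption, not the platform's
# documented algorithm; Number, Per Period and Burst Multiplier mirror the guide.
PERIOD_SECONDS = {"Second": 1, "Minute": 60}


def make_request(client_ip, cookies=None, headers=None):
    """Build a constructed sample request for the model."""
    return {"client_ip": client_ip, "cookies": cookies or {}, "headers": headers or {}}


def identify_user(request, rules):
    """Return the first identifier the ordered rules yield, else the client IP."""
    for id_type, name in rules:                # e.g. ("cookie", "Userid")
        source = request["cookies"] if id_type == "cookie" else request["headers"]
        value = source.get(name)
        if value:
            return f"{id_type}:{name}={value}"
    return f"ip:{request['client_ip']}"        # default identifier per the guide


class PerUserRateLimiter:
    def __init__(self, number, per_period, burst_multiplier=1, rules=(), allowed_prefixes=()):
        if not 1 <= number <= 8192:            # maximum stated in the guide
            raise ValueError("Number must be between 1 and 8192")
        self.rate = number / PERIOD_SECONDS[per_period]   # tokens added per second
        self.capacity = number * burst_multiplier          # largest burst allowed
        self.rules = list(rules)
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.buckets = {}                      # user identifier -> (tokens, last time)

    def allow(self, request, now):
        """Decide one request at time `now` (seconds); True means it is forwarded."""
        ip = ipaddress.ip_address(request["client_ip"])
        if any(ip in net for net in self.allowed):
            return True                        # exempt prefix, never counted
        user = identify_user(request, self.rules)
        tokens, last = self.buckets.get(user, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[user] = (tokens - 1 if allowed else tokens, now)
        return allowed
```

With 5 requests per second and a burst multiplier of 2, a user can send 10 requests at once and is then held to 5 per second. Two users behind the same client IP are counted separately only when a cookie or header rule identifies them.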


Apply Rate Limiter to Virtual Host

After creating the rate limiter, apply it to your virtual host configuration to enforce rate limiting on the API requests served by the virtual host. This example shows how to apply rate limiting to a virtual host that is already created. However, you can also apply the rate limiting while creating a virtual host.

Note: For virtual host setup instructions, see Create and Advertise a Virtual Host.

Perform the following to apply a rate limiter to a virtual host:

Step 1: Navigate to virtual host configuration section.
  • Select the Multi-Cloud App Connect service.
  • Select the desired namespace from the Namespace drop-down menu.
  • Navigate to Manage -> Virtual Host -> Virtual Hosts.
  • Select ... -> Edit to open the virtual host configuration edit form.
Step 2: Apply rate limiters to the virtual host.
  • Scroll down to the Rate Limiter section.
  • Select Select rate limiter and select the rate limiter previously created.
Step 3: Apply IP prefixes for exempting them from rate limiting.
  • In the Rate Limiter Allowed Prefixes section, select Add Item.
  • Use the drop-down menu to select a rate limiter IP prefix for which you want to skip rate limiting. You can also create a new prefix by selecting Add Item in the drop-down menu.
  • Use the Add item button (outside the drop-down menu) to add additional rate limiter allowed prefixes.

Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.

Step 4: Apply user identification rules to the virtual host.
  • Select Select user identification in the User Identification Policy section.
  • Select user identification objects previously created to apply to the virtual host.
Figure: Apply Rate Limiting to Virtual Host

Note: User identification rules from the rate limiter applied to the virtual host are prioritized over the user identification directly applied to the virtual host.

Step 5: Complete enabling the rate limiting for the virtual host.

Select Save and Exit to enable the rate limiting.

