
Version: 3.2.13.0

Apply Rate Limiting to APIs

Applying rate limits controls the number of requests sent to your API backend. This protects your backend from too much traffic, both wanted and unwanted (web crawlers, DDoS attacks), which can result in operational inefficiencies and higher costs.

This guide walks you through applying rate limits to control the requests sent to your upstream nodes over time.


Prerequisite(s)

  1. Have a published service.

You should not configure rate limiting plugins globally, as different APIs typically require different rate limiting quotas. If you configure the same plugin globally (in a global rule) and locally (in a route), the API7 Gateway executes both plugin instances sequentially.

Apply Rate Limiting for a Single Route

Limit Request Count

This section configures a route with rate limiting to only allow 3 requests in 60 seconds. When the limit is exceeded, a 429 status code is returned to the consumer.

  1. Select the service where the route to apply rate limiting is published.

  2. Select Routes from the side navigation bar and select your target route.

  3. Search for the limit-count plugin.

  4. Click the Plus icon (+).

  5. In the dialog box that appears, add the following configuration to the JSON Editor:

    {
      "count": 3,
      "time_window": 60,
      "key_type": "var",
      "rejected_code": 429,
      "rejected_msg": "Too many requests",
      "policy": "local",
      "allow_degradation": false,
      "show_limit_quota_header": true
    }

  6. Click Enable.

Validate

To validate, send five consecutive requests to the route:

for i in {1..5}; do curl -i '127.0.0.1:9080/ip';  done

The first three requests will be successful and the last two will be rejected with a 429 Too Many Requests status code:

Date: Fri, 01 Jun 2024 04:43:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: API7/3.2.13.0

{"error_msg":"Too many requests"}

Limit Requests per Second

This section configures a route with rate limiting to only allow 1 request per second. When the number of requests per second is between 1 and 3, the requests are delayed (throttled). When the number of requests per second is more than 3, a 429 status code is returned.

  1. Select the service where the route to apply rate limiting is published.

  2. Select Routes from the side navigation bar and select your target route.

  3. Search for the limit-req plugin.

  4. Click the Plus icon (+).

  5. In the dialog box that appears, add the following configuration to the JSON Editor:

    {
      "rate": 1,
      "burst": 2,
      "rejected_code": 429,
      "key_type": "var",
      "key": "remote_addr",
      "rejected_msg": "Requests are too frequent, please try again later."
    }

  6. Click Enable.

Validate

To validate, send five requests to the route:

for i in {1..5}; do curl -i '127.0.0.1:9080/ip';  done 

All five requests will receive the expected response because they are sent sequentially. Now send five concurrent requests to the route:

curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip"

Three of these requests will receive the expected response, and the other two will be rejected with the following response:

HTTP/1.1 429 Too Many Requests
Date: Fri, 01 Jun 2024 04:43:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: API7/3.2.13.0

{"error_msg":"Requests are too frequent, please try again later."}
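The difference between the sequential and concurrent results above can be reproduced offline with a small leaky-bucket model. This is an added example, not API7 Gateway code: the LeakyBucket class, the concurrent and sequential helpers, and the 0.01 s round-trip time are assumptions chosen to match the behaviour this section describes for "rate": 1 and "burst": 2.

```python
# Added illustration: simplified leaky-bucket model, not API7 Gateway source code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LeakyBucket:
    rate: float                    # sustained requests per second ("rate")
    burst: float                   # requests tolerated above the rate ("burst")
    excess: float = 0.0            # requests currently queued above the rate
    last: Optional[float] = None   # arrival time of the last accepted request

    def incoming(self, now: float):
        """Return (status, delay_seconds) for a request arriving at `now`."""
        if self.last is None:
            excess = 0.0
        else:
            # The bucket drains at `rate` per second; each request adds 1.
            excess = max(self.excess - self.rate * (now - self.last) + 1, 0.0)
            if excess > self.burst:
                return 429, 0.0    # rejected; bucket state is left untouched
        self.excess, self.last = excess, now
        return 200, excess / self.rate   # accepted, possibly after a delay


def concurrent(n, rate=1, burst=2):
    """n requests arriving at the same instant (the `curl ... &` test)."""
    bucket = LeakyBucket(rate, burst)
    return [bucket.incoming(0.0) for _ in range(n)]


def sequential(n, rate=1, burst=2, rtt=0.01):
    """n requests sent one at a time, each waiting for the previous response."""
    bucket, now, results = LeakyBucket(rate, burst), 0.0, []
    for _ in range(n):
        status, delay = bucket.incoming(now)
        results.append((status, round(delay, 2)))
        now += delay + rtt   # the next request leaves after this response
    return results


if __name__ == "__main__":
    print("concurrent:", concurrent(5))   # three accepted, two rejected
    print("sequential:", sequential(5))   # all accepted, later ones delayed
```

In this model the sequential loop never exceeds the burst because each delayed response holds back the next request, while five simultaneous arrivals fill the bucket after the third.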
