Apply API Rate Limit Policies
API7 Enterprise Edition is a unified control point that manages the ingress and egress traffic of APIs and microservices. Besides legitimate client requests, that traffic may include unwanted requests from web crawlers and attacks such as DDoS.
API7 Enterprise Edition offers rate limiting to protect APIs by capping the number of requests forwarded to upstream services in a given period of time. Request counting is done in memory, with low latency and high throughput.
Prerequisite(s)
- Obtain a User Account with Super Admin or API Provider Role.
- Complete Add Service from API Definition.
Set Up Rate Limiting for All Services (Not Recommended)
Rate limiting plugins are not typically configured as global rules, since different APIs usually need different quotas. When the same plugin is configured both globally (in a global rule) and locally on an object (e.g. a route), both plugin instances run in sequence with separate counters, so a request is rejected as soon as it exceeds either limit.
Limit the Number of Requests per Time Period for a Single Route
In this tutorial, the route may be called at most 3 times within a 60-second window. Once the limit is exceeded, the gateway answers with a 503 status code until the window resets. With key_type set to var and no key specified, the plugin counts requests per remote_addr, i.e. per client IP address.
- Select Services > your target service. In this tutorial, the Swagger Petstore service (see Add Service from API Definition) will be used as an example.
- Select Routes > your target route. In this tutorial, the getPetById route will be used as an example.
- On the Plugins table of the route, click Add Plugin.
- Choose limit-count as the plugin.
- Apply the following configuration to the JSON Editor:
{
  "count": 3,
  "time_window": 60,
  "key_type": "var",
  "rejected_code": 503,
  "rejected_msg": "Too many request",
  "policy": "local",
  "allow_degradation": false,
  "show_limit_quota_header": true
}
- Click Add.
Validate
Request the API five times in a loop (the -i flag prints the response headers shown below):
for i in {1..5}; do curl -i 127.0.0.1:9080/pet/1; done
# Response to requests 1 to 3 (the third is shown; X-RateLimit-Remaining counts down 2, 1, 0 across them).
# The second set of X-RateLimit-* headers further down, with a limit of 120, is set by the upstream Petstore service itself, not by the gateway.
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 58
Date: Fri, 01 Sep 2023 03:48:27 GMT
x-srv-trace: v=1;t=fa189e8ae9c6f5f0
x-srv-span: v=1;s=fafd95fb74cd40ff
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693540165
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
# Response to requests 4 and 5
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 03:48:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: APISIX/dev
{"error_msg":"Too many request"}
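To make the fixed-window behaviour of the configuration above concrete, here is a small simulation written for this tutorial. It is not API7 or APISIX code; the class, function and variable names are my own, and the clock is passed in explicitly so the five-request loop can be replayed deterministically offline.

```python
"""Fixed-window counter with the semantics of the limit-count configuration above.

Added illustration for this tutorial; it is not API7 or APISIX code. The class,
function and variable names are assumptions of this example, and "time" is
passed in explicitly so the behaviour can be replayed deterministically offline.
"""
from typing import Dict, List, Tuple


class LimitCount:
    """Allow `count` requests per key in every fixed window of `time_window` seconds.

    Mirrors the plugin settings used above: key = client address (the plugin's
    default when key_type is "var" and no key is given), rejected_code 503, and
    the X-RateLimit-* quota headers that show_limit_quota_header turns on.
    """

    def __init__(self, count: int, time_window: int, rejected_code: int = 503) -> None:
        self.count = count
        self.time_window = time_window
        self.rejected_code = rejected_code
        # key -> (window_start, requests seen in that window). This lives in one
        # process's memory only, which is what policy "local" means on the gateway.
        self._windows: Dict[str, Tuple[float, int]] = {}

    def handle(self, key: str, now: float) -> Tuple[int, Dict[str, str]]:
        start, seen = self._windows.get(key, (now, 0))
        if now - start >= self.time_window:
            start, seen = now, 0            # the old window expired: start a new one
        seen += 1
        self._windows[key] = (start, seen)
        remaining = max(self.count - seen, 0)
        headers = {
            "X-RateLimit-Limit": str(self.count),
            "X-RateLimit-Remaining": str(remaining),
            "X-RateLimit-Reset": str(int(self.time_window - (now - start))),
        }
        status = self.rejected_code if seen > self.count else 200
        return status, headers


def replay_loop(client: str = "127.0.0.1", start: float = 0.0) -> List[Tuple[int, int]]:
    """Replay the five-request loop: (status, X-RateLimit-Remaining) per request."""
    limiter = LimitCount(count=3, time_window=60)
    out = []
    for i in range(5):
        status, headers = limiter.handle(client, now=start + 0.1 * i)
        out.append((status, int(headers["X-RateLimit-Remaining"])))
    return out


def replay_two_clients_then_new_window() -> List[int]:
    """The quota is per key and resets with the window: a second address is not
    affected by the first one's exhaustion, and the first address is admitted
    again once 60 seconds have passed."""
    limiter = LimitCount(count=3, time_window=60)
    statuses = [limiter.handle("10.0.0.1", now=t)[0] for t in (0.0, 0.1, 0.2, 0.3)]
    statuses.append(limiter.handle("10.0.0.2", now=0.3)[0])   # different key, fresh quota
    statuses.append(limiter.handle("10.0.0.1", now=60.0)[0])  # new window for the first key
    return statuses


if __name__ == "__main__":
    for status, remaining in replay_loop():
        print(status, "X-RateLimit-Remaining:", remaining)
```

Two caveats follow from the model. With policy "local" every gateway node keeps its own counter, so behind N nodes a client can get roughly N times the configured count. And because the key is remote_addr, a gateway that sits behind a load balancer sees the balancer's address for every client and puts them all in one counter; key on a variable that carries the real client address (only if the balancer sets it and the gateway trusts it) or on an authenticated consumer instead.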
Limit the Number of Requests per Second for a Single Route
In this tutorial, the route is limited to 1 request per second per client address. Requests that arrive faster than the rate are not rejected right away: up to 2 of them (the burst) are held and forwarded later so that traffic leaves at the configured rate. Any request beyond rate plus burst in the same second is rejected with status code 503.
- Select Services > your target service. In this tutorial, the Swagger Petstore service (see Add Service from API Definition) will be used as an example.
- Select Routes > your target route. In this tutorial, the getPetById route will be used as an example.
- On the Plugins table of the route, click Add Plugin.
- Choose limit-req as the plugin.
- Apply the following configuration to the JSON Editor:
{
  "rate": 1,
  "burst": 2,
  "rejected_code": 503,
  "key_type": "var",
  "key": "remote_addr",
  "rejected_msg": "Requests are too frequent, please try again later."
}
- Click Add.
Validate
Request the API five times in a loop:
for i in {1..5}; do curl -i 127.0.0.1:9080/pet/1; done
Because the loop sends each request only after the previous one has completed, requests above the rate are delayed rather than rejected, and all five return 200 (the loop takes a few seconds longer than it would without the plugin):
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 04:16:05 GMT
x-srv-trace: v=1;t=620ffed95fea96cb
x-srv-span: v=1;s=44c7c66dd6b810c8
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693541823
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
Now send five requests concurrently:
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1"
Three of the five requests succeed (one immediately, two after a delay); the other two are rejected with:
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 04:16:02 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"error_msg":"Requests are too frequent, please try again later."}
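Why the sequential loop passes while the concurrent burst loses two requests becomes clear once the leaky bucket is written out. The simulation below was written for this tutorial and is not API7 or APISIX code; it follows the nginx-style limit_req accounting (an "excess" that grows by one per request and drains at the configured rate), and its names are my own. The clock is passed in explicitly so both checks above can be replayed offline.

```python
"""Leaky-bucket limiter with the semantics of the limit-req configuration above
(rate = 1 request/second, burst = 2, rejected_code 503).

Added illustration for this tutorial; it is not API7 or APISIX code. The names
are assumptions of this example, and time is passed in explicitly so the
sequential loop and the five concurrent requests can be replayed deterministically.
"""
from typing import Dict, List, Optional, Tuple


class LimitReq:
    """Per-key leaky bucket in the style of nginx limit_req.

    `excess` is how many requests a key is ahead of its allowed rate. Each
    request adds one; elapsed time drains `rate` per second. A request whose
    excess would exceed `burst` is rejected; otherwise it is admitted after a
    delay of excess / rate seconds so traffic leaves at the configured rate
    (with nodelay=True the excess is tolerated without delaying).
    """

    def __init__(self, rate: float, burst: int, rejected_code: int = 503,
                 nodelay: bool = False) -> None:
        self.rate = rate
        self.burst = burst
        self.rejected_code = rejected_code
        self.nodelay = nodelay
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (last_time, excess)

    def handle(self, key: str, now: float) -> Tuple[int, Optional[float]]:
        """Return (status, delay_seconds); delay is None when the request is rejected."""
        if key not in self._state:
            excess = 0.0                                  # first request: no backlog
        else:
            last, prev = self._state[key]
            excess = max(prev - self.rate * (now - last) + 1.0, 0.0)
            if excess > self.burst:
                return self.rejected_code, None           # beyond rate + burst: state untouched
        self._state[key] = (now, excess)
        delay = 0.0 if self.nodelay else excess / self.rate
        return 200, delay


def replay_concurrent(nodelay: bool = False) -> List[Tuple[int, Optional[float]]]:
    """Five requests from one address arriving at the same instant."""
    limiter = LimitReq(rate=1, burst=2, nodelay=nodelay)
    return [limiter.handle("127.0.0.1", now=0.0) for _ in range(5)]


def replay_sequential() -> Tuple[List[int], float]:
    """The curl loop: the next request is sent only after the previous response,
    so the client itself absorbs each delay. Returns (statuses, seconds elapsed)."""
    limiter = LimitReq(rate=1, burst=2)
    clock, statuses = 0.0, []
    for _ in range(5):
        status, delay = limiter.handle("127.0.0.1", now=clock)
        statuses.append(status)
        if delay is not None:
            clock += delay       # the client blocks until the delayed response arrives
    return statuses, clock


if __name__ == "__main__":
    print("concurrent:", replay_concurrent())
    print("sequential:", replay_sequential())
```

In the concurrent replay the first request goes through at once, the second and third are held for 1 and 2 seconds, and the fourth and fifth exceed burst and are rejected, which is the 3/2 split observed above. In the sequential replay each delayed request drains the bucket by the time the next one is sent, so all five succeed but the loop takes about 4 seconds. The delaying behaviour is what distinguishes limit-req from limit-count: it smooths bursts instead of cutting them off, at the cost of holding connections open on the gateway.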