Apply Rate Limiting to APIs
Applying rate limiting controls the number of requests sent to your API backend. This protects your backend from too much traffic, both wanted and unwanted (web crawlers, DDoS attacks), which can result in operational inefficiencies and higher costs.
This guide walks you through applying rate limits to control the requests sent to your upstream nodes over time.
Prerequisite(s)
Apply Rate Limiting for All Services (Not Recommended)
You should not configure rate-limiting plugins globally, as different APIs typically require different rate-limiting quotas. If you configure the same plugin globally (in a global rule) and locally (in a route), the API7 Gateway executes both plugin instances sequentially.
Apply Rate Limiting for a Single Route
Limit Request Count
This section configures a route with rate limiting to only allow 3 requests in 60 seconds. When the limit is exceeded, a 429 status code is returned to the consumer.
- Dashboard
- ADC
- Ingress Controller
- Select Published Services of your gateway group from the side navigation bar, then click the service you want to modify, for example,
httpbin APIwith version1.0.0. - Under the published service, select Routes from the side navigation bar.
- Select your target route, for example,
getting-started-anything. - In the Plugin field, click Enable Plugin.
- Search for the
limit-countplugin, then click Enable. - In the dialog box, do the following:
Add the following configuration to the JSON Editor:
{
"count": 3,
"time_window": 60,
"key_type": "var",
"rejected_code": 429,
"rejected_msg": "Too many requests",
"policy": "local",
"allow_degradation": false,
"show_limit_quota_header": true
}Click Enable.
Below is an interactive demo that provides a hands-on introduction to limiting request numbers. You will gain a better understanding of how to use it in API7 Enterprise by clicking and following the steps.
To use ADC to configure the route, create the following configuration:
services:
- name: httpbin API
upstream:
name: default
scheme: http
nodes:
- host: httpbin.org
port: 80
weight: 100
routes:
- uris:
- /ip
name: security-ip
methods:
- GET
plugins:
limit-count:
_meta:
disable: false
allow_degradation: false
count: 3
key: remote_addr
key_type: var
policy: local
rejected_code: 429
rejected_msg: Too many requests
show_limit_quota_header: true
time_window: 60
Synchronize the configuration to API7 Enterprise:
adc sync -f adc.yaml
Create a Kubernetes manifest file for a route, where rate limiting is enabled:
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: httpbin-route
# namespace: api7 # replace with your namespace
spec:
http:
- name: httpbin-route
match:
paths:
- /ip
methods:
- GET
backends:
- serviceName: httpbin
servicePort: 80
plugins:
- name: limit-count
enable: true
config:
time_window: 60
count: 3
rejected_code: 429
Apply the configurations to your cluster:
kubectl apply -f httpbin-route.yaml
Validate
To validate, send five consecutive requests to the route:
for i in {1..5}; do curl -i '127.0.0.1:9080/ip'; done
The first three requests will be successful and the last two will be rejected with a 429 Too Many Requests status code:
Date: Fri, 01 Jun 2024 04:43:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: API7/3.2.13.0
{"error_msg":"Too many requests"}
Limit Requests per Second
This section configures a route with rate-limiting to only allow 1 request per second. When the number of requests per second is between 1 and 3 they will be delayed/throttled. When the number of requests per second is more than 3, a 429 status code is returned.
- Dashboard
- ADC
- Select Published Services of your gateway group from the side navigation bar, then select the service you want to modify, for example,
httpbin APIwith version1.0.0. - Under the published service, select Routes from the side navigation bar.
- Select your target route, for example,
getting-started-anything. - In the Plugin field, click Enable Plugin.
- Search for the
limit-reqplugin, then click Enable. - In the dialog box, do the following:
Add the following configuration to the JSON Editor:
{
"rate": 1,
"burst": 2,
"rejected_code": 429,
"key_type": "var",
"key": "remote_addr",
"rejected_msg": "Requests are too frequent, please try again later."
}Click Enable.
To use ADC to configure the route, create the following configuration:
services:
- name: httpbin API
upstream:
name: default
scheme: http
nodes:
- host: httpbin.org
port: 80
weight: 100
routes:
- uris:
- /ip
name: security-ip
methods:
- GET
plugins:
limit-req:
_meta:
disable: false
burst: 2
key: remote_addr
key_type: var
rate: 1
rejected_code: 429
rejected_msg: Requests are too frequent, please try again later.
Synchronize the configuration to API7 Gateway:
adc sync -f adc.yaml
Validate
To validate, send five requests to the route:
for i in {1..5}; do curl -i '127.0.0.1:9080/ip'; done
You will get back the required response because the requests are sequential. Now send five concurrent requests to the route:
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip"
Three of these requests will have the required response, and the other two will be rejected with the following response:
HTTP/1.1 429 Too Many Requests
Date: Fri, 01 Jun 2024 04:43:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: API7/3.2.13.0
{"error_msg":"Requests are too frequent, please try again later."}