Configure Rate Limiting
Rate limiting is a commonly used technique in API management to set quotas for users and safeguard APIs from excessive requests generated by web crawlers and malicious actors. This helps ensure the fair usage of the upstream services and improves availabilities of the infrastructure.
APISIX offers a number of rate limiting plugins that can be easily configured to meet your requirements:
limit-countlimits requests by the number of requests within a given time interval.limit-reqlimits requests by the number of requests within a given time interval and a set capacity.limit-connlimits requests by the number of concurrent connections.graphql-limit-countlimits requests by the depth of GraphQL operations or mutations within a given time interval. This is an enterprise feature.
This guide will show you how to implement different rate limiting quotas for consumers in different API pricing plans, as illustrated in the Consumer Groups. You can substitute the limit-count plugin used in this guide with other available rate limiting plugins to customize for your needs.
Prerequisite(s)
- Install Docker.
- Install cURL to send requests to the services for validation.
- Follow the Getting Started tutorial to start a new APISIX instance in Docker.
Create Consumer Groups
Create a consumer group for the basic plan with a lower API quota:
curl "http://127.0.0.1:9180/apisix/admin/consumer_groups" -X PUT -d '
{
"id": "basic_plan",
"plugins": {
"limit-count": {
"count": 2,
"time_window": 30,
"rejected_code": 429
}
}
}'
❶ count, time_window: allow for 2 requests in a 30-second time interval.
❷ rejected_code: return HTTP 429 Too Many Requests response if requests exceed the quota.
Similarly, create a consumer group for the premium plan with a higher API quota:
curl "http://127.0.0.1:9180/apisix/admin/consumer_groups" -X PUT -d '
{
"id": "premium_plan",
"plugins": {
"limit-count": {
"count": 20,
"time_window": 30,
"rejected_code": 429
}
}
}'
Create Consumers
Create a consumer JohnDoe within the basic plan:
curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "JohnDoe",
"group_id": "basic_plan",
"plugins": {
"key-auth": {
"key": "john-key"
}
}
}'
Create a second consumer JaneDoe within the basic plan:
curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "JaneDoe",
"group_id": "basic_plan",
"plugins": {
"key-auth": {
"key": "jane-key"
}
}
}'
Create a consumer FetchBot within the premium plan:
curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "FetchBot",
"group_id": "premium_plan",
"plugins": {
"key-auth": {
"key": "bot-key"
}
}
}'
Create a Route
Create a route with key authentication enabled:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
"id": "rate-limiting",
"uri": "/internal",
"plugins": {
"key-auth": {}
},
"upstream" : {
"nodes": {
"mock.api7.ai:443": 1
},
"pass_host": "node",
"scheme": "https"
}
}'
Verify Rate Limiting
Verify Quota of Basic Plan
Send 10 simultaneous requests to the route as the consumer JohnDoe:
resp=$(seq 10 | xargs -I{} curl "http://127.0.0.1:9080/internal" -H 'apikey: john-key' -o /dev/null -s -w "%{http_code}\n") && \
count_200=$(echo "$resp" | grep "200" | wc -l) && \
count_429=$(echo "$resp" | grep "429" | wc -l) && \
echo "200": $count_200, "429": $count_429
You should see the following response:
200: 2, 429: 8
You should observe the same rate limiting behavior if you send requests with the key for JaneDoe.
This verifies that the rate limiting quota for the basic plan is in effect.
Verify Quota of Premium Plan
Send 30 simultaneous requests to the route as the consumer FetchBot:
resp=$(seq 30 | xargs -I{} curl "http://127.0.0.1:9080/internal" -H 'apikey: bot-key' -o /dev/null -s -w "%{http_code}\n") && \
count_200=$(echo "$resp" | grep "200" | wc -l) && \
count_429=$(echo "$resp" | grep "429" | wc -l) && \
echo "200": $count_200, "429": $count_429
You should see the following response:
200: 20, 429: 10
This verifies that the rate limiting quota for the premium plan is in effect.
Next Steps
You have now learned about the rate limiting plugins available in APISIX and how to implement different rate limiting quotas for consumers in different consumer groups.
Explore the plugin reference to learn more about how to implement rate limiting for your use cases.