Skip to main content

Version: 3.11.0

Configure Rate Limiting

Rate limiting is a commonly used technique in API management to set quotas for users and safeguard APIs from excessive requests generated by web crawlers and malicious actors. This helps ensure the fair usage of the upstream services and improves availabilities of the infrastructure.


Routes Diagram

APISIX offers a number of rate limiting plugins that can be easily configured to meet your requirements:

  • limit-count limits requests by the number of requests within a given time interval.
  • limit-req limits requests by the number of requests within a given time interval and a set capacity.
  • limit-conn limits requests by the number of concurrent connections.
  • graphql-limit-count limits requests by the depth of GraphQL operations or mutations within a given time interval. This is an enterprise feature.

This guide will show you how to implement different rate limiting quotas for consumers in different API pricing plans, as illustrated in the Consumer Groups. You can substitute the limit-count plugin used in this guide with other available rate limiting plugins to customize for your needs.

Prerequisite(s)

Create Consumer Groups

Create a consumer group for the basic plan with a lower API quota:

curl "http://127.0.0.1:9180/apisix/admin/consumer_groups" -X PUT -d '
{
"id": "basic_plan",
"plugins": {
"limit-count": {
"count": 2,
"time_window": 30,
"rejected_code": 429
}
}
}'

count, time_window: allow for 2 requests in a 30-second time interval.

rejected_code: return HTTP 429 Too Many Requests response if requests exceed the quota.

Similarly, create a consumer group for the premium plan with a higher API quota:

curl "http://127.0.0.1:9180/apisix/admin/consumer_groups" -X PUT -d '
{
"id": "premium_plan",
"plugins": {
"limit-count": {
"count": 20,
"time_window": 30,
"rejected_code": 429
}
}
}'

Create Consumers

Create a consumer JohnDoe within the basic plan:

curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "JohnDoe",
"group_id": "basic_plan"
}'

Create a second consumer JaneDoe within the basic plan:

curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "JaneDoe",
"group_id": "basic_plan"
}'

Create a consumer FetchBot within the premium plan:

curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "FetchBot",
"group_id": "premium_plan"
}'

Configure Credentials

Configure the consumer key-auth credential for JohnDoe:

curl "http://127.0.0.1:9180/apisix/admin/consumers/JohnDoe/credentials" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "cred-john-key-auth",
"plugins": {
"key-auth": {
"key": "john-key"
}
}
}'

Configure the consumer key-auth credential for JaneDoe:

curl "http://127.0.0.1:9180/apisix/admin/consumers/JaneDoe/credentials" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "cred-jane-key-auth",
"plugins": {
"key-auth": {
"key": "jane-key"
}
}
}'

Configure the consumer key-auth credential for FetchBot:

curl "http://127.0.0.1:9180/apisix/admin/consumers/FetchBot/credentials" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "cred-bot-key-auth",
"plugins": {
"key-auth": {
"key": "bot-key"
}
}
}'

Create a Route

Create a route with key authentication enabled:

curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
"id": "rate-limiting",
"uri": "/internal",
"plugins": {
"key-auth": {}
},
"upstream" : {
"nodes": {
"mock.api7.ai:443": 1
},
"pass_host": "node",
"scheme": "https"
}
}'

Verify Rate Limiting

Verify Quota of Basic Plan

Send 10 simultaneous requests to the route as the consumer JohnDoe:

resp=$(seq 10 | xargs -I{} curl "http://127.0.0.1:9080/internal" -H 'apikey: john-key' -o /dev/null -s -w "%{http_code}\n") && \
count_200=$(echo "$resp" | grep "200" | wc -l) && \
count_429=$(echo "$resp" | grep "429" | wc -l) && \
echo "200": $count_200, "429": $count_429

You should see the following response:

200: 2, 429: 8

You should observe the same rate limiting behavior if you send requests with the key for JaneDoe.

This verifies that the rate limiting quota for the basic plan is in effect.

Verify Quota of Premium Plan

Send 30 simultaneous requests to the route as the consumer FetchBot:

resp=$(seq 30 | xargs -I{} curl "http://127.0.0.1:9080/internal" -H 'apikey: bot-key' -o /dev/null -s -w "%{http_code}\n") && \
count_200=$(echo "$resp" | grep "200" | wc -l) && \
count_429=$(echo "$resp" | grep "429" | wc -l) && \
echo "200": $count_200, "429": $count_429

You should see the following response:

200: 20, 429: 10

This verifies that the rate limiting quota for the premium plan is in effect.

Next Steps

You have now learned about the rate limiting plugins available in APISIX and how to implement different rate limiting quotas for consumers in different consumer groups.

Explore the plugin reference to learn more about how to implement rate limiting for your use cases.


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation