Skip to main content
Version: 3.2.15.2

Apply Rate Limiting to APIs

Applying rate limiting controls the number of requests sent to your API backend. This protects your backend from too much traffic, both wanted and unwanted (web crawlers, DDoS attacks), which can result in operational inefficiencies and higher costs.

This guide walks you through applying rate limits to control the requests sent to your upstream nodes over time.

Rate Limiting

Prerequisites

  1. Install API7 Enterprise.
  2. Have a running API on the gateway group.

You should not configure rate-limiting plugins globally, as different APIs typically require different rate-limiting quotas. If you configure the same plugin globally (in a global rule) and locally (in a route), the API7 Gateway executes both plugin instances sequentially.

Apply Rate Limiting for a Single Route

Limit Request Count

This section configures a route with rate limiting to only allow 3 requests in 60 seconds. When the limit is exceeded, a 429 status code is returned to the consumer.

  1. Select Published Services of your gateway group from the side navigation bar, then click the service you want to modify, for example, httpbin with version 1.0.0.
  2. Under the published service, select Routes from the side navigation bar.
  3. Select your target route, for example, get-ip.
  4. In the Plugin field, click Enable Plugin.
  5. Search for the Limit Count Plugin, then click Enable.
  6. In the dialog box, do the following:

  • Add the following configuration to the JSON Editor:

    {
      "count": 3,
      "time_window": 60,
      "key_type": "var",
      "rejected_code": 429,
      "rejected_msg": "Too many requests",
      "key": "remote_addr",
      "policy": "local",
      "allow_degradation": false,
      "show_limit_quota_header": true
    }

  • Click Enable.

Below is an interactive demo that provides a hands-on introduction to limiting request numbers. You will gain a better understanding of how to use it in API7 Enterprise by clicking and following the steps.

Validate

To validate, send five consecutive requests :

resp=$(seq 5 | xargs -I{} curl "http://127.0.0.1:9080/ip" -o /dev/null -s -w "%{http_code}\n") && \
  count_200=$(echo "$resp" | grep "200" | wc -l) && \
  count_429=$(echo "$resp" | grep "429" | wc -l) && \
  echo "200": $count_200, "429": $count_429

You should see the following response, showing that out of the 5 requests, 3 requests were successful (status code 200) while the others were rejected (status code 429).

200:    3, 429:    2

Limit Requests per Second

This section configures a route with rate-limiting to only allow 1 request per second. When the number of requests per second is between 1 and 3 they will be delayed/throttled. When the number of requests per second is more than 3, a 429 status code is returned.

  1. Select Published Services of your gateway group from the side navigation bar, then select the service you want to modify, for example, httpbin with version 1.0.0.
  2. Under the published service, select Routes from the side navigation bar.
  3. Select your target route, for example, get-ip.
  4. In the Plugin field, click Enable Plugin.
  5. Search for the Limit Req Plugin, then click Enable.
  6. In the dialog box, do the following:

  • Add the following configuration to the JSON Editor:

    {
      "rate": 1,
      "burst": 2,
      "rejected_code": 429,
      "key_type": "var",
      "key": "remote_addr",
      "rejected_msg": "Requests are too frequent, please try again later."
    }

  • Click Enable.

Validate

To validate, send five requests to the route:

for i in {1..5}; do curl -i '127.0.0.1:9080/ip';  done

You will get back the required response because the requests are sequential. Now send five concurrent requests to the route: 

curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip" & \
curl -i "http://127.0.0.1:9080/ip"

Three of these requests will have the required response, and the other two will be rejected with the following response:

HTTP/1.1 429 Too Many Requests
Date: Fri, 01 Jun 2024 04:43:51 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: API7/3.2.13.0

{"error_msg":"Requests are too frequent, please try again later."}

Rate Limit with Consumers

The following example demonstrates how you can configure different rate limiting policies by consumers. While this example uses Key Auth Plugin for authentication, the route can also be configured with Basic Auth Plugin, JWT Auth Plugin, and HMAC Auth Plugin.

Add a Consumer

Create a regular consumer Alice with key authentication credential, and configure the Limit Count Plugin to allow for a quota of 3 within a 60-second window:

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Click Add Consumer.
  3. From the dialog box, do the following:
  • In the Name field, enter Alice.
  • Click Add.
  1. Under the Credentials tab, click Add Key Authentication Credential.
  2. From the dialog box, do the following:
  • In the Name field, enter primary-key.
  • In the Key field, choose Manually Input, then enter alice-primary-key.
  • Click Add.
  1. Got to the Plugins tab, click Enable Plugin.
  2. Search for the Limit Req Plugin, then click Enable.
  3. In the dialog box, do the following:

  • Add the following configuration to the JSON Editor:

    {
      "count": 3,
      "time_window": 60,
      "key_type": "var",
      "rejected_code": 429,
      "rejected_msg": "Too many requests",
      "key": "remote_addr",
      "policy": "local",
      "allow_degradation": false,
      "show_limit_quota_header": true
    }

  • Click Enable.

Configure Route

Create a route and configure the Key Auth Plugin for authentication:

  1. Select Published Services of your gateway group from the side navigation bar, then click the service you want to modify, for example, httpbin with version 1.0.0.
  2. Under the published service, select Routes from the side navigation bar.
  3. Select your target route, for example, get-ip.
  4. In the Plugin field, click Enable Plugin.
  5. Search for the Key Auth Plugin, then click Enable.
  6. In the dialog box, do the following:

  • Add the following configuration to the JSON Editor:

    {
    }

  • Click Enable.

Validate

To validate, send five consecutive requests with Alice's key:

resp=$(seq 5 | xargs -I{} curl "http://127.0.0.1:9080/ip" -H 'apikey: alice-key' -o /dev/null -s -w "%{http_code}\n") && \
  count_200=$(echo "$resp" | grep "200" | wc -l) && \
  count_429=$(echo "$resp" | grep "429" | wc -l) && \
  echo "200": $count_200, "429": $count_429

You should see the following response, showing that out of the 5 requests, 3 requests were successful (status code 200) while the others were rejected (status code 429).

200:    3, 429:    2

Additional Resources

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud
API7 Enterprise
API Portal
Roadmap

Open Source

Apache APISIX
K8s Ingress Controller
wasm-nginx-module
Contributor Graph

Resources

Blog
Documentation
NGINX + Lua
APISIX vs Kong
APISIX vs NGINX

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation