Skip to main content

Version: 3.2.9.5

Apply Rate Limiting to APIs

Rate limiting allows you to control the rate of requests sent to your API backend. This helps protect your backend from too much traffic and high costs. API requests may also include unwanted traffic generated by web crawlers as well as cyber attacks, such as DDoS.

API7 Enterprise offers rate limiting feature to protect APIs by limiting the number of requests sent to upstream nodes in a given period of time. The count of requests is done efficiently in memory with low latency and high performance.

Rate Limiting

Prerequisites

  1. Obtain a user account with Super Admin or API Provider role.
  2. Publish a service.

Rate limiting plugins are not typically set as global rules since APIs often require different rate limiting quotas. When the same plugin is configured both globally and locally in an object (e.g. a route), both plugin instances are executed sequentially.

Limit the Number of Requests per Time for a Single Route

In this tutorial, the route is limited to be accessed only 3 times within 60 seconds. If the limit is exceeded, a 503 status code is returned.

Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.

  1. Select Services from the side navigation bar and then select Swagger Petstore.

  2. Select Plugins from the side navigation bar.

  3. In the Plugins field, search the limit-count plugin.

  4. Click the Plus icon (+) and a dialog box appears.

  5. Apply the following configurations:

    {
    "count": 3,
    "time_window": 60,
    "key_type": "var",
    "rejected_code": 503,
    "rejected_msg": "Too many request",
    "policy": "local",
    "allow_degradation": false,
    "show_limit_quota_header": true
    }
  6. Click Enable.

  7. Select Services from the side navigation bar and then click Publish New Version for the Swagger Petstore service.

  8. Choose the Test Group gateway group and then click Next.

  9. From the dialog box, do the following:

    • In the New Version field, enter 1.0.1.
    • Leave the nodes unchanged and then click Publish.

Validate

Loop the request API five times:

for i in {1..5}; do curl 127.0.0.1:9080/pet/1;  done # Replace 127.0.0.1 with the address of your test group.
`
# Response to the 1, 2,3 requests
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 58
Date: Fri, 01 Sep 2023 03:48:27 GMT
x-srv-trace: v=1;t=fa189e8ae9c6f5f0
x-srv-span: v=1;s=fafd95fb74cd40ff
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693540165
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev

{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}

# Response to the 4,5 requests

HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 03:48:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: APISIX/dev

{"error_msg":"Too many request"}

Limit the Number of Requests per Second for a Single Route

In this tutorial, the route is limited to only 1 request per second. If the number of requests is between 1 and 3, a delay will be introduced. If the number of requests per second surpasses 3, the requests will be declined with a status code 503.

Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.

  1. Select Services from the side navigation bar and then select Swagger Petstore.

  2. Select Plugins from the side navigation bar.

  3. In the Plugins field, search the limit-req plugin.

  4. Click the Plus icon (+) and a dialog box appears.

  5. Apply the following configurations:

    {
    "rate": 1,
    "burst": 2,
    "rejected_code": 503,
    "key_type": "var",
    "key": "remote_addr",
    "rejected_msg": "Requests are too frequent, please try again later."
    }
  6. Click Enable.

  7. Select Services from the side navigation bar and then click Publish New Version for the Swagger Petstore service.

  8. Choose the Test Group gateway group and then click Next.

  9. From the dialog box, do the following:

    • In the New Version field, enter 1.0.1.
    • Leave the nodes unchanged and then click Publish.

Validate

Loop the request API five times:

for i in {1..5}; do curl 127.0.0.1:9080/pet/1;  done 

When looping through requests, all your requests will respond normally:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 04:16:05 GMT
x-srv-trace: v=1;t=620ffed95fea96cb
x-srv-span: v=1;s=44c7c66dd6b810c8
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693541823
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev

{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}

Concurrent the request API five times:

curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1"

You will have three requests successfully responded to, and two others blocked and responding with the following:

HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 04:16:02 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev

{"error_msg":"Requests are too frequent, please try again later."}

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation