Apply Rate Limiting to APIs
Rate limiting allows you to control the rate of requests sent to your API backend. This helps protect your backend from too much traffic and high costs. API requests may also include unwanted traffic generated by web crawlers as well as cyber attacks, such as DDoS.
API7 Enterprise offers rate limiting feature to protect APIs by limiting the number of requests sent to upstream nodes in a given period of time. The count of requests is done efficiently in memory with low latency and high performance.
Prerequisites
- Obtain a user account with Super Admin or API Provider role.
- Publish a service.
Apply Rate Limiting for All Services (Not Recommended)
Rate limiting plugins are not typically set as global rules since APIs often require different rate limiting quotas. When the same plugin is configured both globally and locally in an object (e.g. a route), both plugin instances are executed sequentially.
Limit the Number of Requests per Time for a Single Route
In this tutorial, the route is limited to be accessed only 3 times within 60 seconds. If the limit is exceeded, a 503 status code is returned.
Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.
Select Services from the side navigation bar and then select Swagger Petstore.
Select Plugins from the side navigation bar.
In the Plugins field, search the
limit-countplugin.Click the Plus icon (+) and a dialog box appears.
Apply the following configurations:
{
"count": 3,
"time_window": 60,
"key_type": "var",
"rejected_code": 503,
"rejected_msg": "Too many request",
"policy": "local",
"allow_degradation": false,
"show_limit_quota_header": true
}Click Enable.
Select Services from the side navigation bar and then click Publish New Version for the
Swagger Petstoreservice.Choose the
Test Groupgateway group and then click Next.From the dialog box, do the following:
- In the New Version field, enter
1.0.1. - Leave the nodes unchanged and then click Publish.
- In the New Version field, enter
Validate
Loop the request API five times:
for i in {1..5}; do curl 127.0.0.1:9080/pet/1; done # Replace 127.0.0.1 with the address of your test group.
`
# Response to the 1, 2,3 requests
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 58
Date: Fri, 01 Sep 2023 03:48:27 GMT
x-srv-trace: v=1;t=fa189e8ae9c6f5f0
x-srv-span: v=1;s=fafd95fb74cd40ff
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693540165
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
# Response to the 4,5 requests
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 03:48:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 0
Server: APISIX/dev
{"error_msg":"Too many request"}
Limit the Number of Requests per Second for a Single Route
In this tutorial, the route is limited to only 1 request per second. If the number of requests is between 1 and 3, a delay will be introduced. If the number of requests per second surpasses 3, the requests will be declined with a status code 503.
Since plugin configurations are not considered Runtime Configurations, you should modify it in the service template and then publish a new version to the gateway group.
Select Services from the side navigation bar and then select Swagger Petstore.
Select Plugins from the side navigation bar.
In the Plugins field, search the
limit-reqplugin.Click the Plus icon (+) and a dialog box appears.
Apply the following configurations:
{
"rate": 1,
"burst": 2,
"rejected_code": 503,
"key_type": "var",
"key": "remote_addr",
"rejected_msg": "Requests are too frequent, please try again later."
}Click Enable.
Select Services from the side navigation bar and then click Publish New Version for the
Swagger Petstoreservice.Choose the
Test Groupgateway group and then click Next.From the dialog box, do the following:
- In the New Version field, enter
1.0.1. - Leave the nodes unchanged and then click Publish.
- In the New Version field, enter
Validate
Loop the request API five times:
for i in {1..5}; do curl 127.0.0.1:9080/pet/1; done
When looping through requests, all your requests will respond normally:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 323
Connection: keep-alive
Date: Fri, 01 Sep 2023 04:16:05 GMT
x-srv-trace: v=1;t=620ffed95fea96cb
x-srv-span: v=1;s=44c7c66dd6b810c8
Access-Control-Allow-Origin: *
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 117
X-RateLimit-Reset: 1693541823
ETag: W/"143-JIrwO+Sx1/7FTTpJ2ljwAfgaRCY"
Vary: Accept-Encoding
Server: APISIX/dev
{
"name": "Dog",
"photoUrls": [
"https://example.com/dog-1.jpg",
"https://example.com/dog-2.jpg"
],
"id": 1,
"category": {
"id": 1,
"name": "pets"
},
"tags": [
{
"id": 1,
"name": "friendly"
},
{
"id": 2,
"name": "smart"
}
],
"status": "available"
}
Concurrent the request API five times:
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1" & \
curl -i "http://127.0.0.1:9080/pet/1"
You will have three requests successfully responded to, and two others blocked and responding with the following:
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 01 Sep 2023 04:16:02 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/dev
{"error_msg":"Requests are too frequent, please try again later."}