API Rate Limiting

Another common concern for APIs exposed to external traffic is how to rate-limit their consumers, for example to enforce Service Level Access policies and to prevent Denial of Service attacks. Rate Limiting solutions can provide per-identity access limits corresponding to different levels of access privilege.

The Gloo Gateway already ships with a Rate Limiting Server to rate-limit API calls. Istio, on the other hand, does not provide such a server out of the box; for this reason, when targeting the Istio Gateway, the Developer Portal deploys its own Rate Limiting Server.

Configuration of the Rate Limit Server is performed automatically by the Developer Portal based on the configuration provided in the Usage Plans defined in each API Product.

When Usage Plans are enabled for an API Product, API client requests issued to that product will be rate limited under a predefined Usage Plan. When a user is authorized to consume an API, the rate limiting policies defined in the associated Usage Plan are applied.
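
The following sketch models the relationship described above: an authorized identity maps to a Usage Plan, and the plan's limit is counted per identity. It is an added example, not the Developer Portal's or the Rate Limit Server's own code. The plan names, limits, API keys, the fixed-window algorithm and the 401/429 status codes are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class UsagePlan:
    name: str
    requests_per_window: int
    window_seconds: int


# Constructed sample data (hypothetical plan names, limits and API keys).
PLANS = {
    "basic": UsagePlan("basic", 3, 60),
    "premium": UsagePlan("premium", 10, 60),
}
API_KEY_TO_PLAN = {"key-alice": "basic", "key-bob": "premium"}


class PlanRateLimiter:
    """Fixed-window limiter: one counter per authenticated identity."""

    def __init__(self, plans, key_to_plan, clock=time.monotonic):
        self.plans = plans
        self.key_to_plan = key_to_plan
        self.clock = clock
        self.windows = {}  # api_key -> (window_start, count)

    def check(self, api_key):
        """Return an HTTP-style status: 200 allowed, 401 unknown, 429 limited."""
        plan_name = self.key_to_plan.get(api_key)
        if plan_name is None:
            return 401  # unknown callers are rejected and never get a counter
        plan = self.plans[plan_name]
        now = self.clock()
        start, count = self.windows.get(api_key, (now, 0))
        if now - start >= plan.window_seconds:
            start, count = now, 0  # window expired: start a fresh one
        if count >= plan.requests_per_window:
            return 429
        self.windows[api_key] = (start, count + 1)
        return 200


def demo():
    t = [0.0]  # injectable clock so the window reset is deterministic
    limiter = PlanRateLimiter(PLANS, API_KEY_TO_PLAN, clock=lambda: t[0])
    alice = [limiter.check("key-alice") for _ in range(4)]
    bob = [limiter.check("key-bob") for _ in range(4)]
    t[0] = 61.0
    return alice, bob, limiter.check("key-alice"), limiter.check("key-unknown")
```

Because counters are keyed by identity and not by plan, one consumer exhausting its quota does not affect another consumer on the same plan.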