Basic rate limiting
Set up basic rate limiting for your API products before you expose the API products in the developer portal. The rate limits control how many requests within a time period are allowed to your API products, such as 100 requests per minute. The rate limits form a key part of the usage plan for your API products.
Before you begin
-
Create your APIs, including the Gloo ApiDocs that describe the stitched schema.
-
Bundle your APIs into API products by using a route table.
-
Optional: Review the Usage plan overview to understand how the various Gloo custom resources work together to create usage plans for your developer portal.
-
Get the labels of your routes to use to apply policies to, such as with the example query.
kubectl get rt -n gloo-mesh-gateways -o=jsonpath='{range .items[*]}[{.metadata.name}, {.spec.http[*].name}, {.spec.http[*].labels}]{"\n"}{end}'Example output:
- The
tracks-rtroute table has ausagePlans: dev-portallabel on itstracks-apiroute. - The other route tables do not have route-level labels. To apply policies, you can add labels to those routes.
[api-example-com-rt, , ] [petstore-rt, pets-api users-api store-api, ] [tracks-rt, tracks-api, {"usagePlans":"dev-portal"}] - The
Rate limiting policy
Control how many requests within a time period are allowed to your APIs, such as 100 requests per minute.
Review the following example rate limiting resources.
-
Select the rate limiting server to use. The example uses the default rate limiting server that you created when you installed Gloo Platform. For more information, see Rate limit server settings.
kubectl apply -f - << EOF apiVersion: admin.gloo.solo.io/v2 kind: RateLimitServerSettings metadata: name: rl-server namespace: gloo-mesh-addons labels: portal: rate-limit spec: destinationServer: port: name: grpc ref: cluster: $CLUSTER_NAME name: rate-limiter namespace: gloo-mesh-addons EOF -
Set up the rate limit client config to define the
usagePlandescriptor key and extract details from thex-solo-planheader that is set up in your matching external auth policy. The configuration varies depending on the type of external auth policy that you applied: API key or OAuth. For more information, see Rate limit client config.kubectl apply -f - <<EOF apiVersion: trafficcontrol.policy.gloo.solo.io/v2 kind: RateLimitClientConfig metadata: name: usage-plans namespace: gloo-mesh-addons labels: portal: rate-limit spec: raw: rateLimits: - setActions: - requestHeaders: descriptorKey: usagePlan headerName: x-solo-plan - metadata: descriptorKey: userId metadataKey: key: envoy.filters.http.ext_authz path: - key: userId EOFkubectl apply -f - <<EOF apiVersion: trafficcontrol.policy.gloo.solo.io/v2 kind: RateLimitClientConfig metadata: name: usage-plans namespace: gloo-mesh-addons labels: portal: rate-limit spec: raw: rateLimits: - setActions: - metadata: descriptorKey: usagePlan metadataKey: key: envoy.filters.http.ext_authz path: - key: usagePlan - metadata: descriptorKey: userId metadataKey: key: envoy.filters.http.ext_authz path: - key: userId EOF -
Use the RateLimitServerConfig to define the values of the descriptors that are the usage plan names, that match the
usagePlandescriptor key that you configured in the RateLimitClientConfig. TheuserIdandusagePlandetails are extracted from the API key details in the request header that is required by the API key external auth policy. The following rate limit server config example creates three usage plans as follows:- Bronze: Requests to your APIs are limited to 1 per minute.
- Silver: Requests to your APIs are limited to 3 per minute.
- Gold: Requests to your APIs are limited to 5 per minute.
For more information, see Rate limit server config.
kubectl apply -f - << EOF apiVersion: admin.gloo.solo.io/v2 kind: RateLimitServerConfig metadata: name: usage-plans namespace: gloo-mesh-addons labels: portal: rate-limit spec: destinationServers: - port: name: grpc ref: cluster: $CLUSTER_NAME name: rate-limiter namespace: gloo-mesh-addons raw: setDescriptors: - simpleDescriptors: - key: userId - key: usagePlan value: bronze rateLimit: requestsPerUnit: 1 unit: MINUTE - simpleDescriptors: - key: userId - key: usagePlan value: silver rateLimit: requestsPerUnit: 3 unit: MINUTE - simpleDescriptors: - key: userId - key: usagePlan value: gold rateLimit: requestsPerUnit: 5 unit: MINUTE EOF -
Apply the rate limit policy to the
tracks-apiroute that you previously created in the API product's route table. You apply policies by labels. Thetracks-apiroute has theusagePlans: dev-portallabel.kubectl apply -f - << EOF apiVersion: trafficcontrol.policy.gloo.solo.io/v2 kind: RateLimitPolicy metadata: name: tracks-rate-limit namespace: default labels: portal: rate-limit spec: applyToRoutes: - route: labels: usagePlans: dev-portal config: ratelimitServerConfig: name: usage-plans namespace: gloo-mesh-addons cluster: $CLUSTER_NAME ratelimitClientConfig: name: usage-plans namespace: gloo-mesh-addons cluster: $CLUSTER_NAME serverSettings: name: rl-server namespace: gloo-mesh-addons cluster: $CLUSTER_NAME phase: postAuthz: priority: 1 EOF -
Verify that your rate limiting is in place by repeating the following request 6 times in a row. Because your user ID is limited to the
goldusage plan's limit of 5 requests per minute, the sixth time your request is blocked. Note that this step requires you to have set up API key external auth already.curl -v -H 'api-key: apikey1' --resolve api.example.com:80:${INGRESS_GW_IP} http://api.example.com/trackapi/tracksExample output:
< HTTP/1.1 429 Too Many Requests < x-envoy-ratelimited: true
Next steps
- Set up dynamic rate limiting for more fine-grained rate limit control.
- If you haven't already, require API key external auth.
- Configure the developer portal.