Rate Limiting with Envoy Proxy based API Gateways
In this post, we’ll dig into Rate Limiting and its role in API Gateways.
What is Rate Limiting?
Rate limiting is the ability to specify how many times an end user can call a service within a rate (time interval like per second, minute, hour) and even setting a quota (total number received within a period like day, week, month).
API Gateways help control the incoming traffic from an end user or system (client) to a specified application service. This interaction of exposing services to external users who are unknown to the organization can put the service at risk of potentially (gasp!) malicious behavior. Rate limiting allows you to protect your environment from intentional or unintentional issues that overwhelm your services with incoming traffic that result in failures and service outages.
Examples of issues include denial of service attacks from malicious users, a rogue script or random changes in the traffic mix where a spike in low priority user requests crowd out the higher priority requests into your service.
Gloo Enterprise provides two models for rate limiting to address a wide range of use cases and flexibility from simple to finer grained settings.
- Gloo includes for simplified rate limiting model
- Envoy rate limiting with Gloo for a finer grained settings
Gloo’s built in rate limiting offers a simplified model to specify the number of requests per unit of time that can be made against all routes (incoming traffic paths) defined within a virtual host. Different limits can be set for authorized users (per user basis) and anonymous users (incoming IPs) and are defined on the virtual service specification.
The example below shows the rate limit configuration of 1000 anonymous requests per hour and 200 authorized requests per minute to the same virtual service. This allows you to also better control resource utilization across different types of users.
ratelimitBasic: anonymous_limits: requests_per_unit: 1000 unit: HOUR authorized_limits: requests_per_unit: 200 unit: MINUTE
The Envoy rate limiting API can be used with Gloo to define more granular rate limits. With Envoy rate limiting, you can use custom headers and application meta information to make decisions. This can get quite fine grained and at the same time complex. We recommend starting with the built in rate limiting in Gloo and then adding the Envoy rate limiting as needed.
Give rate limiting a try in Gloo: