[Tutorial] How to Set Multiple Rate Limits per Client ID with Envoy Proxy

Most applications require external users or clients to access a variety of their services and therefore need policies to secure and protect those services. Rate limiting is a strategy implemented in API or edge gateways to protect backend services: it prevents outages caused by a service being overrun with more requests than its resources can process and respond to within the agreed service levels.

Rate limits can be configured in a variety of ways: to limit the volume of requests over a time period to an endpoint, by client ID, by HTTP method, with integrated security, and more. This article digs into a use case that configures multiple rate limits for the same client ID (remote address).

 

When to use this use case

This rate limiting policy is ideal for scenarios where you want to enforce a consistent usage plan over a long period of time while also preventing unplanned spikes in traffic from overwhelming the service.

Because this limit is keyed on the remote address of a client system, it is ideal for scenarios where a known system will always require access to a specific service, sending requests to it and receiving responses from it. To configure this rate limit, a real client ID must be used, not the address of a Kubernetes cluster or load balancer.

 

Try this use case

Follow along using this tutorial to try configuring this type of rate limiting policy.

Set up your environment using these instructions. Any self-hosted or cloud managed Kubernetes (our demo uses GKE) with Gloo API Gateway (latest 1.4) installed will work. Then deploy the demo app, add a virtual service to expose via Gloo, and query the service.

Then you’ll use these instructions to set up remote address forwarding, and then set up rate limits, starting with a basic limit and moving on to more complex ones.

The configuration in the settings-patch-2.yaml file includes two different rate limits for the same client ID: 10 requests per minute and 1 request per second.

spec:
  ratelimit:
    descriptors:
      - key: generic_key
        value: "per-minute"
        descriptors:
          - key: remote_address
            rateLimit:
              requestsPerUnit: 10
              unit: MINUTE
      - key: generic_key
        value: "per-second"
        descriptors:
          - key: remote_address
            rateLimit:
              requestsPerUnit: 1
              unit: SECOND
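To see how the two descriptors above combine for a single address, here is an added simulation (not Gloo's or Envoy's code) that models the fixed-window, count-every-descriptor behaviour assumed for Envoy's reference rate limit service: a request is rejected when any descriptor is over its limit, and each descriptor keeps its own counter per remote address and time bucket. The client addresses and timestamps are constructed for the example.

```python
from collections import defaultdict

# The two limits from settings-patch-2.yaml, keyed by the generic_key value:
# (requestsPerUnit, window length in seconds).
LIMITS = {"per-minute": (10, 60), "per-second": (1, 1)}


class FixedWindowLimiter:
    """Counts hits per (descriptor, remote_address, time bucket).

    Assumption: fixed windows aligned to the unit boundary, and every
    descriptor's counter is incremented even when another one is over limit.
    """

    def __init__(self, limits):
        self.limits = limits
        self.counts = defaultdict(int)

    def check(self, remote_address, now):
        """Return (allowed, names of descriptors that are over limit)."""
        over = []
        for name, (per_unit, window) in self.limits.items():
            key = (name, remote_address, int(now) // window)
            self.counts[key] += 1
            if self.counts[key] > per_unit:
                over.append(name)
        return (not over, over)


def simulate(events):
    """events: iterable of (remote_address, timestamp_seconds).

    Returns ({address: allowed_count}, [(address, ts, over_limit_names), ...]).
    """
    limiter = FixedWindowLimiter(LIMITS)
    allowed, rejected = defaultdict(int), []
    for addr, ts in events:
        ok, over = limiter.check(addr, ts)
        if ok:
            allowed[addr] += 1
        else:
            rejected.append((addr, ts, over))
    return dict(allowed), rejected


def burst_then_steady():
    """Constructed traffic: 10.0.0.5 sends a 5-request burst in the first
    second, then one request per second for 14 seconds; 10.0.0.6 sends one
    request. Expected: the burst is cut to 1 by the per-second limit, the
    steady stream is cut off once the minute's 10 hits are used up, and
    10.0.0.6 is unaffected because counters are per remote address."""
    events = [("10.0.0.5", i * 0.1) for i in range(5)]
    events += [("10.0.0.5", float(t)) for t in range(1, 15)]
    events += [("10.0.0.6", 0.0)]
    return simulate(events)
```

Note that rejected requests still consume the per-minute budget in this model, which is why a burst shortens the steady stream; an implementation that stops counting once any descriptor is over limit would behave differently.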

Watch the demo

This video walks through the use case, from setting up the environment to configuring the rate limits.

 

Learn More

We hope you found this tutorial informative and useful in your exploration of API Gateway functionality. You can watch the full webinar featuring this demo here and sign up for an upcoming webinar here.