[Tutorial] How to Prioritize Traffic with Rate Limits by HTTP Method

Most applications require external users or clients to access a variety of their services and therefore require policies to secure and protect them.  Rate limiting is a strategy implemented in API or Edge Gateways to protect backend services by preventing service outages from being overrun with more requests than it’s resources can process and respond to within the agreed service levels.  

Rate limits can be configured in a variety of ways to limit the volume or requests over a time period to the endpoint, by the client ID, by HTTP method, with integrated security, and more. This article digs a use case case to configure multiple rate limits for the same client ID (remote address). In our previous post, we detailed setting up multiple rate limits by client ID and in this post we cover setting up rate limits by HTTP method. 


When to use this use case

Rate limiting by HTTP method helps build resilient systems by implementing different priorities or classes of traffic incoming to the same service that needs to be processed for response. This strategy is strongly related to the concept of load shedding.

The diagram below explains the scenario with an exposed API that supports both GET and POST methods for listing data and creating resources, respectively. Both are important but the POST action is more important to your business and that function needs to be available over the GET function. Multiple rate limits are configured to enable this scenario. 



Try this use case

Follow along using this tutorial to try configuring this type of rate limiting policy.

Set up your environment using these instructions. Any self-hosted or cloud managed Kubernetes (our demo uses GKE) with Gloo API Gateway (latest 1.4) installed will work. Then deploy the demo app, add a virtual service to expose via Gloo, and query the service.

Then you’ll use these instructions to set up and test the global and nested rate limit configuration with 10 requests per minute for POST and 2 request per minutes with GET.

    # allow 5 calls per minute for any unique host
    - key: remote_address
        requestsPerUnit: 10
        unit: MINUTE
    # specifically limit GET requests from unique hosts to 2 per min

    - key: method
      value: GET
      - key: remote_address
          requestsPerUnit: 2
          unit: MINUTE


Watch the demo


Learn More

We hope you found this tutorial informative and useful in your exploration of API Gateway functionality. You can watch the full webinar featuring this demo here and sign up for an upcoming webinar here.