Rate limit your APIs
API rate limiting is a technique used to limit the number of invocations made to an API during a specified time interval. Limiting the number of invocations prevents overloading the API and in turn improves its performance.
Using the Traffic Optimization policy in API Gateway, you can limit the number of API invocations during a specified time interval. When the number of invocations exceeds the configured limit, API Gateway sends alerts to a specified destination.
The Traffic optimization policy generates two types of events when the specified limit is breached:
- Policy violation event. Indicates the violations that occur for an API. If there are 100 violations, then 100 policy violation events are generated.
- Monitor event. Controlled by the alert frequency configuration specified in the policy.
The following illustration explains how the configured rate limit restricts API invocation.
Why and when do you configure rate limit?
API providers configure rate limit to:
- Prevent resource abuse. There could be cases in which a single consumer performs an unexpected number of invocations to an API. This overloads the system and affects the API's performance. Hence, as an API provider, you can configure a rate limit to prevent such usage.
- Manage traffic. As an API provider, you provide certain SLAs to your consumers, and if you have a large consumer base for your APIs, it is vital to control the traffic rate of your APIs. You can use rate limiting to manage traffic to an API, ensuring that it is highly available and responsive when handling requests from many consumers.
- Control resource usage. Resources cost money. The number of API invocations is directly proportional to the consumption of resources such as hosting providers, third-party agents and so on. By setting rate limits, you can control the amount of resources used by each client.
- Protect from malicious activities. Restricting requests over a period also helps to minimise the risk from attackers and protects your resources from malicious activities.
Rate limiting considerations
- You can configure rate limit in conjunction with other API policies such as Identify & Authorize policy, Traffic management policy and so on.
- To use the rate limit (which you configure for protection) and the quota (which you configure for monetization) correctly, you must understand the fundamental difference between the two:
| Rate limit | Quota |
|---|---|
| Specifies the number of requests that can be made to an API over a relatively shorter period, such as a second or a minute. | Specifies the number of requests that a consumer can make to an API over a longer period, such as per day, per week, or per month. |
| Useful for managing traffic and preventing overload of an API in real time. | Useful for controlling usage over a longer period and ensuring fair use of API resources. |
How to rate limit to an API?
In this example, let us see the steps to enforce a rate limit of 10 for the API, Petstore. That is, the policy does not allow more than ten invocations to the API.
To configure rate limit
Click APIs in the title navigation bar.
A list of available APIs appears.
Click Create API.
Select Import API from URL.
Provide Petstore in the Name field.
Provide the URL, https://petstore.swagger.io/v2/swagger.json.
Click Create. The Petstore API is created, and the API details page appears.
Click Edit.
Click the Policies tab.
Click Traffic Monitoring from the Policy Catalog section and click Traffic optimization. The policy is added. By default, the values Total Request Count and Greater than are selected in the Rule Name and Operator fields respectively.
Provide 5 in the Value field. When the number of invocations goes beyond five, the policy is considered violated.
Select Consumer-specific throttling and type *.**, and select Each consumer. This is to specify that the configured invocation limit must apply to each consumer application individually.
Select API Gateway under Destinations. The policy violation alerts are displayed in the API analytics page.
Provide 1 in the Alert Interval field and select Minutes in the Unit field.
Select Every Time in the Alert Frequency field to log an event every time the API is invoked beyond the specified limit.
Provide Number of invocations reached the maximum limit. Please try later in the Alert message field.
Click Save. The policy is enforced on the Petstore API. When the number of invocations goes beyond 10, an e-mail with the specified Alert message is sent to the provided e-mail address.
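The following is an added example, not API Gateway code, that simulates the behaviour described above: a per-consumer fixed window (assumed to be the Alert Interval), the rule Total Request Count greater than the Value, one policy violation event per excess invocation, and monitor events controlled by the Alert Frequency (Every Time versus an assumed Only Once). The rejected response code 429 is an assumption; the page only says the response changes.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TrafficOptimizationPolicy:
    """Simulated Traffic optimization policy (added example, not the product's code)."""
    limit: int = 5                       # Value field: violated when count > limit
    interval_seconds: int = 60           # assumed window: Alert Interval of 1 minute
    alert_frequency: str = "Every Time"  # or "Only Once" (assumed alternative)
    alert_message: str = "Number of invocations reached the maximum limit. Please try later"
    violation_events: list = field(default_factory=list)
    monitor_events: list = field(default_factory=list)
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _window_start: dict = field(default_factory=dict)
    _monitor_sent: set = field(default_factory=set)

    def handle(self, consumer: str, now: float):
        """Process one invocation by `consumer` at time `now`; return (status, body)."""
        start = self._window_start.get(consumer)
        if start is None or now - start >= self.interval_seconds:
            # New window for this consumer (Each consumer): reset its count and alert flag.
            self._window_start[consumer] = now
            self._counts[consumer] = 0
            self._monitor_sent.discard(consumer)
        self._counts[consumer] += 1
        if self._counts[consumer] <= self.limit:
            return 200, "OK"
        # Every invocation beyond the limit raises its own policy violation event.
        self.violation_events.append((consumer, now))
        # Monitor events are throttled by the alert frequency configuration.
        if self.alert_frequency == "Every Time" or consumer not in self._monitor_sent:
            self._monitor_sent.add(consumer)
            self.monitor_events.append((consumer, now, self.alert_message))
        return 429, self.alert_message  # assumed rejection status


if __name__ == "__main__":
    policy = TrafficOptimizationPolicy()
    for t in range(8):  # constructed sample: eight calls from one consumer within a minute
        print(t, policy.handle("petstore-app", t))
    print(len(policy.violation_events), "violation events,",
          len(policy.monitor_events), "monitor events")
```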
Testing the API rate limit
Before you begin
Ensure that you have
- Postman installed in your system, or you can use the web version of Postman.
To test the GraphQL API using Postman
Invoke the API more than five times using a REST client. Notice the change in the API response. API response until the rate limit is reached.
API response after the rate limit is reached.
Navigate to the API analytics page.
View the bar graph plotted for the violation events for the Last 15 minutes.
View the Runtime events section to view the alert message that you provided during policy configuration.