29-Mar-2022 09:00 - edited 23-Aug-2022 07:04
Introduction:
Rate limiting is a method of protecting backend applications by constraining the rate of traffic coming into or out of an application. The rate is expressed as the number of times a route may be used within a specific time interval (per second or per minute). Without such a limit, a surge of incoming requests can overload the capacity of the services, resulting in poor performance, reduced functionality, and sometimes downtime. Such surges can be intentional (a DDoS attack) or unintentional (misconfigured applications or clients). Rate limiting allows the administrator to cap the number of API requests per second or per minute.
Each incoming request can be monitored using ONE of the following:
Rate Limiter is a combination of the following:
Use-Case:
For example, a customer's website provides services to both premium and free users and gets overloaded frequently. We might increase capacity temporarily as needed, but we want to ensure that the user experience of premium users is not affected by the increased load from free users.
Solution:
An alternative approach is simply to prioritize the traffic. We can implement rate limiting based on an HTTP header name or a cookie name. Premium and free users' traffic can be tagged on the client side with a premium-user HTTP header or premium-user cookie, or a free-user HTTP header or free-user cookie. You can then rate limit the free users' traffic to your website, ensuring that the premium users' experience is not affected by the free users.
Step by step process:
Version: Cloud Console version at the time of writing: crt-20220217-1449
Prerequisites:
Step 1:
Log in to the F5 cloud account with valid credentials and then click on "Load Balancers" in the Common Services section.
Step 2:
Navigate to the Manage section, click on "Load Balancers" and then select HTTP Load Balancers.
Click on the three dots in the Actions column for the load balancer and then select the "Manage Configuration" option.
Step 3:
Next, click on "Edit Configuration" and then select Security Configuration in the left menu.
Now toggle the "Show Advanced Fields" button as shown below:
Step 4:
Select the "Rate-limiting parameters" option in the "Rate Limiting" drop-down and then click on Configure.
Step 5:
Toggle the "Show Advanced Fields" button, provide a valid number and a period from the drop-down options (seconds or minutes), and leave the Burst Multiplier field at its default value of 1 as shown below:
Step 6:
Apply the above configuration, then click on the "Save and Exit" button.
Step 7:
Copy the domain name of the load balancer, open a browser, enter the domain name, and check that the demo application is accessible as shown below.
Step 8:
Try to access the same application multiple times; once the configured rate limit is reached, the error shown below is returned.
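To make the mechanism concrete, here is an added example (my own code, not F5's implementation and not code from this article) that ties the header/cookie-based prioritization from the Solution section to the number, period and burst multiplier parameters of Step 5. It implements a small token-bucket limiter: each client in the "free" tier gets its own bucket, "premium" traffic has no rule and passes through, and a request that finds the bucket empty is answered with 429, which is the point at which Step 8 shows the error. The header name `X-User-Tier`, the cookie name `user_tier`, the token-bucket model itself and the reading of burst multiplier as "bucket capacity = number × multiplier" are all my assumptions; the product's internal algorithm is not described on this page.

```python
"""Added example: tier-aware token-bucket rate limiter (not F5's implementation)."""
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Assumed client-side tagging; the article leaves the actual names to the operator.
TIER_HEADER = "x-user-tier"   # e.g. "X-User-Tier: premium"
TIER_COOKIE = "user_tier"     # e.g. "Cookie: user_tier=premium"


@dataclass
class RateLimitRule:
    limit: int                 # requests allowed per period ("number" in Step 5)
    period_seconds: float      # 1 for per-second, 60 for per-minute ("period")
    burst_multiplier: int = 1  # assumed semantics: bucket capacity = limit * multiplier


class TokenBucketLimiter:
    """One bucket per key; refills continuously at limit/period tokens per second."""

    def __init__(self, rule: RateLimitRule):
        self.capacity = float(rule.limit * rule.burst_multiplier)
        self.refill_per_second = rule.limit / rule.period_seconds
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_update)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.refill_per_second)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def classify_tier(headers: dict, cookie_header: str = "") -> str:
    """'premium' if the request carries the premium header or cookie, otherwise 'free'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(TIER_HEADER, "").strip().lower() == "premium":
        return "premium"
    jar = SimpleCookie()
    jar.load(cookie_header)
    if TIER_COOKIE in jar and jar[TIER_COOKIE].value == "premium":
        return "premium"
    return "free"


class TieredRateLimiter:
    """Applies one rule per tier; a tier without a rule (premium here) is never limited."""

    def __init__(self, rules: dict, clock=time.monotonic):
        self._limiters = {tier: TokenBucketLimiter(rule) for tier, rule in rules.items()}
        self._clock = clock

    def handle(self, client_ip: str, headers: dict, cookie_header: str = "", now=None) -> int:
        """Return the HTTP status the edge would answer with: 200 (pass through) or 429."""
        tier = classify_tier(headers, cookie_header)
        limiter = self._limiters.get(tier)
        if limiter is None:
            return 200
        if now is None:
            now = self._clock()
        # Bucket per (tier, client) so one noisy free client cannot starve the others.
        return 200 if limiter.allow(f"{tier}:{client_ip}", now) else 429


def demo() -> list:
    """Constructed traffic: 5 free requests in one second, then premium, then after refill."""
    rl = TieredRateLimiter({"free": RateLimitRule(limit=3, period_seconds=1, burst_multiplier=1)})
    statuses = [rl.handle("198.51.100.7", {}, now=0.0) for _ in range(5)]
    statuses.append(rl.handle("198.51.100.7", {"X-User-Tier": "premium"}, now=0.0))
    statuses.append(rl.handle("198.51.100.7", {}, "user_tier=premium; sid=abc", now=0.0))
    statuses.append(rl.handle("198.51.100.7", {}, now=1.0))  # bucket has refilled
    return statuses


if __name__ == "__main__":
    print(demo())  # [200, 200, 200, 429, 429, 200, 200, 200]
```

The `demo()` traffic is constructed: with a free-tier rule of 3 requests per second, the fourth and fifth requests from the same client in the same second get 429, the premium-tagged requests are never limited, and one second later the free client is admitted again. Raising `burst_multiplier` only enlarges the bucket, so a client can spend a larger burst at once but still averages `limit` per period over time.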
Below are some more options available in rate limiting feature for more requests granularity:
Conclusion:
Rate limiting protects applications against brute-force attacks and limits access to searches, API calls, or resources that involve database-intensive operations at your origin. It also provides the ability to limit the number of requests originating from a particular user.
For further information or to get started click the links below: