Rate limiting is an advanced security protection concept. It protects backend applications by controlling the rate of traffic coming into or out of an application. The rate is specified as how many times a Virtual Host Route can be called within a specific time interval (per second or minute). If the number of requests exceeds the defined limit, the incoming requests can overwhelm the capacity of the services, resulting in degraded performance, reduced functionality, and downtime. This can be the result of either intentional events (DDoS) or unintentional ones (misconfiguration of applications or clients). Rate limiting allows the administrator to limit the number of API requests per second or minute.
Each incoming request can be monitored using ONE of the following:
Client IP Address: Use the client source IP address as the user identifier.
Cookie Name: Use an HTTP cookie value as the user identifier.
HTTP Header Name: Use a specific HTTP header value as the user identifier.
Query Parameter Key: Use the query parameter value for the given key as the user identifier.
Rate Limiter is a combination of the following:
Number: The total number of allowed requests in the specified period.
Per Period: The unit of the period over which the rate limit is applied (seconds or minutes).
For example, a customer's website provides services to premium and free customers, and this website gets overloaded frequently. We might increase the capacity temporarily as needed, but we want to ensure that the user experience of premium users is not affected by increased load from the free users.
An alternative approach would be to simply prioritize the traffic. We can implement HTTP-header-name or cookie-name based rate limiting. Premium and free users' traffic can be tagged on the client side with a premium-user HTTP header or premium-user cookie, or a free-user HTTP header or free-user cookie. You can then rate limit the free users' traffic to your website, ensuring that the premium users' experience is not affected by the free users.
Step by step process:
Version: Cloud Console at the time of the article: crt-20220217-1449
Access to an F5 Distributed Cloud account (contact sales for account access)
Customer domain configured and delegated properly (see the reference links for more details)
Kubernetes cluster and load balancer created in the account (see the getting started links for creating the cluster and load balancer)
Log in to the F5 cloud account with valid credentials, then click "Load Balancers" in the Common Services section.
Navigate to the Manage section, click "Load Balancers" and then select HTTP Load Balancers.
Click the three dots in the Actions column for any load balancer, then select the "Manage Configuration" option.
Next, click "Edit Configuration", then select Security Configuration in the left menu.
Now toggle the "Advanced Fields" button as shown below.
Select the "Rate-limiting parameters" option from the "Rate limiting" field drop-down and then click Configure.
Toggle the "Show Advanced Fields" button, provide a valid number and a period from the drop-down options (seconds or minutes), and leave the burst multiplier field at its default value of 1, as shown below.
Apply the above configuration, then click the "Save and Exit" button.
Copy the domain name of the load balancer, open a browser, enter the domain name, and check that the demo application is accessible, as shown below.
Try to access the same application multiple times; once the configured rate limit is reached, the error below is shown.
Below are some more options available in the rate limiting feature for finer request granularity:
Allowed list: Users added in this field are not subject to the rate limiting constraints, and the application is always accessible to them.
Custom rate limiter policies: Users can also create their own custom rate limiters, add them to rate limiter policies and then apply these policies to load balancers.
Admins can also add rate limiter rules to rate limiter policies that match specific methods (POST, GET, etc.), domain names, headers or paths, and apply the policy to a load balancer.
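The premium/free use case above and the allowed-list option, modelled as a small limiter. This is an added example, not F5 Distributed Cloud code; the identifier sources, the "number per period" window and the allowed list follow the console fields described on this page, while the exact semantics of the burst multiplier (modelled here as simply scaling the allowance) and the X-User-Tier header are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class RateLimiter:
    """Fixed-window limiter: at most number * burst_multiplier requests per
    identifier within each period (seconds); allowed identifiers are never limited."""
    number: int
    period: float
    burst_multiplier: int = 1                     # assumption: scales the per-window allowance
    allowed: set = field(default_factory=set)     # the console's "Allowed list"
    windows: dict = field(default_factory=dict)   # identifier -> (window_start, count)

    def allow(self, identifier: str, now: float) -> bool:
        if identifier in self.allowed:            # allowed-list users bypass the limiter
            return True
        start, count = self.windows.get(identifier, (now, 0))
        if now - start >= self.period:            # period elapsed: open a fresh window
            start, count = now, 0
        if count >= self.number * self.burst_multiplier:
            self.windows[identifier] = (start, count)
            return False                          # over the limit: request is rejected
        self.windows[identifier] = (start, count + 1)
        return True

def identify(request: dict, key_type: str, key: str = "") -> str:
    """Derive the user identifier the way the four console options do."""
    source = {"client_ip": lambda r: r["client_ip"],
              "http_header": lambda r: r["headers"].get(key, "anonymous"),
              "cookie": lambda r: r["cookies"].get(key, "anonymous"),
              "query_param": lambda r: r["query"].get(key, "anonymous")}
    return source[key_type](request)

def simulate_tier_policy():
    """Constructed scenario: traffic tagged X-User-Tier: free gets 3 requests per 60 s
    (shared by everyone carrying that tag); the premium tag is on the allowed list."""
    limiter = RateLimiter(number=3, period=60, burst_multiplier=1, allowed={"premium"})
    free = {"client_ip": "203.0.113.10", "headers": {"X-User-Tier": "free"}, "cookies": {}, "query": {}}
    prem = {"client_ip": "203.0.113.11", "headers": {"X-User-Tier": "premium"}, "cookies": {}, "query": {}}
    results = []
    for i in range(5):                            # five back-to-back requests from each tier
        t = 1000.0 + i
        results.append((limiter.allow(identify(free, "http_header", "X-User-Tier"), t),
                        limiter.allow(identify(prem, "http_header", "X-User-Tier"), t)))
    t = 1061.0                                    # 61 s later: the free window has rolled over
    results.append((limiter.allow(identify(free, "http_header", "X-User-Tier"), t),
                    limiter.allow(identify(prem, "http_header", "X-User-Tier"), t)))
    return results
```

Because the identifier is the header value, all clients carrying the same tag share one allowance; keying on client IP or a per-user cookie instead gives a per-client limit.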
Rate limiting protects applications against brute-force attacks and limits access to forum searches, API calls, or resources that involve database-intensive operations at your origin. It provides the ability to limit the number of requests originating from a particular user.
For further information or to get started, click the links below: