Rate Limiting
A Rate Limiting policy limits the number of requests an API can accept in a defined window of time. It rejects requests once that number is exceeded within the window. We can define multiple limits, with window sizes ranging from milliseconds to years.
So we can have limits like:
- Limit 1 – 120 requests per 60 minutes
- Limit 2 – 20 requests per 10 seconds
Both can hold at the same time, and the policy will make sure that both limits are respected.
To start with, we will create a Mule application and connect it with API Manager – please see how we can connect the MuleSoft application to API Manager.
After deployment in CloudHub, the API Manager configuration will show as Active.
Now we will apply the Rate Limiting policy.
Select Rate Limiting
Now update the policy configuration
We can see the following properties:
- Identifier – the set of limits defined in the policy is enforced independently for each identifier, e.g. we can run the limits independently for every customer id or client id. It is defined as a DataWeave expression.
- Limits – window of time
- Clusterizable – to apply at cluster level
- Expose header – rate-limit-related headers will be passed back to the caller. These headers are:
  - x-ratelimit-remaining – remaining hits in a window of time
  - x-ratelimit-limit – max limit in a window of time
  - x-ratelimit-reset – window of time in milliseconds
Let's populate the fields as per our need
Click apply
Now if we test this API in SoapUI, we can see the different rate limit headers.
For the sixth request in a 30-second window we will get an HTTP 429 Too Many Requests error like below:
HTTP Response:
HTTP/1.1 429 Too Many Requests
Content-Type: application/json; charset=UTF-8
Date: Tue, 02 Jun 2020 05:29:07 GMT
Server: nginx
x-ratelimit-limit: 5
x-ratelimit-remaining: 0
x-ratelimit-reset: 12017
Content-Length: 40
Connection: keep-alive

{ "error": "Quota has been exceeded" }

If we change the query param destination to something else, we can see that a new rate limit comes up, which is independent of the other destination values.
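The per-identifier behaviour seen in the test above (5 requests per 30 seconds, a 429 on the sixth, a fresh quota for another destination) can be reproduced with a small model. This Python code is an added example, not MuleSoft's implementation: the class and function names are hypothetical, the destination values are constructed, and it assumes fixed windows that open on the first request for an identifier.

```python
class RateLimitPolicy:
    """Simplified model: fixed windows, counted separately per identifier."""

    def __init__(self, limits):
        # limits: list of (max_requests, window_ms), e.g. [(5, 30_000)]
        self.limits = limits
        self.windows = {}  # (identifier, limit index) -> [window_start_ms, count]

    def handle(self, identifier, now_ms):
        """Return (status, headers) for one request arriving at now_ms."""
        states = []
        for i, (max_req, window_ms) in enumerate(self.limits):
            state = self.windows.get((identifier, i))
            if state is None or now_ms - state[0] >= window_ms:
                state = [now_ms, 0]  # first hit (or expiry) opens a new window
                self.windows[(identifier, i)] = state
            states.append((state, max_req, window_ms))

        # Every configured limit must have room, otherwise the call is rejected.
        allowed = all(s[1] < max_req for s, max_req, _ in states)
        if allowed:
            for s, _, _ in states:
                s[1] += 1

        # Report the limit that is closest to exhaustion.
        s, max_req, window_ms = min(states, key=lambda t: t[1] - t[0][1])
        headers = {
            "x-ratelimit-limit": max_req,
            "x-ratelimit-remaining": max_req - s[1],
            "x-ratelimit-reset": s[0] + window_ms - now_ms,  # ms left in window
        }
        return (200 if allowed else 429), headers


def replay(policy, requests):
    """requests: list of (identifier, now_ms); returns the status codes."""
    return [policy.handle(ident, t)[0] for ident, t in requests]


if __name__ == "__main__":
    # Constructed traffic: six calls for one destination, then one for another.
    policy = RateLimitPolicy([(5, 30_000)])
    traffic = [("LAX", t * 1000) for t in range(6)] + [("SFO", 6000)]
    print(replay(policy, traffic))
    print(policy.handle("LAX", 12_000))
```

Because each identifier gets its own counters, the identifier expression decides what is actually throttled: keyed on a request parameter, the quota applies per parameter value, while keyed on a client id it applies per caller.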
Sample application – sample-rest-service-rate-limiting
Sample SOAP UI project – sample-rest-service-rate-limiting-soapui-project
Is the same SLA-based rate limiting distributed to multiple clients?