The Importance of Rate Limiting
In today’s API economy, rate limiting plays a crucial role in system stability, security, and cost efficiency. Here’s a detailed explanation of its importance.
Server Load Management
APIs can receive an unpredictable volume of requests. For example, a sudden surge in popularity or unexpected traffic spikes can overload servers. By setting rate limits, you can cap the number of requests and ensure the server maintains proper performance.
Ensuring Fairness
Rate limiting is an important way to ensure all users can access the API fairly. It prevents specific users or applications from monopolizing resources and protects the experience of other users.
Enhancing Security
Rate limiting is effective against malicious requests, DoS (Denial of Service) attacks, and unauthorized bot access. By detecting and limiting abnormal request patterns, you can protect your API and the entire system.
Cost Management
Many cloud providers and infrastructure services charge based on the number of requests or data transfer. Allowing unlimited requests can lead to unexpected cost spikes. By setting rate limits, you can better predict costs and avoid unnecessary expenses.
Basic Mechanism of Rate Limiting in Kong
Kong Gateway is an open-source API gateway that makes it easy to manage and protect APIs. It is used by companies and developers to improve API security, performance, and reliability. Rate limiting in Kong Gateway is a feature for controlling traffic to API endpoints. This feature is provided as a plugin and can be easily enabled and configured.
Kong’s rate limiting plugin works as follows:
- Request Counting: The plugin counts requests and applies limits if the number of requests exceeds the allowed range within a specified time frame (seconds, minutes, hours, days, etc.).
- Behavior When Exceeding Thresholds: Requests that exceed the allowed range are rejected with an HTTP status code (usually 429 Too Many Requests). You can also set a custom message.
- Use of Storage: Count information is kept in local memory, the database, or external storage such as Redis; shared storage keeps the counts consistent across nodes in distributed environments.
- Flexible Scope of Application:
  - Per Service: Set limits for specific APIs
  - Per Consumer: Apply different limits for individual users or applications
  - Per Route: Set limits only for specific API endpoints
Basic Setup: Kong Rate Limiting Plugin
Kong provides two rate limiting plugins. Both limit the number of requests per time unit. For example, you can easily set a limit of 3 requests per minute.
- OSS: https://docs.konghq.com/hub/kong-inc/rate-limiting/
- Enterprise: https://docs.konghq.com/hub/kong-inc/rate-limiting-advanced/
Plugin Setup
This post covers the OSS version first. To start, create a test Service and Route.
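A minimal sketch of what this step might look like against the Admin API on localhost:8001; the service name uuid_service appears later in the post, while the upstream URL (https://httpbin.org/uuid), the route name, and the /uuid path are assumptions for illustration:

```sh
# Create a Service named uuid_service pointing at a UUID-generating upstream
curl -i -X POST http://localhost:8001/services \
  --data name=uuid_service \
  --data url=https://httpbin.org/uuid

# Create a Route that exposes the Service on /uuid
curl -i -X POST http://localhost:8001/services/uuid_service/routes \
  --data name=uuid_route \
  --data "paths[]=/uuid"
```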
Without any limits, you can generate unlimited UUIDs.
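For example, repeated requests through the proxy (assumed here to listen on localhost:8000) all succeed:

```sh
# Every request returns 200 and a fresh UUID while no limit is configured
for i in $(seq 1 10); do
  curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8000/uuid
done
```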
Next, create a Rate Limiting plugin for the Service.
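A sketch of the plugin creation, again assuming the Admin API on localhost:8001:

```sh
# Enable the rate-limiting plugin on uuid_service: at most 5 requests per minute
curl -i -X POST http://localhost:8001/services/uuid_service/plugins \
  --data name=rate-limiting \
  --data config.minute=5
```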
This command registers the following settings for the uuid_service Service:
- Plugin: Rate Limiting
- Limit: Maximum 5 accesses per minute
If you want to apply the limit to a Route or Consumer, change the services/uuid_service part accordingly.
Operation Check
The first 5 accesses are allowed:
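Something along these lines; the plugin also returns headers such as X-RateLimit-Limit-Minute and X-RateLimit-Remaining-Minute that show the remaining quota:

```sh
# The first five requests within the same minute return 200
for i in $(seq 1 5); do
  curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8000/uuid
done
```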
From the 6th request, you get an error:
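The sixth request within the same minute is rejected with 429 Too Many Requests (the exact response body varies slightly by Kong version):

```sh
curl -i http://localhost:8000/uuid
# -> HTTP/1.1 429 Too Many Requests
#    with the plugin's default error message in the JSON body
```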
Advanced Settings
Error Message and Response Code
To customize the error message and error code, set the following:
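One way to do this, assuming a Kong version whose OSS rate-limiting plugin exposes config.error_code and config.error_message, and assuming jq is installed to extract the plugin ID; the status code and message below are arbitrary example values:

```sh
# Look up the ID of the rate-limiting plugin created earlier (requires jq)
PLUGIN_ID=$(curl -s http://localhost:8001/services/uuid_service/plugins | jq -r '.data[0].id')

# Patch the plugin with a custom status code and error message
curl -i -X PATCH "http://localhost:8001/plugins/${PLUGIN_ID}" \
  --data config.error_code=418 \
  --data "config.error_message=Too many UUID requests, please slow down"
```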
If you access more than 5 times, you’ll get the customized response.
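With the example values from the sketch above, exceeding the limit now returns the custom status and message:

```sh
curl -i http://localhost:8000/uuid
# -> responds with the custom error_code (418 in the sketch above)
#    and the custom error_message in the JSON body
```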
Request Counter and Using Redis
Kong’s Rate Limiting plugin provides a flexible mechanism for storing request counters in a database, in memory, or in Redis. Each storage method has its own trade-offs, and you should choose based on your environment.
Storing in Database
If you store counters in the database, all Kong nodes must connect to that database, which allows consistent count sharing between nodes. However, this policy is not available in DB-less or hybrid mode.
Storing in Memory
This is the fastest option and suits single-node environments. In a distributed deployment each node keeps its own counter, so the effective limit is only approximate.
Storing in Redis
Using Redis allows counters to be shared across the entire cluster. All Kong nodes refer to the same Redis instance, enabling accurate counting across the cluster, and Redis's performance supports large-scale traffic. However, using Redis adds setup effort and requires a plan for handling Redis failures.
Example: Using Redis
Use the following file to set up a Redis environment with docker compose. The "--requirepass kong" part sets the Redis password.
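A minimal compose file along these lines (the image tag and the exposed port are assumptions):

```yaml
# docker-compose.yml - a single Redis instance protected by the password "kong"
# start it with: docker compose up -d
services:
  redis:
    image: redis:7
    command: ["redis-server", "--requirepass", "kong"]
    ports:
      - "6379:6379"
```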
Set up Rate Limiting with the following command:
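A sketch using the flat redis_* parameter names of the OSS plugin (recent Kong releases also accept these nested under config.redis.*). The host value assumes Redis is reachable from the Kong node; adjust it to your setup.

```sh
# If a rate-limiting plugin already exists on the Service, delete or PATCH it first.
# Recreate the plugin on uuid_service with the redis policy.
curl -i -X POST http://localhost:8001/services/uuid_service/plugins \
  --data name=rate-limiting \
  --data config.minute=5 \
  --data config.policy=redis \
  --data config.redis_host=127.0.0.1 \
  --data config.redis_port=6379 \
  --data config.redis_username=default \
  --data config.redis_password=kong
```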
- config.policy=redis: Store counters in Redis
- config.redis_host: Redis hostname
- config.redis_port: Redis port
- config.redis_username: Username for Redis access (the default is "default")
- config.redis_password: Password for Redis access (here, "kong")
After sending some requests, you can check the counters in Redis with the following commands:
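For example, with redis-cli inside the compose service from the sketch above (the exact key layout written by the plugin depends on the Kong version):

```sh
# List the counter keys written by the plugin
docker compose exec redis redis-cli -a kong --no-auth-warning KEYS '*'

# Inspect one of the listed keys: its current count and remaining TTL
docker compose exec redis redis-cli -a kong --no-auth-warning GET "<key from the output above>"
docker compose exec redis redis-cli -a kong --no-auth-warning TTL "<key from the output above>"
```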
Changing Limits by Time
By combining Pre-function and Rate Limiting, you can change the rate limit based on the time of day. In practice, you create two Routes for one Service, each matching on a different header, and use a Pre-function to set the appropriate header according to the time of day.
First, create a test Service.
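A sketch; the service name (time_service) and upstream URL are placeholders for illustration:

```sh
# Create a Service to experiment with time-based limits
curl -i -X POST http://localhost:8001/services \
  --data name=time_service \
  --data url=https://httpbin.org/anything
```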
Next, create two Routes. The paths are the same, but the header conditions differ.
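Two Routes on the same path, distinguished only by a request header. JSON bodies are used here because the route's headers field is a map of header names to value lists; the route names and the /limit path are placeholders, while the X-Peak and X-Off-Peak headers match the Lua function shown later:

```sh
# Route matched during business hours (requires header X-Peak: true)
curl -i -X POST http://localhost:8001/services/time_service/routes \
  -H "Content-Type: application/json" \
  -d '{"name": "peak_route", "paths": ["/limit"], "headers": {"X-Peak": ["true"]}}'

# Route matched outside business hours (requires header X-Off-Peak: true)
curl -i -X POST http://localhost:8001/services/time_service/routes \
  -H "Content-Type: application/json" \
  -d '{"name": "off_peak_route", "paths": ["/limit"], "headers": {"X-Off-Peak": ["true"]}}'
```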
Then, set up Rate Limiting plugins for each Route.
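These limits line up with the numbers at the end of this section (10/minute during peak hours, 60/minute off-peak):

```sh
# 10 requests/minute on the peak Route
curl -i -X POST http://localhost:8001/routes/peak_route/plugins \
  --data name=rate-limiting \
  --data config.minute=10

# 60 requests/minute on the off-peak Route
curl -i -X POST http://localhost:8001/routes/off_peak_route/plugins \
  --data name=rate-limiting \
  --data config.minute=60
```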
Finally, use a Pre-function to set headers so that traffic is routed to the correct Route based on the time.
Save the following as ratelimit.lua. This function reads the server clock and sets the X-Peak header during business hours (08:00 - 17:00) and the X-Off-Peak header otherwise.
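A sketch of what ratelimit.lua might look like; it uses ngx.req.set_header so the header is already present when Kong's router evaluates the two Routes:

```lua
-- ratelimit.lua
-- Runs in the rewrite phase, before Kong matches a Route.
-- Tags the request with X-Peak during business hours (08:00 - 17:00)
-- and with X-Off-Peak otherwise, so the header-based Routes can match.
-- ngx.localtime() returns the server's local time as "YYYY-MM-DD HH:MM:SS".
local hour = tonumber(ngx.localtime():sub(12, 13))

if hour >= 8 and hour < 17 then
  ngx.req.set_header("X-Peak", "true")
else
  ngx.req.set_header("X-Off-Peak", "true")
end
```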
Set this code to run in the rewrite phase:
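One way to register it with the pre-function (serverless functions) plugin; in this sketch the plugin is created globally rather than on a Route, so the header is set before routing takes place, and curl's multipart @-syntax uploads the file:

```sh
# Register ratelimit.lua as a global pre-function running in the rewrite phase
curl -i -X POST http://localhost:8001/plugins \
  -F "name=pre-function" \
  -F "config.rewrite[1]=@ratelimit.lua"
```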
With this, you can achieve 10 requests/minute during business hours (08:00 - 17:00) and 60 requests/minute outside business hours.
Differences Between OSS and Enterprise
The Rate Limiting Advanced documentation describes the differences from the OSS plugin:
- Multiple Limits and Window Sizes
  - For example, if you set a limit of 1000 requests per day, but all 1000 are sent in the last minute, it can overload the API. With multiple limits (e.g., 1000/day + 60/minute), you can solve this problem.
- Support for Redis Sentinel, Redis cluster, and Redis SSL
- Better throughput and accuracy
- More rate limiting algorithms
- Support for Consumer groups
Conclusion
This article explained the importance of rate limiting in Kong Gateway, its basic mechanism, and how to configure it. Rate limiting is a key technology for stable API operation, security, and cost management. Thanks to Kong’s flexible plugin design, you can use this feature easily and efficiently.
The OSS version of Kong is sufficient for most needs, but for more complex requirements, consider the Enterprise version, which offers additional features and improved performance.
I hope this article helps you manage APIs with Kong. Stay tuned for more technical blog posts on API and microservices operations!