Global rate limiting
Why Rate Limit in API Gateway Environments
API Gateways act as a control point for the outside world to access the various application services (monoliths, microservices, serverless functions) running in your environment. In microservices or hybrid application architecture, any number of these workloads will need to accept incoming requests from external end users (clients). Incoming requests can be numerous and varied – protecting backend services and globally enforcing business limits can become incredibly complex being handled at the application level. Using an API gateway we can define client request limits to these varied services in one place.
Rate Limiting in Gloo Gateway
Gloo Gateway exposes Envoy’s rate-limit API, which allows users to provide their own implementation of an Envoy gRPC rate-limit service. Lyft provides an example implementation of this gRPC rate-limit service here. To configure Gloo Gateway to use your rate-limit server implementation, install Gloo Gateway and then modify the settings to use your rate limit server upstream:
Open editor to modify the settings:
kubectl --namespace gloo-system edit settings default
Update the highlighted portion to point to your rate limit server:
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
labels:
app: gloo
gloo: settings
name: default
namespace: gloo-system
spec:
discoveryNamespace: gloo-system
extauth:
extauthzServerRef:
name: extauth
namespace: gloo-system
gateway:
validation:
alwaysAccept: true
proxyValidationServerAddr: gloo:9988
gloo:
xdsBindAddr: 0.0.0.0:9977
kubernetesArtifactSource: {}
kubernetesConfigSource: {}
kubernetesSecretSource: {}
ratelimitServer:
ratelimitServerRef:
name: ... # rate-limit server upstream name
namespace: ... # rate-limit server upstream namespace
requestTimeout: ... # optional, default 100ms
denyOnFail: ... # optional, default false
rateLimitBeforeAuth: ... # optional, default false
enableXRatelimitHeaders: ... # optional, default false
refreshRate: 60s
Setting the value rateLimitBeforeAuth
to true will cause the rate limiting filter to run before the Ext Auth filter.
This necessarily means the loss of extauth-aware rate limiting features, like providing different rate limits for authenticated
vs non-authenticated users.
Gloo Gateway Enterprise provides an enhanced version of Lyft’s rate limit service that supports the full Envoy rate limit server API (with some additional enhancements, e.g. rule priority), as well as a simplified API built on top of this service. Gloo Gateway uses this rate-limit service to enforce rate-limits. The rate-limit service can work in tandem with the Gloo Gateway external auth service to define separate rate-limit policies for authorized & unauthorized users. The Gloo Gateway Enteprise rate-limit service is enabled and configured by default, no configuration is needed to point Gloo Gateway toward the rate-limit service.
Logging
If Gloo Gateway is running on kubernetes, the rate limiting logs can be viewed with:
kubectl logs -n gloo-system deploy/rate-limit -f
When it starts up correctly, you should see a log line similar to:
"caller":"server/server_impl.go:48","msg":"Listening for HTTP on ':18080'"
Rate Limit Configuration
Enabling Envoy’s X-RateLimit Headers
Setting the value enableXRatelimitHeaders
to true will configure Envoy to return the headers defined in their rate limit API
to the downstream.
Check out the guides for each of the Gloo Gateway rate-limit APIs and configuration options for Gloo Gateway Enterprise’s rate-limit service:
-
Rate limiting setup: Set up and verify your rate limiting environment
-
Envoy API: Fine-grained rate limit API.
-
Set-Style API (Enterprise): Set-style rate limiting API to better limit on descriptor subsets
-
RateLimitConfigs (Enterprise): Powerful, reusable configuration for Gloo Gateway Enterprise's rate-limit service.
-
Gloo Gateway API (Enterprise): Simplified rate-limit API that covers most use cases.
-
Server Config (Enterprise): Advanced configuration for Gloo Gateway Enterprise's rate-limit service.
-
Metrics (Enterprise): Use prometheus metrics to determine when requests are near or over rate-limits.
-
Access logs: Use access logs to determine request characteristics of rate-limit rule breaches.