Rate Limiting
This configuration guide shows how to limit the number of requests handled by Airlock Microgateway using the rate limit filter.
Rate limiting is configured with a RateLimitPolicy. The policy is attached directly to an HTTPRoute and defines one or more rate limit policies for the routed traffic. Rate limits can apply to the entire route, to selected requests based on request conditions, or separately per client IP.
Prerequisites
- A Gateway Deployment.
- An
HTTPRouterouting traffic to your application.
Configuration
Limit all requests on a route
Create a RateLimitPolicy in the same namespace as the HTTPRoute that you want to attach it to.
The following example limits all requests on the referenced HTTPRoute to 1000 requests per second.
Because no requestConditions are configured, the policy applies to all requests on the route. When the configured rate is exceeded, Airlock Microgateway blocks further requests according to the default threat handling mode.
Configure multiple limits and an exception
Use multiple policy entries to apply different limits to different request paths.
The following example configures different limits and an exception:
- Requests to
/app1that exceed 100 requests per second are logged only. - Requests to
/app2are limited to 300 requests per second. - Requests to
/unlimitedare not rate limited. - All other requests are limited to 1000 requests per second.
Place more specific policies before the default policy.
Policy order matters because the first matching policy applies. Therefore, the path-specific policies for /app1, /app2, and /unlimited must be listed before the default policy. The /unlimited policy does not define a local rate limit, so matching requests are not counted by the rate limiter and do not fall through to the default rate limit.
The final policy has no requestConditions and therefore acts as the default policy for all requests that did not match an earlier policy.
Count requests per client IP
Use countBy.ip to apply the configured rate limit separately per client IP.
The following example limits the route to 1000 requests per second per client IP:
Use numberOfCounters to limit the number of distinct client IP addresses tracked by the policy and to prevent unbounded memory usage. If the number of distinct client IPs exceeds the maximum of 10000, the oldest IP counter is discarded.
Set rateLimitHeaders: DraftVersion3 to make Airlock Microgateway write rate-limit response headers according to draft version 3 of the HTTP RateLimit header specification.
Validation
After applying the RateLimitPolicy, verify that it has been accepted by the targeted resource by checking that the Accepted condition in status.ancestors[].conditions has status True.
If rateLimitHeaders: DraftVersion3 is configured, send a request to a path covered by the policy and check the response headers. The X-RateLimit-* headers make the current rate limit state visible on the client side.
You can also use metrics to observe rate limiting behavior. Check the ratelimited_requests_total metric to see whether requests are being rate-limited.
Rate limit memory considerations
Each policy with a configured rate limit uses memory to count requests. For simple counters, the additional memory usage is usually negligible.
For rate limits that count requests per IP, memory usage requires more attention. In this case, Airlock Microgateway keeps separate counters in memory for the tracked client IP addresses.
Use countBy.ip.numberOfCounters to restrict the maximum number of IP counters. When this maximum is exceeded, the Engine forgets the least current counter.
Choose the value carefully:
- If
numberOfCountersis too low, an attacker with enough source IP addresses may bypass the rate limit. - If
numberOfCountersis too high, memory usage may become problematic.
As a rough estimate, assume that one per-IP counter requires about 500 bytes of additional memory.
Example: