Lab 5: Rate Limiting

Scenario

An internal application occasionally enters a temporary loop, repeatedly sending requests to a single endpoint. This degrades performance for other clients and, at times, renders the API unusable.

Implement a solution to limit the number of requests an endpoint will accept from a given client “source” within a specific time window to prevent excessive load.

Expected Lab Time: 8 minutes

Task 1: Simulate Unmitigated Excessive Requests

Currently, our Banking Application does not implement, or enforce, rate-limiting to a specific endpoint.

In this task, you will follow steps to send multiple requests within 1 minute to the /getallcustomers endpoint.

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

  2. Within the Swagger page, navigate and expand the customerlookup/getallcustomers endpoint, and click Try it out.

  3. Click the Execute button, and observe the Response Body (200 OK):

  4. Click the Execute button 10 times within 1 minute, and observe the Response Body; each request should be allowed.


Task 2: Enable API Rate-Limiting

In this task’s series of steps, you will enable the API Rate-Limiting feature on the previously built HTTP Load Balancer object delivering the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click on the three dots in the Action column, and then select Manage Configuration.

  3. Click Edit Configuration in the top-right corner.

  4. Using the left-hand navigation, click the Common Security Controls link.

  5. Locate the Rate Limiting area of the Common Security Controls and use the drop-down to select API Rate Limit.

  6. In the expanded menu under API Rate Limit, click View Configuration.

  7. In the resulting window, under API Endpoints, click Configure.

  8. Select Add Item, within API Endpoints.

  9. In the resulting window, use the drop-down under API Endpoint, and click See Suggestions.

  10. In the suggestion results, use the drop-down and select the /getallcustomers endpoint.

  11. In the resulting configuration window, update the following fields then click Apply.

    • Method List: ANY

    • Threshold: 10

    • Duration: Minute

    Note: With these values, a client is rate-limited once it has made 10 requests to this endpoint within 1 minute; requests beyond that threshold are rejected until the window passes.

  12. Review the API Endpoint rate limiting rule and click the Apply button.

  13. Click Apply at the API Rate Limit page.

  14. Note the updated configuration for API Rate Limiting. Click Other Settings in the left-hand navigation, then click Save and Exit at the bottom right.


Task 3: Simulate Mitigated Excessive Requests

In this task, you will send more than 10 requests within a minute and observe the rate limit being enforced.

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

  2. Within the Swagger page, navigate and expand the customerlookup/getallcustomers endpoint, and click Try it out.

  3. Click the Execute button more than 10 times within 1 minute, and observe the Response Body; each request up to and including the 10th should be accepted. Observe the Response Body once you exceed this threshold.

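The rule configured in Task 2 (Threshold 10, Duration Minute, keyed on the client source) and the behaviour observed in Task 3 can be reproduced outside the platform with a small per-source limiter. The following Python block is an added example written for this lab guide; it is not F5 code and does not describe how the Distributed Cloud platform counts requests internally. It assumes a sliding window (the platform's exact counting algorithm is not stated in the lab), uses HTTP 429 as the rejection status purely as a convention, and the client addresses it uses are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Values mirroring the lab rule: Threshold 10 requests per Duration of one minute.
THRESHOLD = 10
WINDOW_SECONDS = 60.0


class ApiRateLimiter:
    """Per-source sliding-window limiter (assumed algorithm, not the platform's).

    Accepts at most `threshold` requests from one source within any `window`
    seconds; requests beyond that are rejected until the oldest hit ages out.
    """

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        # source -> timestamps of accepted requests still inside the window
        self._hits = defaultdict(deque)

    def check(self, source, now=None):
        """Return (allowed, retry_after_seconds) for one request from `source`.

        `now` is injectable so the clock can be driven without sleeping.
        """
        now = time.monotonic() if now is None else now
        hits = self._hits[source]
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) < self.threshold:
            hits.append(now)
            return True, 0.0
        # Over threshold: the oldest in-window hit tells when a slot frees up.
        return False, self.window - (now - hits[0])


def simulate(limiter, source, n, start=0.0, spacing=1.0):
    """Send n requests from `source`, one every `spacing` seconds, and return
    the status each would receive: 200 when accepted, 429 when rate-limited
    (429 is a convention chosen here; the lab does not specify the response)."""
    statuses = []
    for i in range(n):
        allowed, _ = limiter.check(source, now=start + i * spacing)
        statuses.append(200 if allowed else 429)
    return statuses


if __name__ == "__main__":
    limiter = ApiRateLimiter()
    # The looping internal application: 12 requests in 12 seconds.
    # Expect ten 200s followed by two 429s, matching Task 3's observation.
    print("looping client:", simulate(limiter, "10.0.0.5", 12))
    # Another client on the same endpoint is unaffected, because the rule
    # is enforced per source rather than globally.
    print("other client:  ", simulate(limiter, "10.0.0.6", 3))
    # Once the oldest hit is a full minute old, the looping client gets a slot back.
    print("after 60 s:    ", limiter.check("10.0.0.5", now=60.0))
```

The injectable clock is what makes the behaviour checkable without waiting a real minute; in a production gateway the source key would typically be the client IP or an authenticated identity, and the rejection response should carry a Retry-After value derived from the same calculation the limiter already performs.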

End of Lab
