Step 8 - Set up a rate limiting policy

In this lab, we will protect the API endpoint with a rate limiting policy. To do so, we will limit the endpoint per authenticated user.

Steps to enable rate limiting protection on the /colors API endpoint

  1. In NGINX Controller -> Select APIs -> api-sentence -> Edit the api-sentence-v3 published API.
  2. In Routing, edit the security settings for the cp-colors-v3 component.
  3. Select Rate Limiting.
  4. Turn on Enable Rate Limiting. Use the following values:
    1. Key: Authenticated Client
    2. Rate: 5 requests per minute .. note:: 5 req/min does not mean that the client can send 5 requests during the first 5 seconds and then wait 55 seconds. Instead, 5 req/min means the client will be allowed to send a request every 12 seconds (60 / 5 = 12).
    3. Excess Request Processing: Reject Immediately
  5. Click Submit -> Submit again to validate the config and push it to the NGINX instance.
../../../_images/RL.png

Simulate too many requests from the client

  1. RDP to the Win10 VM (user/user).

  2. Open Postman, select the API Sentence Generator v3 collection, and select the GET Colors v3 request. If necessary, request a new token for user matt (password matt).

  3. Send the request, and instantaneously send a second request. Your request is blocked because you are only allowed to send one request every 12 seconds (5 req/min).

    ../../../_images/429.png

  4. Re-do the test, but this time wait 12 seconds between each request. Your requests should succeed.


Improve the user experience with a delay

Note

As you noticed, the second request sent is immediately rejected. There is an option to delay the response when the client sends too many request, and thus provide the client a better experience. You can find more info here: https://www.nginx.com/blog/rate-limiting-nginx/

  1. In NGINX Controller -> Select APIs -> api-sentence -> Edit the api-sentence-v3 published API.

  2. In Routing, edit the security settings for the cp-colors-v3 component.

  3. Select Rate Limiting.

  4. Modify Excess Request Processing from Reject Immediately to Delay. Modify Ignore Initial N requests from 0 to 5.

  5. Click Submit -> Submit again to validate the config and push it to the NGINX instance.

    ../../../_images/delay.png

  6. Send two requests back to back in Postman. This time around, the second request is delayed but not dropped.