Ocelot - API Rate Limiting

Ocelot Aug 15, 2020

This article is part of the Ocelot GW tutorial series, which explains the need for an API Gateway and how to use Ocelot with an ASP.NET Core application as the API gateway.

In the previous article we went through the base setup of Ocelot and the .NET Core micro-services. In this article we will discuss rate limiting and why we need it.

Before you start this tutorial, make sure you have gone through the previous post.

What is Rate Limiting

Rate limiting, a.k.a. API limiting, is an essential guard against DoS attacks that bombard your server with unlimited API requests. Some popular reasons for putting limits on an API:

  • Manage unexpected spikes in demand - For example, during automated testing a test engineer increases the number of requests or forgets to turn off a test. Your API then suffers from a constant stream of requests you never anticipated, which maxes out server utilization and makes the server unresponsive.
  • Contract obligation - Organizations often publish their APIs under a freemium model: anyone can use the API within an assigned quota, and anyone who goes beyond that limit has to pay for it. With a rate limiting configuration the API publisher can easily manage this scenario.

Rate limiting with Ocelot

Enough with the theory, let's see it in action. Ocelot has built-in configuration to quickly set up rate limiting.

From the previous article, go to the GW project and update OcelotConfiguration.json. We have added a new RateLimitOptions node to the /catalog route.

{
  "Routes": [
    {
      "DownstreamPathTemplate": "/api/catalog",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 44343
        }
      ],
      "UpstreamPathTemplate": "/catalog",
      "UpstreamHttpMethod": [ "GET" ],
      "RateLimitOptions": {
        "ClientWhitelist": [],
        "EnableRateLimiting": true,
        "Period": "1s",
        "PeriodTimespan": 1,
        "Limit": 1
      }
    },
    {
      "DownstreamPathTemplate": "/api/customer",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 44303
        }
      ],
      "UpstreamPathTemplate": "/customer",
      "UpstreamHttpMethod": [ "GET" ]
    }
  ]
}

Let's look in detail at what each of these attributes does:

  • ClientWhitelist - An array containing the whitelisted clients. Clients in this array are not affected by the rate limiting.
  • EnableRateLimiting - Specifies whether rate limiting is enabled for this endpoint.
  • Period - The period that the limit applies to, such as 1s, 5m, 1h, 1d and so on. If you make more requests in the period than the limit allows, you need to wait for PeriodTimespan to elapse before you can make another request.
  • PeriodTimespan - The number of seconds a client has to wait before it can retry.
  • Limit - The maximum number of requests that a client can make in the defined period.

Testing the above configuration

For testing I usually use Postman, which acts as the client. Once I hit the GW endpoint, I get the response as expected:

API REQUEST 

Now when I hit the API again within 1 sec, I get the following error:

Here the client is not allowed to make more than 1 call within 1 sec. You can also customize the response message and the response status code via GlobalConfiguration. Add the following node at the end of your OcelotConfiguration.json:

  "GlobalConfiguration": {
    "RateLimitOptions": {
      "QuotaExceededMessage": "You want more API, pay some money !!!!",
      "HttpStatusCode": 999
    }
  }

As you can see, the status code and message have changed per the configuration.
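To make the semantics of the route-level RateLimitOptions and the GlobalConfiguration overrides concrete, here is a small fixed-window rate limiter written as an added example for this post. It is a model of the behaviour described above, not Ocelot's own code: it parses the Period suffixes (s, m, h, d), counts requests per client per window, honours ClientWhitelist, makes a client wait PeriodTimespan seconds after it exceeds Limit, and returns the configured QuotaExceededMessage and HttpStatusCode with a Retry-After header. The client identity header name ClientId and the "anonymous" bucket for requests without that header are assumptions of the example, and the defaults use 429 Too Many Requests, the standard status for this case; the replayed request sequence is constructed sample traffic.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass, field

# Multipliers for the Period suffixes the post lists: 1s, 5m, 1h, 1d.
_PERIOD_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(period: str) -> int:
    """Convert an Ocelot-style Period string such as '5m' into seconds."""
    match = re.fullmatch(r"(\d+)([smhd])", period.strip())
    if not match:
        raise ValueError(f"unsupported Period value: {period!r}")
    return int(match.group(1)) * _PERIOD_UNITS[match.group(2)]


@dataclass
class RateLimitOptions:
    """Per-route RateLimitOptions, mirroring the JSON keys in the post."""
    enable_rate_limiting: bool = True
    period: str = "1s"
    period_timespan: float = 1.0          # seconds a blocked client must wait before retrying
    limit: int = 1
    client_whitelist: list[str] = field(default_factory=list)


@dataclass
class GlobalRateLimitOptions:
    """GlobalConfiguration.RateLimitOptions; the header name is an assumption of this example."""
    client_id_header: str = "ClientId"    # assumed: header that tells clients apart
    quota_exceeded_message: str = "API calls quota exceeded!"
    http_status_code: int = 429           # standard Too Many Requests code


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class FixedWindowLimiter:
    """Fixed-window counter per client for one route (a model, not Ocelot's implementation)."""

    def __init__(self, route: RateLimitOptions, global_opts: GlobalRateLimitOptions):
        self.route = route
        self.global_opts = global_opts
        self.period_seconds = parse_period(route.period)
        self._windows: dict[str, tuple[float, int]] = {}   # client -> (window start, request count)
        self._blocked_until: dict[str, float] = {}          # client -> time the retry gate opens

    def handle(self, headers: dict, now: float) -> Response:
        if not self.route.enable_rate_limiting:
            return Response(200, "downstream response")
        # Assumption: requests without the client header share one "anonymous" bucket.
        client = headers.get(self.global_opts.client_id_header, "anonymous")
        if client in self.route.client_whitelist:
            return Response(200, "downstream response")
        # A client that already exceeded its quota must wait out PeriodTimespan.
        if now < self._blocked_until.get(client, 0.0):
            return self._reject(client, now)
        start, count = self._windows.get(client, (now, 0))
        if now - start >= self.period_seconds:              # window elapsed, start a fresh one
            start, count = now, 0
        count += 1
        self._windows[client] = (start, count)
        if count > self.route.limit:
            self._blocked_until[client] = now + self.route.period_timespan
            return self._reject(client, now)
        return Response(200, "downstream response")

    def _reject(self, client: str, now: float) -> Response:
        retry_after = max(0, math.ceil(self._blocked_until[client] - now))
        return Response(self.global_opts.http_status_code,
                        self.global_opts.quota_exceeded_message,
                        {"Retry-After": str(retry_after)})


def simulate() -> list[int]:
    """Replay constructed sample traffic against the post's /catalog settings (1 request per 1s)."""
    limiter = FixedWindowLimiter(
        RateLimitOptions(period="1s", period_timespan=1, limit=1, client_whitelist=["trusted-app"]),
        GlobalRateLimitOptions(quota_exceeded_message="You want more API, pay some money !!!!"),
    )
    requests = [                              # (seconds since start, request headers)
        (0.0, {"ClientId": "postman"}),       # first call -> allowed
        (0.5, {"ClientId": "postman"}),       # second call inside 1s -> rejected
        (1.2, {"ClientId": "postman"}),       # still inside PeriodTimespan -> rejected
        (1.6, {"ClientId": "postman"}),       # new window -> allowed
        (1.6, {"ClientId": "trusted-app"}),   # whitelisted -> always allowed
        (1.7, {}),                            # no ClientId header -> anonymous bucket, first call
    ]
    return [limiter.handle(headers, t).status for t, headers in requests]


if __name__ == "__main__":
    print(simulate())   # [200, 429, 429, 200, 200, 200]
```

The replay shows why PeriodTimespan matters as a separate knob from Period: the third request at 1.2s falls in a new one-second window, yet it is still rejected because the client was told to wait one second from its rejected call at 0.5s. It also shows the defensive weakness of a shared "anonymous" bucket: every client that omits the identity header competes for the same quota, so choose the identifier (header, API key, or source address) deliberately.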

To conclude, rate limiting will not protect you completely against DDoS attacks, but it can definitely help with the scalability and reliability of the overall system.

Download working code from https://github.com/DMehro/OcelotAPIGW
