Configure Rate Limiting per User

Objective

This guide provides instructions on how to configure rate limiting per user based on user identification. This limits the number of API requests from a user per time period, as set by configuration. Rate limiting per user is applied on the Volterra virtual host. For more information, see Rate Limiting Based on User Identification.

Using the instructions provided in this guide, you can configure a set of user identification rules, create rate limiters, and apply them to a virtual host.


Prerequisites

The following prerequisites apply:


Configuration

Enabling rate limiting for your virtual host or load balancer requires you to create a rate limiter with optional user identification rules and apply it to the virtual host. The following image illustrates the sequence of enabling rate limiting based on user identification.

Figure: Sequence for Rate Limiting Based on User Identification

Note: The instructions shown in this guide do not cover configuration using the wizards. However, at any time you can use the Switch to wizard option in the configuration form to open a guided wizard form to perform the same actions.

Configuration Sequence

Enabling rate limiting based on user identification can be performed in the following two ways:

  • Using the individual wizards for the user identification, rate limiter, and virtual host.
  • Using the HTTP load balancer wizard.

Enabling rate limiting based on user identification requires you to perform the following sequence of actions.

| Phase | Description |
|---|---|
| Create User Identification | Create user identification with rules defining what is evaluated for identification. |
| Create Rate Limiter | Create rate limiter and optionally apply user identifier. |
| Apply Rate Limiter to Virtual Host | Create a Fast ACL set with the created Fast ACL. |

Note: When using the HTTP load balancer wizard, creation of user identification and rate limiter are part of the wizard itself.


Enable Rate Limit Using Constituent Component Wizards

The constituent components of rate limiting functionality are user identification, rate limiter, and virtual host/load balancer. Perform the instructions provided in the following chapters to configure the constituent components.

Create User Identification

A user identification specifies the list of rules defining the identifier types and their values. The system determines the user identity based on these rules and uses the rate limiter to limit the requests accordingly.

Note: Configuring a user identifier is optional because the system treats the client IP address as the default user identifier.

Step 1: Log into the VoltConsole and navigate to user identity creation.

Select Security from the configuration menu. Select Network Security -> User Identification and click Add user identification. The user identification creation form opens.

Figure: Navigate to User Identification Creation

Step 2: Configure identification rules

Enter a name and click Add rule. Select an option from the drop-down list for the Identifier Type field and enter an associated value for the selected option.

This example shows adding cookie name and HTTP header name as identifiers.

Figure: User Identification Rules

Note: You can click Add rule and add more identifier types. These rules are evaluated in sequential order to determine the user identifier.

Step 3: Complete creating the user identification.

Click Add user identification to create the user identification object.


Create Rate Limiter

A rate limiter specifies the limit on API requests per second or minute and optionally specifies the user identification rules that determine which API requests this limit applies to.

Perform the following to create a rate limiter:

Step 1: Log into the VoltConsole and navigate to rate limiters section.

Select Security from the configuration menu. Select Network Security -> Rate Limiters and click Add rate limiter. The rate limiter creation form opens.

Figure: Navigate to Rate Limiter Section

Step 2: Set rate limit configuration.

Enter a name and click Add limit in the Rate Limit Values section. Configure the rate limits as per the following guidelines:

  • Enter a number in the Number field. Maximum allowed number is 8192.
  • Enter a unit of time in the Per Period field. Supported units are Second and Minute.

This example sets the limit of 5 requests per second.

Figure: User Identification Rules

Step 3: Apply user identification to the rate limiter.

Click Select user identification in the User Identification Policy section and select user identification objects as per your choice. Click Select user identification again to add the user identification rules to rate limiter.

This example selects the user identification based on the client IP and header name as the identifier types.

Figure: User Identification Rules

Step 4: Complete rate limiter creation.

Click Add rate limiter to create the rate limiter object.


Apply Rate Limiter to Virtual Host

After creating the rate limiter, apply it to your virtual host configuration to enforce rate limiting to the API requests served by the virtual host. This example shows how to apply rate limiting to a virtual host that is already created. However, you can also apply the rate limiting while creating a virtual host.

Note: For virtual host setup instructions, see Create and Advertise a Virtual Host.

Perform the following to apply rate limiter to virtual host:

Step 1: Navigate to virtual host configuration section.

Log into the VoltConsole and select Manage from the configuration menu. Select Virtual Hosts from the options and choose your virtual host from the displayed list. Click ... -> Edit to open the virtual host configuration edit form.

Step 2: Apply rate limiters to the virtual host.

Scroll down to the Rate Limiter section and click Select rate limiter. Select rate limiters previously created and click Select rate limiter again to apply the rate limiter.

Step 3: Apply IP prefixes for exempting them from rate limiting.

Click Select rate limiter allowed prefix in the Rate Limiter Allowed Prefixes section and select IP prefix sets for which you want to skip rate limiting. Click Select rate limiter allowed prefix again to exclude the IP prefixes from rate limiting.

Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.

Step 4: Apply user identification rules to virtual host.

Click Select user identification in the User Identification Policy section. Select user identification objects previously created and click Select user identification again to apply to virtual host.

Figure: Apply Rate Limiting to Virtual Host

Note: User identification rules from the rate limiter applied to virtual host are prioritized over the user identification directly applied to the virtual host.

Step 5: Complete enabling the rate limiting for virtual host.

Click Save changes to enable the rate limiting.
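
The following Python model is an added example, not Volterra or VoltConsole code. It shows how the settings configured above combine for one request: ordered identification rules, the client IP default, the limit per period, allowed prefixes, and the priority of the rate limiter's rules over the virtual host's. The rule type labels, the X-Api-Key header name, fixed-window counting, and the fallback to client IP when no rule matches are assumptions.

```python
import ipaddress
from collections import defaultdict

MAX_NUMBER = 8192                             # largest value the guide allows in Number
PERIOD_SECONDS = {"Second": 1, "Minute": 60}  # units the guide lists for Per Period

def resolve_user(rules, request):
    """Evaluate rules in order; the first identifier present in the request wins."""
    for id_type, name in rules:               # id_type labels are hypothetical
        if id_type == "cookie" and request.get("cookies", {}).get(name):
            return ("cookie", name, request["cookies"][name])
        if id_type == "header":
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            if headers.get(name.lower()):
                return ("header", name.lower(), headers[name.lower()])
        if id_type == "client_ip":
            break
    # Client IP is the default identifier; using it when no rule matches is an assumption.
    return ("client_ip", None, request["client_ip"])

class RateLimiterModel:
    def __init__(self, number, per_period, limiter_rules=None, vhost_rules=None,
                 allowed_prefixes=()):
        if not 1 <= number <= MAX_NUMBER:     # lower bound of 1 is an assumption
            raise ValueError(f"Number must be between 1 and {MAX_NUMBER}")
        self.number, self.period = number, PERIOD_SECONDS[per_period]
        # Rules attached to the rate limiter take priority over the virtual host's.
        self.rules = limiter_rules or vhost_rules or []
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.counts = defaultdict(int)

    def check(self, request, now):
        ip = ipaddress.ip_address(request["client_ip"])
        if any(ip in net for net in self.allowed):
            return "exempt"                   # allowed prefixes skip rate limiting
        key = (resolve_user(self.rules, request), int(now // self.period))
        self.counts[key] += 1                 # assumption: fixed-window counting
        return "allow" if self.counts[key] <= self.number else "limit"

def demo():
    # Constructed sample: 5 requests per second, as in the guide's rate limiter example.
    rl = RateLimiterModel(5, "Second",
                          limiter_rules=[("cookie", "Userid"), ("header", "X-Api-Key")],
                          vhost_rules=[("client_ip", None)],
                          allowed_prefixes=["10.0.0.0/8"])
    alice = {"client_ip": "203.0.113.7", "cookies": {"Userid": "alice"}}
    return [rl.check(alice, 100.0 + i / 10) for i in range(6)]

if __name__ == "__main__":
    print(demo())
```

Because cookie and header values are supplied by the client, each distinct value is counted as a separate user; the model makes it easy to see which bucket a given request lands in before choosing identifier types.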


Enable Rate Limit Using HTTP Load Balancer Wizard

The HTTP load balancer wizard provides guided steps to set user identification rules and rate limiter as part of the load balancer creation.

Step 1: Navigate to HTTP load balancer configuration wizard.

Log into the VoltConsole and change to your namespace. Select Virtual Hosts from the left configuration menu. Select Load Balancers -> HTTP Load Balancers and click Add HTTP Load Balancer.

Figure: Navigate to HTTP Load Balancer Wizard

Step 2: Set the basic configuration and navigate to security configuration.

Fill the metadata, basic configuration, routes configuration, and VIP configuration as per your preference. Enable the advanced configuration using the Show Advanced Fields toggle switch. Click Security configuration in the left menu.

Figure: HTTP Load Balancer Security Configuration

Note: For detailed instructions on load balancer creation, see Create and Advertise a Virtual Host.

Step 3: Start user identification creation wizard.

Select user identification objects in the User Identification Policy field if already configured objects are present. Otherwise, open the dropdown and click Create new user identification.

This example shows creating a new user identification rule.

Figure: HTTP Load Balancer Security Configuration

Step 4: Set user identification configuration.

Enter a name for the user identification policy in the Metadata section. Select an identifier type from the dropdown list in the Identifier Type field and enter a value for that identifier in the field enabled as per your identifier type selection.

This example selects cookie name as the identifier type and sets the Userid as the identifier.

Figure: User Identity Configuration

Note: Click Add item to add more identification types.

Step 5: Complete user identification creation and add to load balancer configuration.

Click Continue to create and add the user identification to the load balancer. The wizard returns to the load balancer Metadata section.

Step 6: Start rate limiter configuration wizard.

Scroll down to the security configuration or click Security Configuration in the left menu. Select Rate Limiting Parameters from the drop down for the Rate Limiting field and click Configure. This opens the rate limiter wizard.

Figure: Enable Rate Limiter for Load Balancer

Step 7: Set rate limiter rules.

Enter a value for the Number field and select a unit for the Per Period field in the Request Rate Limiter section. This example sets 15 requests per second as the rate limit.

Step 8: Specify IP prefixes for exempting from the rate limiting.

Optionally, select Ip Allowed List or Ip Allowed using Ip Prefix Set(s) for the Ip(s) Allowed without Rate Limiting field and perform one of the following:

  • Add IP prefixes if you selected Ip Allowed List. Use Add item to add more prefixes.
  • Click Add item if you selected Ip Allowed using Ip Prefix Set(s) and select existing IP prefix sets. In case no IP prefix set is available, click Create new rate limiter allowed prefix and create the prefix set using the loaded wizard.

This example adds the IP prefixes using the Ip Allowed List option.

Figure: Rate Limiter Configuration

Note: Performing this step enables the system to exempt requests from the specified IP prefixes from rate limiting.

Step 9: Complete enabling the rate limiting for the load balancer.

Click Apply to create and add the rate limiter to the load balancer. This also returns to the load balancer wizard's main screen. Click Continue to create or update the load balancer and enable the rate limiting.

Note: The following apply:

  • The rate limit is always evaluated before any configured network security policy sets.
  • Evaluation of the configured network policy set is done only if the request is under the limit set by the rate limit.
  • A service policy rule is automatically created for each HTTP load balancer that has rate limiting enabled and a rate limiter object is also automatically created.
  • An IP prefix set is automatically created if the rate limiting configuration has an allowed IP list.
  • The policy rule uses virtual host and IP matcher as match predicates.
  • The rate limiter is applied as an action in the service policy rule.

Concepts


API References