Rate Limiting using Kong API Gateway

Applying a rate limit for requests prevents your API from being overloaded by constraining the number of requests within a given time frame. This blog will cover how you can configure and test rate limiting using Kong API Gateway.

What is Rate Limiting?

Rate limiting is a strategy for limiting network traffic. Limits on social media activity is a typical instance of rate limiting. Social media websites including Instagram, Facebook and LinkedIn restrict the number of activities a user can perform in a day. Such as sending messages, liking photos or commenting on posts. For example, if a user comments on too many posts, the rate limit kicks in. This blocks the user from commenting on any more posts for a certain period of time. You can also apply rate limits for a business rules, for instance the number of password resets in a set time.

Rate Limiting not only protects your services and infrastructure against unintended or malicious activities, it also ensures the service to be available for all its clients. Without rate limiting, each user can make a request as often as they like, leading to spikes of requests that could cease other consumers. The impact of this could be catastrophic, resulting in financial loss and reputational damage. In an on-demand society it is important to maintain high performance and secure applications. If your website and mobile app are slow or insecure this will drive your customers to competitors.

API Gateway

There are many API gateway providers available on the market, they allow you to manage, configure and route requests to your APIs. All gateways perform the same kinds of functions. Enterprise gateway service providers such as Amazon API Gateway sit nicely with EC2 and Lambdas. Google Cloud API Gateway is also well known, however cloud providers can cause vendor lock meaning you can not easily migrate to another platform. For this reason, open-source API gateways are recommended.

Kong is an open source, scalable API Gateway. It sits between the client and runs in front of any RESTful API and can be extended through plugins. Problems such as rate limiting are simple to solve using the Kong rate limiting plugin. You can secure and govern APIs, as well as improve visibility across the entire company.

How to determine a rate limit

In order to protect your components, you will firstly need to prove how much traffic your API can handle. To do this you can carry out a load test, using tools such as JMeter and Taurus. If you are working in a microservice architecture and your API has dependencies, ensure other teams are notified beforehand as this could cause alerts, slowness, spikes in traffic or tests to fail. Once your load test has determined the throughput your service can handle, you can set your rate limit below that, with the consideration of scaling.

Using the rate limiting advanced plugin configuration, rate limiting can be applied to the service or route. There are various different rate limit algorithms, this blog covers the benefits and drawbacks of each one.

Route example:

{
"name": "weatherapi",
.
.
.
"routes": [
{
"protocols": [
"http",
"https"
],
"methods": [
"GET"
],
"paths": [
"/forecast"
]
}
],
.
.
.
{
"name": "rate-limiting-advanced",
"config": {
"strategy": "cluster",
"limit": [{{rateLimit 20}}],
"window_size": [ 1 ],
"sync_rate": -1,
"window_type": "fixed",
}
}
.
.
.
}

Looking at the example above, the forecast route on the weather API will allow 20 requests in the 1 second time window.

How can you test your rate limiting?

To test the configured rate limit, you can create load tests. Based on the configured rate limit, you want to test that the rate limiting kicks in when you hit X number of requests within a given time frame. When your rate limiting is triggered you should be returned a “Too Many Requests” (429) status code with the message “API rate limit exceeded”. After your rate limit has been reset, you should test that you can make a successful request again.

Summary

When creating a new application it is important to implement rate limiting to protect your API, services and infrastructure to deliver a secure and reliable experience to customers. The above is a basic example of applying rate limiting to a route. As mentioned, there are various methods you can use to implement rate limiting whether it be at the service, consumer or even down to the credential level. To learn more I recommend reading the Kong documentation.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store