Setting rate limits for public APIs on the management service

Describes the procedure for setting a rate limit for public APIs on the management service. Rate limits provide protection from DDoS (distributed denial of service) attacks.

Before you begin

These instructions assume you have the kubectl command-line tool installed. For more information, see https://kubernetes.io.

About this task

Rate limits can be set for public APIs on the management service. Rate limits on APIs help provide protection from DDoS (distributed denial of service) attacks. Without a rate limit, API calls from public APIs are unlimited.

The rate limit configuration requires that the header contains the actual client IP address. Any load balancer or proxy (for example, HAProxy) that is installed in front of the management service must be configured to pass the actual client IP address.

This procedure must be performed on a running API Connect deployment.

Rate limits are calculated as requests per seconds per client.

Note: If the rate limit has been reached on the management subsystem, the client will get an HTTP error: 429 Too Many Requests.

Procedure

  • Set a rate limit:
    1. Add the following entries to the extra-values-file:
      spec:
        template:
        - name: juhu
          containers:
          - name: juhu
            env:
            - name: RATE_LIMIT_PER_CLIENT
              value: "10"
            - name: LIMIT_REQUEST_OPTION
              value: "burst=10 nodelay"

      In this example, the first option sets the rate to 10 requests per second (10r/s). The second option allows 10 requests boosted without delay within < 1 second. You can customize as needed.

      The rateLimitPerClient property sets rate, and limitRequestOption sets [burst=number] [nodelay | delay=number] in the following nginx configuration:

      limit_req_zone key zone=name:size rate=rate;
      limit_req zone=name [burst=number] [nodelay | delay=number];
      

      Note that zone has been pre-defined and can't be configured. For more details, see the nginx doc http://nginx.org/en/docs/http/ngx_http_limit_req_module.html.

    2. Save the extra-values file with a filename of your choice, but it must have a .yaml or .yml extension.
    3. Use apicup to update the VMware extra-values-file attribute to point to the new or updated management subsystem extra-values file:
      apicup subsys set <mgmt_subsystem_name> extra-values-file <extra_values_file_path_and_name>
      Where:
      • <mgmt_subsystem_name> is the name of the management subsystem that you are configuring.
      • <extra_values_file_path_and_name> is the fully qualified path and name of your extra-values file.
      For example:
      apicup subsys set ds10-management extra-values-file /workspace/v10012/my_extra_values.yaml
    4. Verify that the configuration settings are valid in the apiconect-up-v10.yaml by running the following command:
      apicup subsys get <mgmt_subsystem_name> --validate
      The output lists each setting and adds a check mark after the value once the value is validated. If the setting lacks a check mark and indicates an invalid value, reconfigure the setting.
    5. Run apicup to update the settings in the deployed Management subsystem.
      apicup subsys install <management-subsystem>
      
    6. Enter the following command to connect to the management subsystem using SSH:
      ssh ip_address -l apicadm

      You are logging in with the default ID of apicadm, which is the API Connect ID that has administrator privileges.

    7. Select Yes to continue connecting, and once connected:
      sudo -i
    8. Validate that the juhu pod has restarted by listing the pods:
      kubectl get pods  grep juhu
    9. Check the AGE column to ensure a new juhu pod has started.
    10. If the older juhu pod is still running, delete it with the following command:
      kubectl delete pods <old-juhu-pod>
  • Disable a rate limit:
    1. Remove the values from the extra-values-file.
    2. Run apicup to update the settings in the deployed Management subsystem.
      apicup subsys install <management-subsystem>
      
    3. Enter the following command to connect to the management subsystem using SSH:
      ssh ip_address -l apicadm

      You are logging in with the default ID of apicadm, which is the API Connect ID that has administrator privileges.

    4. Select Yes to continue connecting, and once connected:
      sudo -i
    5. Validate that the juhu pod has restarted by listing the pods:
      kubectl get pods  grep juhu
    6. Check the AGE column to ensure a new juhu pod has started.
    7. If the older juhu pod is still running, delete it with the following command:
      kubectl delete pods <old-juhu-pod>