Set rate limits to APIs
API rate limiting is a technique used to limit the number of invocations made to an API during a specified time interval. Limiting the number of invocations prevents the API from being overloaded and in turn improves its performance.
About this task
Using the Traffic Optimization policy in webMethods API Gateway, you can limit the number of API invocations during a specified time interval. When the number of invocations exceeds the configured limit, webMethods API Gateway sends alerts to a specified destination.
The Traffic Optimization policy generates two types of events when the specified limit is breached.
- Policy violation event - Indicates the violations that occur for an API. If you have 100 violations, then 100 policy violation events are generated.
- Monitor event - Controlled by the alert frequency configuration specified in the policy.
API providers configure rate limit for the following reasons.
- Prevent resource abuse.
You can come across cases in which a single consumer performs an unexpected number of invocations to an API. This overloads the system and affects the API's performance. Hence, as an API provider, you can configure a rate limit to prevent such usage.
- Manage traffic.
As an API provider, you provide certain SLAs to your consumers. If you have a large consumer base for your APIs, then it is vital to control the traffic rate of your APIs. You can use rate-limiting to manage traffic to an API, making sure that it is highly available and responsive when you handle requests from many consumers.
- Control resource usage.
Resources cost money. The number of API invocations is directly proportional to the consumption of resources, for example, hosting provider and third-party service costs. By setting rate limits, you can control the amount of resources used by each client.
- Protect from malicious activities.
Restricting requests over a period also helps to minimize the risk posed by attackers and protects your resources from malicious activity.
Rate limiting considerations
- You can configure rate limit along with other API policies such as the Identify & Authorize policy, the Traffic Management policy, and so on.
- For the proper usage of the rate limit, which you can configure for protection, and the quota, which you can configure for monetization, you must understand the fundamental difference between the two.
Rate limit: Specifies the number of requests that can be made to an API over a relatively short period, such as a second or a minute. Useful for managing traffic and preventing overload of an API in real time.
Quota: Specifies the number of requests that a consumer can make to an API over a longer period, such as per day, per week, or per month. Useful for controlling usage over a longer period and ensuring fair use of API resources.
The following example illustrates the steps to enforce a rate limit of 10 for the API, Petstore. That is, the policy does not allow more than ten invocations to the API.
Procedure
- Open the menu options and select APIs.
- Click Create API.
- Select Import API from URL.
- Provide Petstore in the Name field.
- Provide the URL, https://petstore.swagger.io/v2/swagger.json.
- Click Create. The Petstore API is created, and the API details page appears.
- Click Edit.
- Click the Policies tab.
- Click Traffic Monitoring from the Policy Catalog section and click Traffic Optimization. The policy is added. By default, the values Total Request Count and Greater than are selected in the Rule Name and Operator fields.
- Provide 5 in the Value field. When the number of invocations goes beyond five, the policy is considered violated.
- Select Consumer-specific throttling, type .*, and select Each consumer. This specifies that the configured invocation limit applies to each consumer application individually.
- Select webMethods API Gateway under Destinations. The policy violation alerts are displayed in the API analytics page.
- Provide 1 in the Alert Interval field and select Minutes in the Unit field.
- Select Every Time in the Alert Frequency field to log an event every time the API is called beyond the specified limit.
- Provide Number of invocations reached the maximum limit. Try later in the Alert message field.
- Click Save. The policy is enforced on the Petstore API. When the number of invocations goes beyond 10, an email with the specified Alert message is sent to the provided email address.
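The following Python model is an added example, not webMethods API Gateway code. It reproduces the semantics this page describes so the behaviour can be checked offline: a rule of the form "Total Request Count greater than Value", evaluated per consumer application (the ".*" consumer pattern with "Each consumer") within an alert interval, emitting one policy violation event per violating call and monitor events gated by the alert frequency ("Every Time" versus once per interval). The same fixed-window counter, run over a longer period, serves as a quota, which makes the rate-limit-versus-quota distinction from the considerations section concrete. All class and function names, and the call log, are this example's own constructions.

```python
"""Fixed-window rate limit and quota evaluator (added example, not API Gateway code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class WindowCounter:
    """Counts calls per key within consecutive fixed windows of `period` seconds."""
    period: float
    counts: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key -> (window index, count)

    def hit(self, key: str, now: float) -> int:
        window = int(now // self.period)
        idx, count = self.counts.get(key, (window, 0))
        if idx != window:            # a new window has started: the count resets
            idx, count = window, 0
        count += 1
        self.counts[key] = (idx, count)
        return count


@dataclass
class TrafficOptimizationPolicy:
    """Hypothetical model of the page's rule: Total Request Count > Value per consumer per interval."""
    value: int                       # threshold from the Value field, e.g. 5
    alert_interval: float            # seconds; 60 models "1 Minute"
    consumer_pattern: str = ".*"     # regex for Consumer-specific throttling; ".*" matches all
    each_consumer: bool = True       # "Each consumer": one counter per consumer application
    alert_every_time: bool = True    # "Every Time" alert frequency; False = once per interval
    alert_message: str = "Number of invocations reached the maximum limit. Try later"
    counter: WindowCounter = field(init=False)
    alerted_windows: Set[Tuple[str, int]] = field(default_factory=set)
    events: List[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.counter = WindowCounter(self.alert_interval)
        self.pattern = re.compile(self.consumer_pattern)

    def evaluate(self, consumer: str, now: float) -> bool:
        """Return True when the call is allowed, False when the policy is violated."""
        if not self.pattern.fullmatch(consumer):
            return True              # this consumer is not subject to throttling
        key = consumer if self.each_consumer else "*"
        count = self.counter.hit(key, now)
        if count <= self.value:
            return True
        # One policy violation event per violating call (100 violations -> 100 events).
        self.events.append({"type": "policy_violation", "consumer": consumer, "count": count})
        # Monitor events follow the alert frequency: every time, or once per interval.
        window = int(now // self.alert_interval)
        if self.alert_every_time or (key, window) not in self.alerted_windows:
            self.alerted_windows.add((key, window))
            self.events.append({"type": "monitor", "consumer": consumer, "message": self.alert_message})
        return False


@dataclass
class Quota:
    """Longer-period allowance per consumer (e.g. per day); same counter, different purpose."""
    limit: int
    period: float                    # seconds; 86400 models a per-day quota
    counter: WindowCounter = field(init=False)
    denials: int = 0

    def __post_init__(self) -> None:
        self.counter = WindowCounter(self.period)

    def evaluate(self, consumer: str, now: float) -> bool:
        if self.counter.hit(consumer, now) <= self.limit:
            return True
        self.denials += 1
        return False


def simulate(calls: List[Tuple[float, str]], policy: TrafficOptimizationPolicy, quota: Quota) -> Tuple[int, int]:
    """Run (timestamp, consumer) calls through the rate limit first, then the quota."""
    allowed = denied = 0
    for ts, consumer in sorted(calls):
        if policy.evaluate(consumer, ts) and quota.evaluate(consumer, ts):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


def run_example(alert_every_time: bool = True) -> dict:
    # Constructed call log: app-a bursts 8 calls in the first minute, app-b makes 3,
    # then app-a returns with 2 calls in the second minute.
    calls = [(float(t), "app-a") for t in range(8)] + [(float(t), "app-b") for t in range(3)]
    calls += [(61.0, "app-a"), (62.0, "app-a")]
    policy = TrafficOptimizationPolicy(value=5, alert_interval=60, alert_every_time=alert_every_time)
    quota = Quota(limit=6, period=86400)
    allowed, denied = simulate(calls, policy, quota)
    return {
        "allowed": allowed,
        "denied": denied,
        "policy_violation_events": sum(e["type"] == "policy_violation" for e in policy.events),
        "monitor_events": sum(e["type"] == "monitor" for e in policy.events),
        "quota_denials": quota.denials,
    }


if __name__ == "__main__":
    print(run_example())                          # alert frequency "Every Time"
    print(run_example(alert_every_time=False))    # one monitor event per interval
```

With a threshold of 5 and a one-minute interval, app-a's sixth, seventh and eighth calls in the first minute are rejected and each produces a policy violation event, while the number of monitor events depends on the alert frequency. The per-day quota of 6 then rejects app-a's seventh accepted call in the second minute, even though the per-minute rate limit had reset, which is exactly the difference between the two controls.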