Limiting the Number of Requests to API Gateway Back Ends
Find out how to use a request policy to limit the number of requests sent to back-end services with API Gateway.
Having created an API gateway and deployed one or more APIs on it, you'll typically want to limit the rate at which API clients can make requests to back-end services. For example, to:
maintain high availability and fair use of resources by protecting back ends from being overwhelmed by too many requests
prevent denial-of-service attacks
constrain costs of resource consumption
restrict usage of APIs by your customers' users in order to monetize APIs
You apply a rate limit globally to all routes in an API deployment specification.
If a request is denied because the rate limit has been exceeded, the response header specifies when the request can be retried.
In the API Request Policies section of the Basic Information page, click the Add button beside Rate Limiting and specify:
Number of Requests per Second: The maximum number of requests per second to send to the API deployment.
Type of Rate Limit: How the maximum number of requests per second threshold is applied. You can specify that the maximum applies either to the number of requests sent from any one API client (identified by its IP address), or to the total number of requests sent from all API clients.
Click Save Changes.
Click Next and specify authentication options on the Authentication page.
Click Next to enter details for individual routes in the API deployment on the Routes page. Note that you cannot apply rate-limiting policies to individual routes in the API deployment specification.
Click Next to review the details you entered for the API deployment.
Click Create or Save Changes to create or update the API deployment.
Editing a JSON File to Add Rate-Limiting Request Policies
To add a rate-limiting request policy to an API deployment specification in a JSON file:
Using your preferred JSON editor, edit the existing API deployment specification to which you want to add a request limit, or create a new API deployment specification (see Creating an API Deployment Specification).
For example, the following basic API deployment specification defines a simple Hello World serverless function in OCI Functions as a single back end:
<ratekey-value> specifies whether the maximum number of requests threshold applies to the number of requests from individual API clients (each identified by their IP address) or to the total number of requests sent to the back-end service. Valid values are CLIENT_IP and TOTAL.
<requests-per-second> is the maximum number of requests per second to send to the API deployment.
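The following check for a deployment specification file is an added example, not Oracle's code and not part of the original page. It assumes the policy lives at requestPolicies.rateLimiting with the fields rateKey and rateInRequestsPerSecond (names not shown on this page), that the rate must be a positive integer, and the helper name lint_rate_limiting is hypothetical.

```python
import json

VALID_RATE_KEYS = {"CLIENT_IP", "TOTAL"}  # the two values the page lists


def lint_rate_limiting(spec: dict) -> list[str]:
    """Return findings for the rate-limiting policy in a deployment spec."""
    findings = []
    # Field names below are assumptions about the spec layout (see lead-in).
    policy = spec.get("requestPolicies", {}).get("rateLimiting")
    if policy is None:
        findings.append("no deployment-level rateLimiting policy is defined")
    else:
        key = policy.get("rateKey")
        if key not in VALID_RATE_KEYS:
            findings.append(f"rateKey {key!r} is not CLIENT_IP or TOTAL")
        rate = policy.get("rateInRequestsPerSecond")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(rate, bool) or not isinstance(rate, int) or rate < 1:
            findings.append(f"rateInRequestsPerSecond {rate!r} must be a positive integer")
    # Rate limits apply to the whole deployment, never to a single route.
    for i, route in enumerate(spec.get("routes", [])):
        if "rateLimiting" in route.get("requestPolicies", {}):
            findings.append(f"routes[{i}] ({route.get('path')}): rateLimiting is not valid on a route")
    return findings


# Constructed sample specs; the function OCID is a placeholder.
GOOD_SPEC = json.loads("""
{
  "requestPolicies": {"rateLimiting": {"rateKey": "CLIENT_IP", "rateInRequestsPerSecond": 10}},
  "routes": [{
    "path": "/hello", "methods": ["GET"],
    "backend": {"type": "ORACLE_FUNCTIONS_BACKEND", "functionId": "<function-ocid>"}
  }]
}
""")
BAD_SPEC = json.loads("""
{
  "routes": [{
    "path": "/hello", "methods": ["GET"],
    "requestPolicies": {"rateLimiting": {"rateKey": "client_ip", "rateInRequestsPerSecond": 0}},
    "backend": {"type": "ORACLE_FUNCTIONS_BACKEND", "functionId": "<function-ocid>"}
  }]
}
""")

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(name, lint_rate_limiting(spec) or "OK")
```

Running it over a specification before deployment catches the two mistakes this page warns about: a rate key other than CLIENT_IP or TOTAL, and a rate limit placed on an individual route instead of the deployment.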