To effectively manage API traffic for various user tiers (such as free, basic, and premium subscribers) you can create consumer groups for each tier and assign individual consumers to these groups. Then, configure the Rate Limiting Advanced plugin to apply specific rate limits based on these groups. This setup allows you to enforce customized request limits for each tier, ensuring fair usage and optimizing performance for high-value users.
This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
The following Konnect items are required to complete this tutorial:
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
Export your license to an environment variable:
export KONG_LICENSE_DATA='<license-contents-go-here>'
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to:
Create a deck_files directory and a kong.yaml file in the directory:
mkdir deck_files && touch deck_files/kong.yaml
For this tutorial, you’ll need Kong Gateway entities, like services and routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
Create a prereqs.yaml file within your deck_files directory, and add the following content to it:
_format_version: '3.0'
services:
- name: example-service
url: http://httpbin.org/anything
routes:
- name: example-route
paths:
- "/anything"
service:
name: example-service
Sync your changes.
deck gateway sync deck_files
Make sure to substitute your Konnect Personal Access Token for konnect_token and the control plane name for KONNECT_CP_NAME in the command:
deck gateway sync deck_files \
--konnect-token $KONNECT_TOKEN \
--konnect-control-plane-name $KONNECT_CP_NAME
To learn more about entities, you can read our entities documentation.
We need to set up authentication to identify the consumer and apply rate limiting. In this guide, we’ll be using the Key Auth plugin plugin, but you can use any Kong authentication plugin.
Add the following content to your kong.yaml file in the deck_files directory to configure the Key Auth plugin:
_format_version: '3.0'
plugins:
- name: key-auth
config:
key_names:
- apikey
Before you can enable rate limiting for tiers of users, we first have to create consumer groups for each tier and then add consumers to those groups. Consumer groups are soley a way to organize consumers of your APIs. In this guide, we’ll create three tiers (Free, Basic, and Premium), so we need to create a unique consumer group for each tier.
Apphend the following content to your kong.yaml file in the deck_files directory to create consumer groups for each tier:
consumer_groups:
- name: Free
- name: Basic
- name: Premium
Now that you’ve added consumer groups for each tier, you can create three consumers, one for each tier. Here, we’re manually adding consumers for the sake of ease, but in a production environment, you could use a script that would automatically add consumers to the correct groups as they sign up for a tier of service.
We’re also adding key auth credentials (key) to each consumer so they can authenticate and we can test later that rate limiting was correctly configured for the different tiers.
Apphend the following content to your kong.yaml file in the deck_files directory to create consumers and their authentication credentials:
consumers:
- username: Amal
groups:
- name: Free
keyauth_credentials:
- key: amal
- username: Dana
groups:
- name: Basic
keyauth_credentials:
- key: dana
- username: Mahan
groups:
- name: Premium
keyauth_credentials:
- key: mahan
Enable the Rate Limiting Advanced plugins for each tier:
Add the following to your existing plugins section in kong.yaml:
- name: rate-limiting-advanced
consumer_group: Free
config:
limit:
- 3
window_size:
- 30
window_type: fixed
retry_after_jitter_max: 0
namespace: free
- name: rate-limiting-advanced
consumer_group: Basic
config:
limit:
- 5
window_size:
- 30
window_type: sliding
retry_after_jitter_max: 0
namespace: basic
- name: rate-limiting-advanced
consumer_group: Premium
config:
limit:
- 500
window_size:
- 30
window_type: sliding
retry_after_jitter_max: 0
namespace: premium
This configures the different tiers like the following:
config.limit) for every 30 seconds (config.window_size).config.limit) for every 30 seconds (config.window_size).config.limit) for every 30 seconds (config.window_size).Synchronize your decK configuration files.
Make sure you created the deck_files directory in the prerequisites.
First, compare the decK file or files to the state of the Kong Gateway:
deck gateway diff deck_files
deck gateway diff deck_files \
--konnect-token $KONNECT_TOKEN \
--konnect-control-plane-name $KONNECT_CP_NAME
The output shows you which entities will change if you sync the state files.
If everything looks right, synchronize them to update your Gateway configuration:
deck gateway sync deck_files
deck gateway sync deck_files \
--konnect-token $KONNECT_TOKEN \
--konnect-control-plane-name $KONNECT_CP_NAME
Now we can test that each rate limiting tier is working as expected by sending a series of HTTP requests (for example, six for Free Tier and seven for Basic Tier) to the endpoint with the appropriate API key with the goal of exceeding the configured rate limit for that tier. The tests wait for one second between requests to avoid overwhelming the server and test rate limits more clearly.
Test the rate limiting of the Free tier:
echo "Testing Free Tier Rate Limit..."
for i in {1..6}; do
curl -I http://localhost:8000/anything -H 'apikey:amal'
echo
sleep 1
done
For the first few requests (up to the configured limit, which is 3 requests in 30 seconds), you should receive a 200 OK status code. Once the limit is exceeded, you should receive a 429 Too Many Requests status code with a message indicating the rate limit has been exceeded.
Test the rate limiting of the Basic tier:
echo "Testing Basic Tier Rate Limit..."
for i in {1..7}; do
curl -I http://localhost:8000/anything -H 'apikey:dana'
echo
sleep 1
done
For the first few requests (up to the configured limit, which is 5 requests in 30 seconds), you should receive a 200 OK status code. After exceeding the limit, you should receive a 429 Too Many Requests status code with a rate limit exceeded message.
Test the rate limiting of the Premium tier:
echo "Testing Premium Tier Rate Limit..."
for i in {1..11}; do
curl -I http://localhost:8000/anything -H 'apikey:mahan'
echo
sleep 1
done
For the initial requests (up to the configured limit, which is 500 requests in 30 seconds), you should receive a 200 OK status code. After exceeding the limit, you should receive a 429 Too Many Requests status code.
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Why can’t I use the regular Rate Limiting plugin to rate limit tiers of consumers?
We use the Rate Limiting Advanced plugin because it supports sliding windows, which we use to apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight.