Throttle APIs with different rate limits for Services and Consumers

Uses: Kong Gateway decK

Deployment Platform:

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
- Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

 export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

Export your license to an environment variable:

 export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

Run the quickstart script:

 curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA 

Once Kong Gateway is ready, you will see the following message:

 Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

Run the following command:

echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Create privileged Consumers

In this tutorial, we’ll be creating two Consumers that have different rate limits from the limits applied to the Gateway Service. These Consumers act as a type of “privileged” Consumer in this scenario that have higher rate limits, but they will still be prevented from exceeding the Service rate limits. The reason for this is to prevent DDoS type attacks on your APIs.

echo '
_format_version: "3.0"
consumers:
  - username: jsmith
    keyauth_credentials:
    - key: jsmith-key
  - username: tsmith
    keyauth_credentials:
    - key: tsmith-key
' | deck gateway apply -

Enable authentication

Authentication lets you identify a Consumer so that you can apply rate limiting to Consumers. This example uses the Key Authentication plugin, but you can use any authentication plugin that you prefer.

Enable the plugin globally, which means it applies to all Kong Gateway Services and Routes:

echo '
_format_version: "3.0"
plugins:
  - name: key-auth
    config:
      key_names:
      - apikey
' | deck gateway apply -

Enable rate limiting on Consumers with the Rate Limiting plugin

Enable the Rate Limiting plugin for the Consumers. In this example, the limit is 6 requests per minute per Consumer.

echo '
_format_version: "3.0"
plugins:
  - name: rate-limiting
    consumer: jsmith
    config:
      minute: 6
      limit_by: consumer
      policy: local
  - name: rate-limiting
    consumer: tsmith
    config:
      minute: 6
      limit_by: consumer
      policy: local
' | deck gateway apply -

Enable rate limits on the Service with the Service Protection plugin

Now we can apply a rate limit on the Service itself using the Service Protection plugin. In this example, we are setting the limit to 10 requests per minute. Due to plugin execution order, the Service Protection plugin is applied before the Rate Limiting plugin. This means that if multiple Consumers are making requests at the same time, together they can’t make more than 10 requests per minute, even if the individual Consumer rate limit is 6 requests per minute.

echo '
_format_version: "3.0"
plugins:
  - name: service-protection
    service: example-service
    config:
      window_size:
      - 60
      limit:
      - 10
      namespace: service-protection-plugin
' | deck gateway apply -

Validate

To test that the Service Protection plugin correctly applies rate limits to the Service, you’ll run requests from both Consumers in quick succession.

First, run the following command to test the rate limiting as the jsmith Consumer:

for _ in {1..6}; do
  curl  -i $KONNECT_PROXY_URL/anything \
       -H "apikey:jsmith-key" 
  echo
done

for _ in {1..6}; do
  curl  -i http://localhost:8000/anything \
       -H "apikey:jsmith-key" 
  echo
done

On the last request, you should get a 200 response with the message OK.

This doesn’t exceed the rate limit per Consumer or per Service.

Now, quickly run the following command to test the rate limiting as the tsmith Consumer:

for _ in {1..5}; do
  curl  -i $KONNECT_PROXY_URL/anything \
       -H "apikey:tsmith-key" 
  echo
done

for _ in {1..5}; do
  curl  -i http://localhost:8000/anything \
       -H "apikey:tsmith-key" 
  echo
done

On the last request, you should get a 429 response with the message API rate limit exceeded.

You get this error because the Consumer has now exceeded the rate limit of 10 requests per minute on the Service.

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Destroy the Kong Gateway container

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d