Service Rate Limit

Kato supports Envoy-based global rate limiting by default. The feature is part of the comprehensive network management plug-in that Kato provides by default. In this article, we walk through a use case to show how to use the global rate limit in Kato.

Precondition

  1. Deploy an accessible Demo component.
  2. Open the integrated network management plug-in for this component.

Operating Procedures

  1. Deploy the Redis component used by the global rate limit service. Use the image redis:alpine to create the component. After the component is created, change the alias of port 6379 to REDIS in the port settings, and enable the internal service permission.

  2. Deploy the global rate limit service from an image. Use the following DockerRun command to create a component, which can be deployed in the same application as the business component. After adding it, make it depend on the REDIS component installed in the previous step.

docker run -e USE_STATSD=false -e REDIS_SOCKET_TYPE=tcp -e REDIS_URL=${REDIS_HOST}:${REDIS_PORT} -e RUNTIME_ROOT=/data -e RUNTIME_SUBDIRECTORY=ratelimit -v /data/ -p 8081:8081 gridworkz/ratelimit:v1.4.0 /bin/ratelimit

After the component is added successfully, switch to the component's port setting page, open the internal service for port 8081 and set the port alias to RATE_LIMIT_SERVER.

The global rate limit service used by default is Envoy's default implementation; you can write your own implementation according to Envoy's rate limit service API specification.

  3. Add the rate limit configuration file

Enter the environment management page of the global rate limit service component and add a configuration file with the path /data/ratelimit/config/config.yaml:

domain: limit.common
descriptors:
  - key: remote_address
    rate_limit:
      unit: second
      requests_per_unit: 10

  # Black list IP
  - key: remote_address
    value: 50.0.0.5
    rate_limit:
      unit: second
      requests_per_unit: 0

Restart the component after adding the configuration file.

This configuration limits the rate by request source IP: access from 50.0.0.5 is blocked, and every other IP address is limited to 10 requests per second.

  4. Make the business component depend on the rate limit service component and update the plug-in configuration

Edit the topology diagram so that the business component depends on the rate limit service component just deployed. Then enter the business component's plug-in management and click the view-configuration entry of the integrated management plug-in that has been activated. Make the following settings in the configuration form:

  • Set OPEN_LIMIT to yes.
  • Set LIMIT_DOMAIN to limit.common, which corresponds to the domain in the configuration file above.

After the configuration is complete, update the plug-in configuration.

  5. Verify that the rate limit is in effect

We can use the ab command for stress testing:

ab -n 1000 -c 20 http://5000.gr425688.duaqtz0k.17f4cc.grapps.ca/

The results will be displayed as follows:

Concurrency Level: 20
Time taken for tests: 6.132 seconds
Complete requests: 1000
Failed requests: 794
   (Connect: 0, Receive: 0, Length: 794, Exceptions: 0)
Non-2xx responses: 794

It can be seen that 794 of the 1000 requests were restricted, and the HTTP status code of the requests rejected by the rate limit was 429.
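
How the config.yaml shown above turns into 200 or 429 decisions, as an added example that is not part of the original article or of the Envoy ratelimit code: a simplified in-memory model, assuming that a descriptor entry with a matching value takes precedence over the key-only entry and that requests are counted per fixed one-second window. The names resolve_limit and FixedWindowLimiter and the dict form of the config are hypothetical, chosen for illustration.

```python
import time

# Mirrors config.yaml from this page, written as a dict so the example runs offline.
CONFIG = {
    "domain": "limit.common",
    "descriptors": [
        {"key": "remote_address",
         "rate_limit": {"unit": "second", "requests_per_unit": 10}},
        {"key": "remote_address", "value": "50.0.0.5",  # block-listed IP
         "rate_limit": {"unit": "second", "requests_per_unit": 0}},
    ],
}
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def resolve_limit(config, domain, key, value):
    """Return the rate_limit rule for a descriptor, or None if nothing matches.
    An entry with a matching value wins over the key-only catch-all entry."""
    if domain != config["domain"]:
        return None
    fallback = None
    for d in config["descriptors"]:
        if d["key"] != key:
            continue
        if d.get("value") == value:
            return d["rate_limit"]
        if "value" not in d:
            fallback = d["rate_limit"]
    return fallback


class FixedWindowLimiter:
    """In-memory stand-in for the Redis counters: one counter per (client, window)."""

    def __init__(self, config):
        self.config = config
        self.counters = {}  # Redis would expire old windows; this model keeps them

    def check(self, domain, remote_address, now=None):
        """Return the HTTP status the caller would see: 200 or 429."""
        now = time.time() if now is None else now
        rule = resolve_limit(self.config, domain, "remote_address", remote_address)
        if rule is None:
            return 200  # no matching descriptor: request is not limited
        window = int(now) // UNIT_SECONDS[rule["unit"]]
        bucket = (domain, remote_address, window)
        self.counters[bucket] = self.counters.get(bucket, 0) + 1
        return 200 if self.counters[bucket] <= rule["requests_per_unit"] else 429
```

With requests_per_unit set to 0 the first request in every window already exceeds the limit, which is why the 50.0.0.5 entry behaves as a block list.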

Common Problems

Is it possible to develop a custom rate limit service?

Of course. The service implementation used in this article is Envoy ratelimit; you can implement your own based on the API specification.

Are more rate limiting strategies supported?

The rate limiting strategy can also support limiting based on request headers, but currently only limiting based on the source IP address is supported.