Layer7 API Management

  • 1.  Does the rate-limit on client-ip count within one policy only

    Posted Jul 31, 2017 04:16 AM

    Hello, I couldn't find this in the docs.

    When using the rate-limit assertion and setting it to client-ip, is this a counter specific to one policy, or does it work globally for connections from said client-ip?

    For high-performance rate limiting, what is the impact of disabling the cluster-wide checkboxes?
    Is it safe to assume that cluster-wide causes database operations, and local is in-memory only and thus faster? This could have a big impact on availability during DoS attacks.

    Additionally, if it does not work globally, can we put a rate-limit on client-ip in the message-received global policy if we want to protect our entire infrastructure?

    And perhaps just out of interest, how do other people protect their gateways against DoS attacks from, for example, one client? Are there people that put protection measures in the global message-received policy?



  • 2.  Re: Does the rate-limit on client-ip count within one policy only
    Best Answer

    Posted Jul 31, 2017 11:18 AM

    Hello Dimitri,

    So, yes, the assertion within the policy is affecting only that policy.

    If you have the cluster-wide checkbox checked in the Rate Limit assertion, it will take the value and divide it by the number of nodes in the cluster. The Rate Limit counter is stored in memory, and the memory is not shared among the nodes of the cluster, so the calculation for cluster-wide is simplified.
    When you have concurrency set to 1, cluster-wide is checked, and you have a 2-node cluster, then each node can handle a concurrency of 0.5, which will result in a failure.
    And your last question: yes, it can be most efficiently deployed in the Message Received global policy fragment by limiting certain services from being consumed too excessively.

    I hope I answered your question. If yes, you may mark this as the answer; if not, please feel free to ask additional questions.

    Thanks

    Kemal



  • 3.  Re: Does the rate-limit on client-ip count within one policy only

    Broadcom Employee
    Posted Jul 31, 2017 07:23 PM

    Hello Kemal, DimitriDemeer82305080,

    As per my understanding, the rate limit counter is node-wide, i.e. for the same counter id (for example, same client-ip), it's not just affecting only one policy: all the policies in the same gateway node which contain the rate limit assertion with the same counter id will share the same limit. (If the limit is set to different values in different policies, it may cause an unexpected outcome.)

    For example, if there are 2 services that have a rate limit with the same counter id, and the limit is set to 10 requests per second, then the total requests to the 2 services cannot exceed 10 requests per second. I.e. if the requests come to the 2 services at almost the same rate, then each service gets roughly 5 requests per second.

    I agree with the others.

    Regards,

    Mark
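    The two replies above describe two behaviours worth seeing side by side: a node-local counter that is shared by every policy on that node using the same counter id (Mark's point), and a cluster-wide limit that is simply divided by the node count because counter memory is not shared between nodes (Kemal's point). The following is an added illustration written for this thread, not Layer7 Gateway code: it models both behaviours with a simple per-second window, and the assumption that a fractional per-node share is floored to zero (so a limit of 1 split across 2 nodes admits nothing) is this model's way of expressing the "0.5 results in a failure" remark. The client address is a constructed sample.

```python
from collections import defaultdict


class NodeRateLimiter:
    """Model of one gateway node's in-memory rate-limit counters.

    Constructed illustration of the behaviour described in this thread; it is
    not the Layer7 Gateway implementation. Counters are keyed by counter id
    (for example the client IP) and live only in this node's memory, so every
    policy on the node that uses the same counter id shares one counter.
    """

    def __init__(self, cluster_size: int):
        self.cluster_size = cluster_size
        # counter id -> timestamps of admitted requests in the current window
        self._hits = defaultdict(list)

    def effective_limit(self, max_per_second: int, cluster_wide: bool) -> int:
        # Cluster-wide: the configured limit is divided by the node count,
        # because nodes do not share counter memory. Flooring the fractional
        # share is an assumption of this model: 1 request/s over 2 nodes -> 0.
        if cluster_wide:
            return max_per_second // self.cluster_size
        return max_per_second

    def allow(self, counter_id: str, now: float, max_per_second: int,
              cluster_wide: bool = False) -> bool:
        """Return True if a request for counter_id at time `now` is admitted."""
        limit = self.effective_limit(max_per_second, cluster_wide)
        # Keep only hits from the last second (sliding one-second window).
        window = [t for t in self._hits[counter_id] if now - t < 1.0]
        if len(window) >= limit:
            self._hits[counter_id] = window
            return False
        window.append(now)
        self._hits[counter_id] = window
        return True


def shared_counter_scenario() -> dict:
    """Two services on one node, both limiting on the same counter id (the
    client IP) at 10 requests/second. A client alternating between the two
    services within one second gets 10 requests through in total, not 20."""
    node = NodeRateLimiter(cluster_size=1)
    client_ip = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    accepted = {"service_a": 0, "service_b": 0}
    for i in range(20):
        service = "service_a" if i % 2 == 0 else "service_b"
        if node.allow(client_ip, now=i * 0.01, max_per_second=10):
            accepted[service] += 1
    return accepted  # -> {"service_a": 5, "service_b": 5}


def cluster_wide_split_scenario() -> tuple:
    """Limit of 1 request/second on a 2-node cluster. With cluster-wide
    checked each node's share is 0.5, floored to 0, so every request is
    rejected; without it each node independently admits 1 request/second."""
    client_ip = "203.0.113.7"  # constructed sample address
    node_cw = NodeRateLimiter(cluster_size=2)
    node_local = NodeRateLimiter(cluster_size=2)
    admitted_cw = sum(node_cw.allow(client_ip, t, 1, cluster_wide=True)
                      for t in (0.0, 0.1))
    admitted_local = sum(node_local.allow(client_ip, t, 1, cluster_wide=False)
                         for t in (0.0, 0.1))
    return admitted_cw, admitted_local  # -> (0, 1)


if __name__ == "__main__":
    print("shared counter id across two services:", shared_counter_scenario())
    print("cluster-wide vs local, limit 1 on 2 nodes:", cluster_wide_split_scenario())
```

    The practical consequence for the original question: if the same counter id (e.g. the client IP) is used in the Message Received global policy and again inside individual service policies on the same node, the model shows those assertions drawing down one shared budget, so the tightest configured limit governs; pick distinct counter ids where independent limits are intended, and keep cluster-wide limits large enough that the per-node share stays at or above one.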



  • 4.  Re: Does the rate-limit on client-ip count within one policy only

    Posted Aug 01, 2017 08:09 AM

    Hey Mark,

    Yes I agree, I forgot about the counterID! : )

    cheers

    kemal



  • 5.  Re: Does the rate-limit on client-ip count within one policy only

    Posted Aug 01, 2017 06:13 AM

    Thank you both!