Local rate limit

    • This filter should be configured with the name envoy.filters.http.local_ratelimit.

    The HTTP local rate limit filter applies a token bucket rate limit when the request’s route or virtual host has a per filter .

    If the local rate limit token bucket is checked, and there are no tokens available, a 429 response is returned (the response is configurable). The local rate limit filter then sets the x-envoy-ratelimited response header. can be configured to be returned.

    Request headers can be configured to be added to forwarded requests to the upstream when the local rate limit filter is enabled but not enforced.

    Depending on the value of the config , the token bucket is either shared across all workers or on a per connection basis. This results in the local rate limits being applied either per Envoy process or per downstream connection. By default the rate limits are applied per Envoy process.

    Example filter configuration for a globally set rate limiter (e.g.: all vhosts/routes share the same token bucket):

    Example filter configuration for a globally disabled rate limiter but enabled for a specific route:

    The route specific configuration:

    Note that if this filter is configured as globally disabled and there are no virtual host or route level token buckets, no rate limiting will be applied.

    Rate limit descriptors can be used to override local per-route rate limiting. A route’s rate limit action is used to match up a local descriptor in the filter config descriptor list. The local descriptor’s token bucket settings are then used to decide whether the request should be rate limited, depending on whether the local descriptor’s entries match the descriptor entries produced by the route’s rate limit actions. If there are no matching descriptor entries, the default token bucket is used.

    local-rate-limit-with-descriptors.yaml

    In this example, requests are rate-limited for routes prefixed with “/foo” as follows. If requests come from a downstream service cluster “foo” for the “/foo/bar” path, then 10 req/min are allowed. If they come from a downstream service cluster “foo” for the “/foo/bar2” path, then 100 req/min are allowed. Otherwise, 1000 req/min are allowed.
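The limits described above, written out as a route-level configuration. This is an added example, not the contents of the page's local-rate-limit-with-descriptors.yaml. The cluster name, stat_prefix and runtime keys are placeholders, and reading the client cluster from the x-envoy-downstream-service-cluster request header is an assumption.

```yaml
routes:
- match: {prefix: "/foo"}
  route:
    cluster: service_protected_by_rate_limit      # placeholder upstream cluster
    rate_limits:
    - actions:
      # Each action emits one descriptor entry (key, value) per request.
      - request_headers:
          header_name: x-envoy-downstream-service-cluster   # assumed source of the cluster name
          descriptor_key: client_cluster
      - request_headers:
          header_name: ":path"
          descriptor_key: path
  typed_per_filter_config:
    envoy.filters.http.local_ratelimit:
      "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
      stat_prefix: foo_route_rate_limiter         # placeholder
      # Default bucket: used when no descriptor below matches (1000 req/min).
      token_bucket: {max_tokens: 1000, tokens_per_fill: 1000, fill_interval: 60s}
      # Both fractions default to 0, so they are set explicitly here.
      filter_enabled:
        runtime_key: foo_route_rate_limit_enabled     # placeholder
        default_value: {numerator: 100, denominator: HUNDRED}
      filter_enforced:
        runtime_key: foo_route_rate_limit_enforced    # placeholder
        default_value: {numerator: 100, denominator: HUNDRED}
      descriptors:
      # Entries must equal the values the actions produced for the request.
      - entries:
        - {key: client_cluster, value: foo}
        - {key: path, value: /foo/bar}
        token_bucket: {max_tokens: 10, tokens_per_fill: 10, fill_interval: 60s}     # 10 req/min
      - entries:
        - {key: client_cluster, value: foo}
        - {key: path, value: /foo/bar2}
        token_bucket: {max_tokens: 100, tokens_per_fill: 100, fill_interval: 60s}   # 100 req/min
```

Lowering the filter_enforced numerator while leaving filter_enabled at 100 keeps the limit decision and its statistics active without returning 429s, which is a way to observe the effect of new limits before enforcing them.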

    The local rate limit filter outputs statistics in the <stat_prefix>.http_local_rate_limit. namespace. 429 responses – or the configured status code – are emitted to the normal cluster .

    The HTTP rate limit filter supports the following runtime fractional settings:

    http_filter_enabled

    % of requests that will check the local rate limit decision, but not enforce, for a given route_key specified in the local rate limit configuration. Defaults to 0.

    http_filter_enforcing

    % of requests that will enforce the local rate limit decision for a given route_key specified in the local rate limit configuration. Defaults to 0. This can be used to test what would happen before fully enforcing the outcome.