Protect your Services

    If you are following the getting started workflow, make sure you have completed Exposing Your Services before moving on.

    Kong’s lets you restrict how many requests your upstream services receive from your API consumers, or how often each user can call the API.

    Rate limiting protects the APIs from accidental or malicious overuse. Without rate limiting, each user may request as often as they like, which can lead to spikes of requests that starve other consumers. After rate limiting is enabled, API calls are limited to a fixed number of requests per second.

    Using Kong Manager

    Using the Admin API

    Using decK (YAML)

    1. Access your Kong Manager instance and your default workspace.

    2. Go to API Gateway > Plugins.

    3. Click New Plugin.

    4. Scroll down to Traffic Control and find the Rate Limiting Advanced plugin. Click Enable.

    5. If you switched it to Scoped, the rate limiting would apply the plugin to only one Service, Route, or Consumer.

    6. Scroll down and complete only the following fields with the following parameters.

      1. config.limit:
      2. config.sync_rate: -1
      3. config.window_size: 30

      Besides the above fields, there may be others populated with default values. For this example, leave the rest of the fields as they are.

    Call the Admin API on port 8001 and configure plugins to enable a limit of five (5) requests per minute, stored locally and in-memory, on the node.

    cURL

    HTTPie

    1. http -f post :8001/plugins \
    2.   name=rate-limiting \
    3.   config.minute=5 \
    4.   config.policy=local

    1. Add a new plugins section to the bottom of your kong.yaml file. Enable rate-limiting with a limit of five (5) requests per minute, stored locally and in-memory, on the node:

      2.  services:
      3.  - host: mockbin.org
      4.    name: example_service
      5.    port: 80
      6.    protocol: http
      7.    routes:
      8.    - name: mocking
      9.      paths:
      10.      strip_path: true
      12.  - name: rate-limiting
      13.    config:
      14.      minute: 5
      15.      policy: local

      This plugin will be applied globally, which means the rate limiting applies to all requests, including every Service and Route in the Workspace.

      If you pasted the plugin section under an existing Service, Route, or Consumer, the rate limiting would only apply to that specific entity.

    2. Sync the configuration:

    Using a Web Browser

    Using the Admin API

    1. Enter <admin-hostname>:8000/mock and refresh your browser six times. After the 6th request, you’ll receive an error message.
    2. Wait at least 30 seconds and try again. The service will be accessible until the sixth (6th) access attempt within a 30-second window.

    To validate rate limiting, access the API six (6) times from the CLI to confirm the requests are rate limited.

    cURL

    HTTPie

    1. curl -i -X GET http://<admin-hostname>:8000/mock/request

    After the 6th request, you should receive a 429 “API rate limit exceeded” error:

    1. {
    3. }

    In this section:

    • If using the Admin API or decK, you enabled the Rate Limiting plugin, setting the rate limit to 5 times per minute.