Rate Limiting

Kong Gateway imposes rate limits on clients through the use of the . When rate limiting is enabled, clients are restricted in the number of requests that can be made in a configurable period of time. The plugin supports identifying clients as consumers or by the client IP address of the requests.

The following tutorial walks through managing rate limiting across various aspects in Kong Gateway.

This chapter is part of the Get Started with Kong series. For the best experience, it is recommended that you follow the series from the beginning.

Start with the introduction , which includes tool prerequisites and instructions for running a local Kong Gateway.

Step two of the guide, Services and Routes, includes instructions for installing a mock service used throughout this series.

If you haven’t completed these steps already, complete them before proceeding.

Installing the plugin globally means every proxy request to Kong Gateway will be subject to rate limit enforcement.

Enable rate limiting

This command has instructed Kong Gateway to impose a maximum of 5 requests per minute per client IP address for all routes and services.

The policy configuration determines where Kong Gateway retrieves and increments limits. See the full plugin configuration reference for details.

You will see a response that contains the new plugin configuration, including identification information similar to:
```
"id": "fc559a2d-ac80-4be8-8e43-cb705524be7f",
"name": "rate-limiting",
"enabled": true
```
Validate

After configuring rate limiting, you can verify that it was configured correctly and is working, by sending more requests then allowed in the configured time limit.

Command Line

Web browser

Run the following command to quickly send 6 mock requests:

Open in your browser and refresh the page 6 times within 1 minute.
```
{
   "message": "API rate limit exceeded"
}
```

The Rate Limiting plugin can be enabled for specific services. The request is the same as above, but posted to the service URL:

The Rate Limiting plugin can be enabled for specific routes. The request is the same as above, but posted to the route URL:

curl -X POST http://localhost:8001/routes/example_route/plugins \
   --data config.policy=local

In Kong Gateway, are an abstraction that defines a user of a service. Consumer-level rate limiting can be used to limit request rates per consumer.

Create a consumer

Consumers are created using the consumer object in the Admin API.
Enable rate limiting for the consumer

Using the consumer id, enable rate limiting for all routes and services for the jsmith consumer.
```
curl -X POST http://localhost:8001/plugins \
   --data "name=rate-limiting" \
   --data "consumer.username=jsmith" \
```

In high scale production scenarios, effective rate limiting may require advanced techniques. The basic Rate Limiting plugin described above only allows you to define limits over fixed-time windows. Fixed-time windows are sufficient for many cases, however, there are disadvantages:

Bursts of requests around the boundary time of the fixed window, may result in strained resources as the window counter is reset in the middle of the traffic burst.

The Rate Limiting Advanced plugin is an enhanced version of the Rate Limiting plugin. The advanced plugin provides additional limiting algorithm capabilities and superior performance compared to the basic plugin. For more information on advanced rate limiting algorithms, see .

Next Proxy Caching