Gloo API (Enterprise)

Overview

Gloo includes a simplified rate limiting model that allows you to specify the number of requests per configurable unit of time that can be made against all routes defined within a virtual host. You can set different limits for authorized and anonymous users. An authorized user is one whose identity the Gloo external authentication server has validated, with the user token included in the request. Authorized users are rate limited on a per-user basis. Anonymous users are rate limited on a per calling IP basis, i.e., all requests from that incoming IP count towards the requests-per-time limit.

For a more fine-grained approach, take a look at using Gloo with Envoy’s native rate limiting model.

Rate Limit

Rate limits are defined on the virtual service specification as spec.virtualHost.virtualHostPlugins.extensions.configs.rate-limit. There is a full example later in this document that shows the rate limit configuration in context.

rate-limit:
  anonymous_limits:
    requests_per_unit: 1000
    unit: HOUR
  authorized_limits:
    requests_per_unit: 200
    unit: MINUTE

An example virtual service with rate limits enabled

The minimum required configuration to create a new virtual service for the example petclinic application with anonymous and authorized rate limits enabled is shown below.

First, install the petclinic application.

kubectl apply \
  --filename https://raw.githubusercontent.com/solo-io/gloo/master/example/petclinic/petclinic.yaml

Refer to the Gloo external authentication documentation on how to configure Gloo to authenticate users.

In this example, we restrict authorized users to 200 requests per minute and anonymous users to 1000 requests per hour.

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  displayName: default
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: default-petclinic-8080
            namespace: gloo-system
    virtualHostPlugins:
      extensions:
        configs:
          rate-limit:
            anonymous_limits:
              requests_per_unit: 1000
              unit: HOUR
            authorized_limits:
              requests_per_unit: 200
              unit: MINUTE
        # extauth:
        #   oauth:
        #     # your OAuth settings here to authorize users

You can also set rate limits only for anonymous users (rate limit by remote address) or only for authorized users (rate limit by user id). For example, to rate limit anonymous users only, you would configure just the anonymous_limits section, as follows.

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  displayName: default
  virtualHost:
    domains:
    - '*'
    routes:
    - matcher:
        prefix: /
      routeAction:
        single:
          upstream:
            name: default-petclinic-8080
            namespace: gloo-system
    virtualHostPlugins:
      extensions:
        configs:
          rate-limit:
            anonymous_limits:
              requests_per_unit: 1000
              unit: HOUR
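The per-caller keying described in the overview (per user id for authenticated callers, per remote IP for anonymous ones), and the "anonymous only" case just shown, as an added Python model that is not Gloo's own code. It reuses the values from the rate-limit blocks above, and assumes a fixed counting window per unit and that a caller class with no limits configured is not limited; it models the semantics only, not Gloo's enforcement path.

```python
import time

# Seconds per unit name used in the rate-limit block (assumed mapping for this model)
UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

# Same values as the page's full rate-limit block, as a Python dict
RATE_LIMIT_CONFIG = {
    "anonymous_limits": {"requests_per_unit": 1000, "unit": "HOUR"},
    "authorized_limits": {"requests_per_unit": 200, "unit": "MINUTE"},
}


class VirtualHostRateLimiter:
    """Counts requests per (limit scope, key) in a fixed window per unit."""

    def __init__(self, config, clock=time.time):
        self.config = config
        self.clock = clock  # injectable so the window reset can be tested
        self.windows = {}   # (scope, key) -> (window_start, count)

    def descriptor(self, remote_addr, user_id=None):
        """Pick the bucket: per user id when authenticated, else per calling IP.

        Callers behind a shared source address (NAT, forward proxy) share one
        anonymous bucket. A class with no limits configured is not limited
        (assumption of this model)."""
        if user_id is not None:
            return ("authorized_limits", user_id) if "authorized_limits" in self.config else None
        return ("anonymous_limits", remote_addr) if "anonymous_limits" in self.config else None

    def allow(self, remote_addr, user_id=None):
        """Return True if the request fits its limit, False if it should be rejected (429)."""
        desc = self.descriptor(remote_addr, user_id)
        if desc is None:
            return True
        limit = self.config[desc[0]]
        span = UNIT_SECONDS[limit["unit"]]
        now = self.clock()
        start, count = self.windows.get(desc, (now, 0))
        if now - start >= span:  # window expired: start a fresh count
            start, count = now, 0
        if count >= limit["requests_per_unit"]:
            self.windows[desc] = (start, count)
            return False
        self.windows[desc] = (start, count + 1)
        return True
```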