API Gateway 10.15 | Getting Started with API Gateway | Rate limit your APIs
 
Rate limit your APIs
 
Configuring Rate Limit for an API
Testing the API Rate Limit
API rate limiting is a technique used to limit the number of invocations made to an API during a specified time interval. Limiting the number of invocations prevents the API from being overloaded and in turn improves its performance.
Using the Traffic Optimization policy in API Gateway, you can limit the number of API invocations during a specified time interval. When the number of invocations exceeds the configured limit, API Gateway sends alerts to a specified destination.
The Traffic Optimization policy generates two types of events when the specified limit is breached:
* Policy violation event. Indicates each violation that occurs for an API. If there are 100 violations, then 100 policy violation events are generated.
* Monitor event. Its generation is controlled by the alert frequency configured in the policy, so it is not raised once per violation.
The following illustration explains how the configured rate limit restricts API invocation.
(Illustration: rate limit)
Why and when do you configure rate limiting?
API providers configure rate limits to:
* Prevent resource abuse. There could be cases in which a single consumer performs an unexpected number of invocations of an API. This overloads the system and affects the API's performance. Hence, as an API provider, you can configure a rate limit to prevent such usage.
* Manage traffic. As an API provider, you provide certain SLAs to your consumers, and if you have a large consumer base for your APIs then it is vital to control the traffic rate of your APIs. You can use rate limiting to manage traffic to an API, ensuring that it is highly available and responsive when handling requests from many consumers.
* Control resource usage. Resources cost money. The number of API invocations is directly proportional to the consumption of resources such as hosting providers, third-party agents, and so on. By setting rate limits, you can control the amount of resources used by each client.
* Protect from malicious activities. Restricting requests over a period also helps to minimize the risk posed by attackers and protects your resources from malicious activities.
Rate limiting considerations
* You can configure a rate limit in conjunction with other API policies such as the Identify & Authorize policy, the Traffic Management policy, and so on.
* To use rate limits (for protection) and quotas (for monetization) correctly, you must understand the fundamental difference between the two:
Rate limit: Specifies the number of requests that can be made to an API over a relatively short period, such as a second or a minute. Useful for managing traffic and preventing overload of an API in real time.
Quota: Specifies the number of requests that a consumer can make to an API over a longer period, such as per day, per week, or per month. Useful for controlling usage over a longer period and ensuring fair use of API resources.
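As an added illustration (not API Gateway code), the following Python model reproduces the behaviours described above: one policy violation event per over-limit invocation, monitor events throttled by the alert frequency, and a short-window rate limit alongside a long-period quota. The class name TrafficPolicy, the millisecond time base, and the sample limits are constructed for the example.

```python
from collections import deque


class TrafficPolicy:
    """Simulated Traffic Optimization style policy (added example, not API Gateway
    code); times are integer milliseconds. Rate limit: at most `limit` calls in any
    sliding `window`. Quota: at most `quota` successful calls per fixed `quota_window`.
    Events: one 'policy_violation' per rejected call, one 'monitor' per `alert_interval`."""

    def __init__(self, limit, window, alert_interval, quota=None, quota_window=None):
        self.limit, self.window, self.alert_interval = limit, window, alert_interval
        self.quota, self.quota_window = quota, quota_window
        self._recent = deque()     # timestamps of allowed calls inside the window
        self._quota_used = {}      # quota period index -> successful calls so far
        self._last_alert = None
        self.violations = []       # grows by one for every rejected invocation
        self.monitors = []         # throttled by alert_interval

    def _reject(self, now, reason):
        self.violations.append((reason, now))
        if self._last_alert is None or now - self._last_alert >= self.alert_interval:
            self.monitors.append((reason, now))
            self._last_alert = now
        return False

    def invoke(self, now):
        # Expire allowed calls that fell out of the sliding window.
        while self._recent and now - self._recent[0] >= self.window:
            self._recent.popleft()
        if len(self._recent) >= self.limit:
            return self._reject(now, "rate_limit")
        if self.quota is not None:
            period = now // self.quota_window
            if self._quota_used.get(period, 0) >= self.quota:
                return self._reject(now, "quota")
            self._quota_used[period] = self._quota_used.get(period, 0) + 1
        self._recent.append(now)
        return True


def simulate(calls=100, spacing=100, **policy_kwargs):
    """Fire `calls` invocations `spacing` ms apart; return (allowed, violations, monitors)."""
    policy = TrafficPolicy(**policy_kwargs)
    allowed = sum(policy.invoke(i * spacing) for i in range(calls))
    return allowed, len(policy.violations), len(policy.monitors)
```

With 10 calls per second against a limit of 5 per second and a 3-second alert interval, `simulate(limit=5, window=1000, alert_interval=3000)` allows 50 calls, records 50 violation events, but raises only 4 monitor events; adding `quota=20, quota_window=100000` caps the whole run at 20 successful calls.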