Updated on 2024-11-27 GMT+08:00

Configuring Request Throttling 2.0

ROMA Connect provides flexible extension capabilities for APIs through plug-in policies. Request throttling 2.0 limits the number of times an API can be called within a specific time period to protect backend services.

Plug-in policies and APIs are independent of each other. A plug-in policy takes effect for an API only after it is bound to the API. When binding a plug-in policy to an API, you must specify an environment where the API has been published. The plug-in policy takes effect for the API only in the specified environment.

Constraints

  • An API can be bound to only one plug-in policy of the same type in the same environment. A plug-in policy that has been bound to an API cannot be deleted.
  • If both a traditional request throttling policy and a request throttling 2.0 policy are bound to an API, the request throttling 2.0 policy takes effect.

Creating a Request Throttling 2.0 Policy

  1. Log in to the ROMA Connect console. On the Instances page, click View Console of an instance.
  2. In the navigation pane on the left, choose API Connect > API Policies. On the Policies tab, click Create Policy.
  3. On the Select Policy Type page, select Request Throttling 2.0 in the Plug-ins area.
  4. On the page displayed, configure plug-in policy information.
    Table 1 Policy configuration

    Parameter

    Description

    Name

    Enter a policy name. A consistent naming convention makes policies easier to find later.

    Type

    Fixed as Request Throttling 2.0.

    Scope

    Specify who can view and use the policy.

    • Integration application: Each policy belongs to an integration application. Only users who have the permission on the integration application can view and use the policy.
    • All: All users in the current instance can view and use the policy.

    Integration Application

    Mandatory when Scope is set to Integration application.

    Select an integration application for the policy. If none is available, click Create Integration Application on the right to create one.

    Description

    Describe the policy.

    Policy Content: Configure the policy in a form or script. For details about how to configure a script, see Script Configuration Example.

    Throttling

    Set the throttling type. High-performance throttling is recommended.

    • High precision: Counting within the period is exact, but performance is poor under high concurrency. Select this type in low concurrency scenarios.
    • High-performance: Counting within the period is occasionally off by a small amount, with a small performance penalty under high concurrency. Select this type in high concurrency scenarios.
    • Single-node: Counting within the period has some error, with a smaller performance penalty under high concurrency. Select this type in higher concurrency scenarios.

    Policy Information

    Policy Type

    Select a policy type.

    • API-specific: Requests of APIs bound to the current plug-in are calculated separately.
    • API-sharing: Requests of all APIs bound to the current plug-in are calculated together.

    Period

    Enter the request throttling duration in seconds, minutes, hours, or days. This parameter must be used together with parameters in Basic Throttling:

    • Max. API Requests limits the total number of calls to an API
    • Max. User Requests limits the number of calls by a user
    • Max. Credential Requests limits the number of calls by a credential
    • Max. IP Address Requests limits the number of calls by an IP address

    Basic Throttling

    Max. API Requests

    Enter the maximum number of times that an API can be called. This parameter is used along with Period.

    Max. User Requests

    Enter the maximum number of times that an API can be called by a user. This parameter is used along with Period. The value of this parameter cannot be greater than the Max. API Requests.

    Max. Credential Requests

    Enter the maximum number of times that an API can be called by a credential. This parameter is used along with Period. The value of this parameter cannot be greater than the Max. API Requests.

    Max. IP Address Requests

    Enter the maximum number of times that an API can be called by an IP address. This parameter is used along with Period. The value of this parameter cannot be greater than the Max. API Requests.

    Parameter-based Throttling

    Specify whether to enable parameter-based throttling. Once enabled, rules and throttling limits in the policy you configure here override those in Basic Throttling.

    • If a parameter-based throttling policy is matched, its throttling limits take effect.
    • If no parameter-based throttling policy is matched, throttling limits configured in Basic Throttling take effect.

    Define Parameters

    Define the parameters for rule matching. Click Add Parameter to add rule parameters.

    • Parameter Location: position of a parameter in an API request.
      • path: API request URI. This parameter is configured by default.
      • method: API request method. This parameter is configured by default.
      • header: first value of the header parameter in an API request.
        NOTE:

        For security purposes, do not include sensitive information in these parameters.

      • query: first value of the query parameter in an API request.
      • system: a system parameter.
    • Parameter: name of a parameter used for rule matching.

    Define Rules

    Define the rules for parameter-based throttling. Click Add Rule to add rules. The system matches rules from top to bottom.

    • Rules: Click to modify the condition expression. If there are three or more expressions, you can layer them by clicking Set Lower Level.
      • =: equal to
      • !=: not equal to
      • pattern: regular expression
      • enum: enumerated values, separated by comma (,)
    • Max. API Requests: Enter the maximum number of times that bound APIs can be called. This parameter is used along with Period.
    • Period: Enter the throttling duration in seconds, minutes, hours, or days. This parameter is used along with Max. API Requests.

    For example, add the Host parameter with the location header, add the condition Host = www.abc.com, and set the throttling limit to 10 and the period to 60s. Requests whose Host header equals www.abc.com can then call the bound APIs at most 10 times in 60s.

    Excluded Throttling

    Specify whether to enable excluded throttling for tenants or integration applications.

    The throttling limits for excluded tenants and applications override the Max. User Requests and Max. Credential Requests set in Basic Throttling.

    Excluded Tenants

    Click Add Tenant to limit the requests of specified tenants.

    • Account ID: Enter the ID of the tenant to which the request throttling policy is to be bound.
      • If the App authentication mode is used to call APIs, the tenant ID is the project ID of the user to which the integration application belongs.
      • If IAM authentication is used to call APIs, enter the account ID of the caller.

      Click the username in the upper right corner of the console and choose My Credentials to obtain the project ID and account ID.

    • Threshold: Enter the maximum number of times that an API can be called by the tenant within the specified period. The value of this parameter cannot be greater than the Max. API Requests in Basic Throttling.

    Excluded Apps

    Click Add App to limit the requests of specified integration applications.

    • App: Select an integration application for request throttling.
    • Threshold: Enter the maximum number of times that an API can be called by the application within the specified period. The value of this parameter cannot be greater than the Max. API Requests in Basic Throttling.
  5. Click OK.

    After the plug-in policy is created, bind it to an API as described in Binding a Plug-in Policy to an API. The policy takes effect for an API only after it is bound.

Binding a Plug-in Policy to an API

  1. On the Policies tab, filter policies by Request Throttling 2.0.
  2. Click the name of a policy to go to the details page.
  3. On the APIs tab, select the environment of the APIs you want to bind the policy to, and click Bind to APIs.
  4. On the page displayed, select the APIs to bind the policy to.

    APIs can be filtered by API group and API name.

  5. Click OK.

Script Configuration Example

{
  "scope": "basic",
  "default_interval": 60,
  "default_time_unit": "second",
  "api_limit": 100,
  "app_limit": 50,
  "user_limit": 50,
  "ip_limit": 20,
  "specials": [
    {
      "type": "app",
      "policies": [
        {
          "key": "e9230d70c749408eb3d1e838850cdd23",
          "limit": 10
        }
      ]
    },
    {
      "type": "user",
      "policies": [
        {
          "key": "878f1b87f71c40a7a15db0998f358bb9",
          "limit": 10
        }
      ]
    }
  ],
  "algorithm": "counter",
  "parameters": [
    {
      "id": "3wuj354lpptv0toe0",
      "value": "reqPath",
      "type": "path",
      "name": "reqPath"
    },
    {
      "id": "53h7e7j11u38l3ocp",
      "value": "method",
      "type": "method",
      "name": "method"
    },
    {
      "id": "vv502bnb6g40td8u0",
      "value": "Host",
      "type": "header",
      "name": "Host"
    }
  ],
  "rules": [
    {
      "match_regex": "[\"Host\",\"==\",\"www.abc.com\"]",
      "rule_name": "u8mb",
      "time_unit": "second",
      "interval": 2,
      "limit": 5
    }
  ]
}
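
The following check is an added example, not part of the ROMA Connect documentation or product code. It lints a policy script against the constraints stated in Table 1 and resolves which limit applies to a request (rules matched top to bottom, Basic Throttling otherwise). Assumptions: user_limit, app_limit and ip_limit correspond to Max. User, Credential and IP Address Requests; match_regex holds a flat [parameter, operator, value] triple; "!=" is spelled as in the console; the list of sensitive header names is a heuristic.

```python
import json

# Constructed policy: the page's script shape with two deliberate mistakes.
POLICY = {
    "default_interval": 60, "default_time_unit": "second",
    "api_limit": 100, "app_limit": 50, "user_limit": 50,
    "ip_limit": 200,  # mistake: greater than api_limit
    "specials": [{"type": "app",
                  "policies": [{"key": "app-id-placeholder", "limit": 10}]}],
    "parameters": [
        {"type": "header", "name": "Host"},
        {"type": "header", "name": "Authorization"},  # mistake: carries a secret
    ],
    "rules": [{"match_regex": '["Host","==","www.abc.com"]', "rule_name": "r1",
               "time_unit": "second", "interval": 2, "limit": 5}],
}
# Heuristic list of header names that usually carry secrets (assumption).
SENSITIVE = ("authorization", "cookie", "token", "secret", "password")

def lint(policy):
    """Return findings for the constraints stated in the policy table."""
    api, findings = policy["api_limit"], []
    for field in ("user_limit", "app_limit", "ip_limit"):
        if policy.get(field, 0) > api:
            findings.append(f"{field}={policy[field]} exceeds api_limit={api}")
    for special in policy.get("specials", []):
        for entry in special["policies"]:
            if entry["limit"] > api:
                findings.append(
                    f"excluded {special['type']} {entry['key']} exceeds api_limit")
    for param in policy.get("parameters", []):
        name = param["name"].lower()
        if param["type"] == "header" and any(s in name for s in SENSITIVE):
            findings.append(f"header parameter {param['name']} may hold sensitive data")
    return findings

def effective_limit(policy, request):
    """Return (limit, interval, unit) for a request given as {parameter: first value}."""
    for rule in policy.get("rules", []):  # rules are matched top to bottom
        name, op, expected = json.loads(rule["match_regex"])  # flat triple only
        actual = request.get(name)
        if (op == "==" and actual == expected) or (op == "!=" and actual != expected):
            return rule["limit"], rule["interval"], rule["time_unit"]
    # No rule matched: the Basic Throttling values apply.
    return policy["api_limit"], policy["default_interval"], policy["default_time_unit"]

if __name__ == "__main__":
    print(lint(POLICY))
    print(effective_limit(POLICY, {"Host": "www.abc.com"}))
```

Running the lint before saving a script catches limits that the console form would reject and parameter definitions that would put credentials into rule matching.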