Manual Chapter: Overview: Rate limiting API requests
Applies To: BIG-IP APM 15.0.1, 15.0.0
When you configure APM as an API protection proxy, you can also establish quotas and spike arrest limits that keep API traffic within the capacity of the applications and backend API servers. This way, you can control API traffic loads based on system requirements.
In the API Protection profile, you can enforce rate limiting in the
following ways:
- Configure and enforce quota limits for API calls using configurable settings such as Client ID, User Group, Client IP address, User Name, multiple values (like User Group and User Name), or a perflow variable name.
- Control traffic spikes by limiting the number of API requests over shorter intervals.
- Create a whitelist or blacklist to allow or reject requests identified by key and key values.
- Generate responses when quota, spike, or blacklist enforcement rejects API requests.
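The following added example (not F5 code and not APM configuration) models how a quota over a long interval and a spike arrest limit over a short interval act on the same key, here the multiple-value key of User Group and User Name, together with a blacklist. The class and function names, status codes, evaluation order, and the rule that only accepted requests are counted are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed status codes; real rejection responses are whatever the admin configures.
RESPONSES = {"spike": 429, "quota": 429, "blacklist": 403}

class RateLimiter:
    """Conceptual model of quota + spike arrest; not APM's implementation."""

    def __init__(self, key_fields, quota, quota_window, spike, spike_window,
                 whitelist=(), blacklist=()):
        self.key_fields = key_fields            # request fields that form the key
        self.quota, self.quota_window = quota, quota_window   # long interval
        self.spike, self.spike_window = spike, spike_window   # short interval
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.hits = defaultdict(deque)          # key -> times of accepted requests

    def check(self, request, now):
        """Return (verdict, status) for one request arriving at time `now` (seconds)."""
        key = tuple(request[f] for f in self.key_fields)
        if key in self.blacklist:               # assumed order: lists before counters
            return "blacklist", RESPONSES["blacklist"]
        if key in self.whitelist:
            return "allow", 200
        hits = self.hits[key]
        while hits and now - hits[0] >= self.quota_window:
            hits.popleft()                      # drop requests outside the quota window
        if sum(1 for t in hits if now - t < self.spike_window) >= self.spike:
            return "spike", RESPONSES["spike"]
        if len(hits) >= self.quota:
            return "quota", RESPONSES["quota"]
        hits.append(now)                        # only accepted requests are counted
        return "allow", 200

def replay(limiter, events):
    """Run (time, request) pairs through the limiter; return the verdicts."""
    return [limiter.check(req, t)[0] for t, req in events]

def demo():
    limiter = RateLimiter(("user_group", "user_name"), quota=5, quota_window=60,
                          spike=2, spike_window=1,
                          blacklist={("guests", "blocked-user")})
    alice = {"user_group": "dev", "user_name": "alice", "client_ip": "192.0.2.10"}
    blocked = {"user_group": "guests", "user_name": "blocked-user", "client_ip": "192.0.2.20"}
    times = [0.0, 0.2, 0.4, 2, 3, 4, 10, 61]     # constructed arrival times
    return replay(limiter, [(t, alice) for t in times]) + replay(limiter, [(70, blocked)])

if __name__ == "__main__":
    print(demo())
```

In the constructed run, the third request is rejected by the spike limit even though the quota is far from used up, and the request at 10 seconds is rejected by the quota even though traffic is no longer bursty.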
This section describes how to manually configure rate limiting within an existing API protection profile that is associated with a virtual server. For details on creating API protection profiles, refer to Protecting APIs with Access Policy Manager. For a simpler, automated setup procedure, you can instead follow the steps in the API Protection template using .