Manual Chapter :
API rate limiting: Group-based quota enforcement
Applies To:
Show VersionsBIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
API rate limiting: Group-based quota enforcement
This example of API rate limiting uses OAuth token validation, request
classification, and branch logic based on user group. Each group signifies a different tier of
the API that is sold to customers: Platinum, Gold, and Silver. All users have an unlimited number
of GET requests. Within each group, each user has a limited number of POST requests.
Each group has a different API rate limiting agent. Platinum users are
allowed up to 10,000 requests, Gold users up to 5,000, and Silver users up to 1000 requests. The
API protection per-request policy determines which group the request is from, determines the user
ID, and adds the request to the quota tally.
To develop this example, you need to
- Create an API protection profile that defines the paths, servers, and responses preferably using an OpenAPI spec file.
- In the API protection profile, forAuthorization, useOAuth 2.0.
- On the Rate Limiting tab of the API protection profile, create an identity key calledusernameandusergroupwith a value of%{subsession.access_token.username}and%{subsession.access_token.usergroup}. Also create three rate limiting configurations with different Request Quotas and Spike Arrest values.
- On the Access Control tab, clickEditto see the visual representation of the per-request policy that was created.
- In the visual policy editor, edit the policy as needed for rate limiting each branch. Create API Rate Limiting agents for each tier and in each agent, select the appropriate configuration and response for that tier.
Here is the example API protection per-request policy that performs
different levels of rate limiting for three product tiers.
How it works
- Access Policy Manager receives an API request with an authorization header containing a JWT access token.
- The access token is extracted from the authorization header.
- For all API requests, the OAuth Scope agent in the subroutine validates the access token.
- If OAuth validation fails, the system returns an appropriate response for that API request.
- On successful validation of the JWT access token, the Request Classification agent classifies the API request based on its path and method.
- For each branch, the branch expression classifies the request based on the user group.
- By assigning different Rate Limiting configurations in the three API Rate Limiting agents, the policy enforces different rate limiting quotas for each user group. Each user of a given group gets an individual quota.
- If a user exceeds the quota, the system returns a response to the sender of the API request, and logs an error message.