Manual Chapter : API rate limiting: Group-based quota enforcement

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

API rate limiting: Group-based quota enforcement

This example of API rate limiting uses OAuth token validation, request classification, and branch logic based on user group. Each group signifies a different tier of the API that is sold to customers: Platinum, Gold, and Silver. All users have an unlimited number of GET requests. Within each group, each user has a limited number of POST requests.
Each group has a different API rate limiting agent. Platinum users are allowed up to 10,000 requests, Gold users up to 5,000, and Silver users up to 1,000 requests. The API protection per-request policy determines which group the request is from, determines the user ID, and adds the request to the quota tally.
To develop this example, you need to:
  • Create an API protection profile that defines the paths, servers, and responses, preferably using an OpenAPI spec file.
  • In the API protection profile, for Authorization, use OAuth 2.0.
  • On the Rate Limiting tab of the API protection profile, create an identity key called usernameandusergroup with a value of %{subsession.access_token.username} and %{subsession.access_token.usergroup}. Also create three rate limiting configurations with different Request Quota and Spike Arrest values.
  • On the Access Control tab, click Edit to see the visual representation of the per-request policy that was created.
  • In the visual policy editor, edit the policy as needed for rate limiting each branch. Create an API Rate Limiting agent for each tier and, in each agent, select the appropriate configuration and response for that tier.
Here is the example API protection per-request policy that performs different levels of rate limiting for three product tiers.

How it works

  1. Access Policy Manager receives an API request with an authorization header containing a JWT access token.
  2. The access token is extracted from the authorization header.
  3. For all API requests, the OAuth Scope agent in the subroutine validates the access token.
  4. If OAuth validation fails, the system returns an appropriate response for that API request.
  5. On successful validation of the JWT access token, the Request Classification agent classifies the API request based on its path and method.
  6. For each branch, the branch expression classifies the request based on the user group.
  7. By assigning different Rate Limiting configurations in the three API Rate Limiting agents, the policy enforces different rate limiting quotas for each user group. Each user of a given group gets an individual quota.
  8. If a user exceeds the quota, the system returns a response to the sender of the API request, and logs an error message.
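The following added example, which is not F5 code and not part of this chapter, models the setup bullets and the eight steps above as a small Python policy: it extracts the bearer token, verifies it, classifies the request by method, branches on the usergroup claim, and charges POST requests against a per-user quota keyed the same way as the usernameandusergroup identity key (username followed by usergroup). Everything specific to the simulation is an assumption: the HS256 shared secret, the make_token helper that mints sample tokens, the claim names username and usergroup, and the response codes. In APM the OAuth Scope agent performs the real token validation against the configured OAuth provider; the HMAC check here only stands in for it so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import logging
from collections import defaultdict

# Per-tier POST request quotas from the chapter (GET is unlimited for every tier).
TIER_QUOTAS = {"Platinum": 10_000, "Gold": 5_000, "Silver": 1_000}

# Constructed HMAC key for this example only; it stands in for the OAuth provider's key.
SHARED_SECRET = b"constructed-example-secret-not-for-production"

log = logging.getLogger("api-rate-limit")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, usergroup: str) -> str:
    """Mint a constructed HS256 JWT carrying the two claims the identity key reads."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"username": username, "usergroup": usergroup}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(authorization_header: str):
    """Steps 2-4: pull the bearer token from the header and check its signature.

    Returns the claims dict on success, or None if the token must be rejected.
    The alg header is pinned to HS256 so a token with 'alg: none' cannot skip the check.
    """
    scheme, _, token = authorization_header.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return None
    if not isinstance(claims, dict) or not all(k in claims for k in ("username", "usergroup")):
        return None
    return claims


class GroupQuotaPolicy:
    """Steps 5-8: classify the request, branch on usergroup, enforce a per-user quota."""

    def __init__(self, quotas=TIER_QUOTAS):
        self.quotas = quotas
        # Identity key -> POST requests consumed in the current quota window.
        # APM's Request Quota is per window; reset_window() models the window rolling over.
        self.counts = defaultdict(int)

    def reset_window(self):
        self.counts.clear()

    def handle(self, method: str, path: str, authorization_header: str):
        """Return (status, message) as the policy would answer one API request."""
        claims = validate_token(authorization_header)
        if claims is None:
            return 401, "invalid or missing access token"
        group = claims["usergroup"]
        if group not in self.quotas:  # no branch for this group: deny rather than fall open
            return 403, f"no rate limiting branch for group {group!r}"
        method = method.upper()
        if method == "GET":  # classification: GET is unlimited for every tier
            return 200, f"GET {path} allowed"
        if method != "POST":
            return 405, f"{method} not allowed on {path}"
        # Identity key built like usernameandusergroup: username followed by usergroup.
        key = f"{claims['username']}{group}"
        if self.counts[key] >= self.quotas[group]:
            log.error("quota exceeded: user=%s group=%s limit=%d path=%s",
                      claims["username"], group, self.quotas[group], path)
            return 429, "request quota exceeded"
        self.counts[key] += 1
        return 200, f"POST {path} allowed ({self.counts[key]}/{self.quotas[group]})"


if __name__ == "__main__":
    policy = GroupQuotaPolicy()
    silver = "Bearer " + make_token("alice", "Silver")
    for _ in range(1_000):
        policy.handle("POST", "/orders", silver)
    print(policy.handle("POST", "/orders", silver))  # the 1,001st POST is refused
    print(policy.handle("GET", "/orders", silver))   # GET is still allowed
```

Two design points carry over to the real policy. Each user's tally is keyed by username and group together, so a Silver user who exhausts the 1,000 POST quota does not affect any other user, and a token whose group matches no branch is denied instead of silently receiving an unlimited path. The quota check runs only after signature verification, so an unverified token never consumes or bypasses a quota.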