Manual Chapter: Overview: Rate limiting API requests

Applies To:

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

Overview: Rate limiting API requests

While configuring APM as an API protection proxy, you can also establish quotas and spike arrest limits to keep API traffic within the capacity of the applications and backend API servers. This way, you can control API traffic loads based on system requirements.
In the API Protection profile, you can enforce rate limiting in the following ways:
  • Configure and enforce quota limits for API calls using configurable settings such as Client ID, User Group, Client IP address, User Name, multiple values (like User Group and User Name), or a perflow variable name.
  • Control traffic spikes by limiting the number of API requests over shorter intervals.
  • Create a whitelist or blacklist to allow or reject requests identified by key and key values.
  • Generate responses when quota, spike, or blacklist enforcement rejects API requests.
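
The following added example is a conceptual Python model, not F5 code or APM configuration, showing how the four enforcement options listed above interact for a single request. The class and function names, the order of the checks, the HTTP status codes, and the sample users and limits are assumptions made for illustration.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Conceptual model of quota + spike arrest + key lists; not APM's implementation."""

    def __init__(self, key_fields, quota, quota_period, spike_limit, spike_period,
                 whitelist=(), blacklist=()):
        self.key_fields = key_fields                  # e.g. ("user_group", "user_name")
        self.quota, self.quota_period = quota, quota_period
        self.spike_limit, self.spike_period = spike_limit, spike_period
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.windows = {}                             # key -> (window start, count)
        self.recent = defaultdict(deque)              # key -> recent accepted timestamps

    def check(self, request, now):
        """Return (status, reason). Status codes and check order are assumptions."""
        key = tuple(request[f] for f in self.key_fields)
        if key in self.whitelist:
            return 200, "allowed (whitelist)"
        if key in self.blacklist:
            return 403, "rejected (blacklist)"
        # Spike arrest: cap requests inside a short sliding interval.
        times = self.recent[key]
        while times and now - times[0] >= self.spike_period:
            times.popleft()
        if len(times) >= self.spike_limit:
            return 429, "rejected (spike arrest)"
        # Quota: cap requests inside a longer fixed period.
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.quota_period:
            start, count = now, 0
        if count >= self.quota:
            return 429, "rejected (quota)"
        self.windows[key] = (start, count + 1)
        times.append(now)
        return 200, "allowed"

def replay():
    """Replay constructed traffic: (seconds, request) pairs for two made-up users."""
    limiter = RateLimiter(("user_group", "user_name"), quota=5, quota_period=60,
                          spike_limit=2, spike_period=1,
                          blacklist={("partners", "bob")})
    alice = {"user_group": "partners", "user_name": "alice"}
    bob = {"user_group": "partners", "user_name": "bob"}
    events = [(0.0, alice), (0.1, alice), (0.2, alice), (5, alice), (10, alice),
              (15, alice), (20, alice), (20, bob), (61, alice)]
    return [limiter.check(req, t) for t, req in events]

if __name__ == "__main__":
    for result in replay():
        print(result)
```

The third request is stopped by spike arrest even though the quota has room, while the seventh arrives at a gentle pace but is stopped because the 60-second quota is spent.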
This section describes how to manually configure rate limiting within an existing API protection profile that is associated with a virtual server. For details on creating API protection profiles, refer to Protecting APIs with Access Policy Manager. For a simpler, automated setup procedure, you can instead follow the steps in the API Protection template using Guided Configuration.