Manual Chapter : Adding API Rate Limiting to a per-request policy

Applies To:


  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

Adding API Rate Limiting to a per-request policy

Because the API Rate Limiting agent enforces rate limiting configurations developed in an API protection profile, you must create the profile first. The profile must include at least one rate limiting configuration and any responses you want to use.
When you create an API protection profile, the system automatically develops a per-request policy based on the settings you provided. You can edit the per-request policy to add an API Rate Limiting agent at specific points to enforce rate limiting, spike control, whitelists, and blacklists for each API request.
  1. On the Main tab, click API Protection.
  2. In the Per-Request Policy column of the API protection profile, click
    The visual policy editor opens the per-request policy in a separate screen.
  3. On a policy branch, in the location where you want to enforce rate limiting, click
    For example, if the policy includes Classify API Request (RCA), the Request Classification Agent, you may want to apply different levels of rate limiting to different classes of requests and would click the
    after that agent.
    The API Rate Limiting agent has to be located in the main policy branch (or macro) and never in a subroutine.
    A popup screen displays actions on tabs and provides a search field.
  4. On the Traffic Management tab, select API Rate Limiting, then click Add Item.
    The API Rate Limiting agent opens.
  5. For
    , use the default name for the action that appears in the API protection per-request policy (API Rate Limiting, by default).
  6. For Enforce Blacklist and Enforce Whitelist, select
    In the agent, blacklists are enabled by default. Whitelists are disabled.
    If enabled, requests identified in the blacklist are sent to the fallback branch and trigger the selected response.
  7. To optionally specify a
    , select one of the responses that were previously developed on the Responses tab of the API protection profile.
  8. Add at least one Rate Limiting Configuration:
    1. Click Add New Entry.
    2. From the Rate Limiting Configuration list, select a configuration previously developed on the Rate Limiting tab of the API protection profile.
    3. To assign a weight to API requests identified by this rate limiting configuration, type a number (greater than 0 and less than the quota and spike limit). By default, the weight of every request is 1.
      If you assign more than one rate limiting configuration, you can give one of them a higher weight, for example, to control the amount of support provided to different applications.
    4. To add more configurations, repeat the previous steps. At that point, you can use the arrows on the right to order the configurations for use in the per-request policy.
  9. By default, a successful branch and a fallback branch are created. You can adjust the branching, if needed.
  10. At the bottom of the screen, click
An API Rate Limiting agent is created in the per-request policy, and it will limit the number of requests to the API server protected by this policy. Results of rate limiting are set in the
perflow variable.
Refer to the rate limiting use cases for examples of how you can apply rate limiting to each request in a per-request policy.
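
The following Python model is an added example, not F5 code and not part of the original manual. It illustrates how the per-request weight from step 8 interacts with a quota and a spike limit, and how an enforced blacklist sends a request to the fallback branch. The class and function names, the accounting rule (each request consumes `weight` units) and all sample values are assumptions made for illustration.

```python
# Added example: simplified model, not BIG-IP APM code. Assumption: each
# request consumes `weight` units from a quota (per period) and from a
# spike limit (per shorter window).
from dataclasses import dataclass


@dataclass
class RateLimitConfig:
    name: str
    quota: int           # units allowed per quota period
    spike_limit: int     # units allowed per spike window
    weight: int = 1      # default weight of every request is 1
    used_quota: int = 0
    used_spike: int = 0

    def __post_init__(self):
        # Step 8.3: weight is greater than 0 and less than quota and spike limit.
        if not 0 < self.weight < min(self.quota, self.spike_limit):
            raise ValueError(f"{self.name}: invalid weight {self.weight}")

    def admit(self) -> bool:
        over_quota = self.used_quota + self.weight > self.quota
        over_spike = self.used_spike + self.weight > self.spike_limit
        if over_quota or over_spike:
            return False
        self.used_quota += self.weight
        self.used_spike += self.weight
        return True


def branch(client, cfg, blacklist=frozenset(), enforce_blacklist=True):
    """Return the policy branch taken: 'successful' or 'fallback'."""
    if enforce_blacklist and client in blacklist:
        return "fallback"  # blacklisted requests go to the fallback branch
    return "successful" if cfg.admit() else "fallback"


def simulate(cfg, per_window, windows, client="client-a"):
    """Count requests admitted across spike windows within one quota period."""
    admitted = 0
    for _ in range(windows):
        cfg.used_spike = 0  # a new spike window starts
        for _ in range(per_window):
            admitted += branch(client, cfg) == "successful"
    return admitted


if __name__ == "__main__":
    # Constructed values: same limits, different weights.
    print(simulate(RateLimitConfig("light", 100, 10, weight=1), 20, 12))
    print(simulate(RateLimitConfig("heavy", 100, 10, weight=5), 20, 12))
```

With identical limits, the configuration with weight 5 admits one fifth as many requests as the one with weight 1, which is the lever for giving different applications different shares of the API server's capacity.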