Gloo Gateway API (Enterprise)

Overview

Gloo Gateway includes a simplified rate limiting model that lets you cap the number of requests per configurable unit of time that can be made against all routes defined within a virtual host, or against individual routes. You can set different limits for authorized and anonymous users. An authorized user is one whose user token is included with the request and has been validated by the Gloo Gateway external authentication server. Authorized users are rate limited on a per-user basis. Anonymous users are rate limited on a per-client-IP basis, i.e., all requests arriving from the same source IP count towards the same requests-per-unit limit.

For a more fine-grained approach, see using Gloo Gateway with Envoy's native rate limiting model.

Rate Limit

Rate limits are defined in the virtual service specification, either on the virtual host as spec.virtualHost.options.ratelimitBasic or on an individual route under its options, using the following format. There is a full example later in this document that shows the rate limit configuration in context.

ratelimitBasic:
  anonymousLimits:
    requestsPerUnit: 1000
    unit: HOUR
  authorizedLimits:
    requestsPerUnit: 200
    unit: MINUTE

An example virtual service with rate limits enabled

The minimum required configuration to create a new virtual service for the example petclinic application with service-level anonymous and authorized rate limits enabled is shown below.

First, install the petclinic application.

kubectl apply \
  --filename https://raw.githubusercontent.com/solo-io/gloo/v1.2.9/example/petclinic/petclinic.yaml

Refer to the Gloo Gateway external authentication documentation on how to configure Gloo Gateway to authenticate users.

In this example, we restrict authorized users to 200 requests per minute and anonymous users to 1000 requests per hour.

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  displayName: default
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-petclinic-8080
            namespace: gloo-system
    options:
      ratelimitBasic:
        anonymousLimits:
          requestsPerUnit: 1000
          unit: HOUR
        authorizedLimits:
          requestsPerUnit: 200
          unit: MINUTE
    # extauth:
    #   oauth:
    #     # your OAuth settings here to authorize users

You can also set rate limits for only anonymous users (rate limited by remote address) or only authorized users (rate limited by user id). For example, to rate limit only anonymous users, configure just the anonymousLimits section, as follows.

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  displayName: default
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-petclinic-8080
            namespace: gloo-system
    options:
      ratelimitBasic:
        anonymousLimits:
          requestsPerUnit: 1000
          unit: HOUR

Route-level rate limits

Rate limits can be specified on individual routes within a virtual host in addition to or instead of the virtual host itself. The API for specifying the rate limits is identical to the virtual host version, with one caveat. Any routes with a specified ratelimitBasic must also specify a name at the top level of the route. These names: