The Ambassador Edge Stack ships with a rate limiting service that is enabled to perform advanced rate limiting out of the box.
Configuration of the
RateLimit resources that control how
to rate limit requests can be found in the
Rate Limiting section of the documentation.
This document focuses on how to deploy and manage the rate limiting extension.
Ambassador uses the
to connect to the rate limiting extension in the Ambassador Edge Stack.
RateLimitService is named
ambassador-edge-stack-ratelimit and is
failure_mode_denyBy default, Ambassador Edge Stack will fail open when unable to communicate with the service due to it becoming unvailable or due to timeouts. When this happens the upstream service that is being protected by a rate limit may be overloaded due to this behavior. When set to
trueAmbassador Edge Stack will be configured to return a
500status code when it is unable to communicate with the RateLimit service and will fail closed by rejecting request to the upstream service.
grpccontains settings for grpc connections
use_resource_exhausted_codeBy default, Ambassador Edge Stack will return an
UNAVAILABLEgRPC code when a request is rate limited. When set to
true, this field will cause Ambassador Edge Stack will return a
RESOURCE_EXHAUSTEDgRPC code instead.
This configures Envoy to send requests that are labeled for rate limiting to the
extension process running on port 8500. The rate limiting extension will then
use that request to count against any
RateLimit whose pattern matches the
Certain use cases may require some tuning of the rate limiting extension. Configuration of this extension is managed via environment variables. The Ambassador Container has a full list of environment variables available for configuration. This document highlights the ones used by the rate limiting extension.
The rate limiting extension relies heavily on redis for writing and reading
counters for the different
The Ambassador Edge Stack shares the same Redis pool for all features that use Redis.
See the Redis documentation for information on Redis tuning.
REDIS_PERSECOND is true, a second Redis connection pool is created (to a
potentially different Redis instance) that is only used for per-second
RateLimits; this second connection pool is configured by the
variables rather than the usual
true to access support for redis clustering,
local caching, and an upgraded redis client with improved scalability in
Only available if
The AES rate limit extension can optionally cache over-the-limit keys so it does not need to read the redis cache again for requests with labels that are already over the limit.
LOCAL_CACHE_SIZE_IN_BYTES to a non-zero value with enable local
Only available if
Adjusts the ratio used by the
near_limit statistic for tracking requests that
are "near the limit".
0.8 (80%) of the limit defined in the