Basic Request Rate LimitingSecurity
Not all of your endpoints are equally resilient. If you want to limit the amount of requests to a less resilient endpoint no matter the user, you can do so with basic request rate limiting.
The QoTM service deployed from the Ambassador directory exposes the routes
/qotm/limited/ can only handle as much load as is defined by the
REQUEST_LIMIT environment variable (defaults to 5), meaning that after 5 requests in a minute, the server will return a 500 error. The
/qotm/open/ endpoint, however, can handle higher loads.
You can test this by running the
ratelimit.sh script in "basic" mode which sends a request every second. After the fifth request you will see the server a 500 error.
To protect our QoTM app, we need to put a rate limit on the number of requests that are allowed to the
Install Ambassador Pro
Ambassador Pro is a commercial version of Ambassador that includes integrated Single Sign-On, powerful rate limiting, custom filters, and more. Ambassador Pro also uses a certified version of Ambassador OSS that undergoes additional testing and validation.
Clone the Ambassador Pro configuration repository
Ambassador Pro consists of a series of modules that communicate with Ambassador. The core Pro module is typically deployed as a sidecar to Ambassador. This means it is an additional process that runs on the same pod as Ambassador. Ambassador communicates with the Pro sidecar locally. Pro thus scales in parallel with Ambassador. Ambassador Pro also relies on a Redis instance for its rate limit service and several Custom Resource Definitions (CRDs) for configuration.
For this installation, we'll start with a standard set of Ambassador Pro configuration files.
git clone https://github.com/datawire/pro-ref-arch
env.sh, and add your specific license key to the
env.shfile. If you don’t have a license key, you can request a free 14-day trial key now.
Note: Ambassador Pro will not start without a valid license key.
Deploy Ambassador Pro
If you're on GKE, first, create the following
kubectl create clusterrolebinding my-cluster-admin-binding \ --clusterrole=cluster-admin \ --user=$(gcloud info --format="value(config.account)")
Then, deploy Ambassador Pro:
makecommand will use
kubectlto deploy Ambassador Pro and a basic test configuration to the cluster.
Verify that Ambassador Pro is running:
kubectl get pods | grep ambassador ambassador-79494c799f-vj2dv 2/2 Running 0 1h ambassador-pro-redis-dff565f78-88bl2 1/1 Running 0 1h
Note: If you are not deploying in a cloud environment that supports the
LoadBalancertype, you will need to change the
ambassador/ambassador-service.yamlto a different service type (e.g.,
By default, Ambassador Pro uses ports 8081 and 8082 for rate-limiting and filtering, respectively. If for whatever reason those assignments are problematic (perhaps you set service_port to one of those), you can set adjust these by setting environment variables:
GRPC_PORT: Which port to serve the RateLimitService on;
APRO_AUTH_PORT: Which port to serve the filtering AuthService on;
pro-ref-archdirectory, observe the
ambassador/05-qotm.yamlwe deployed earlier.
You will see a
labelsapplied to the
qotm_limited_mapping. This configures Ambassador to label the request with the string
qotm. We will configure Ambassador to
RateLimitoff this label.
--- apiVersion: ambassador/v1 kind: Mapping name: qotm_limited_mapping prefix: /qotm/limited/ rewrite: /limited/ service: qotm labels: ambassador: - string_request_label: - qotm
Note: There is no label applied to the
kubectl apply -f ratelimit/rl-basic.yaml
We have now configured Ambassador to limit requests containing the label
qotmto 5 requests per minute.
This is a simple bash script that sends a
cURLto http://$AMBASSADOR_IP/qotm/limited/ every second. You will notice that after the 5th request, Ambassador is returning a 429 instead of 200 to requests to the
/qotm/open/endpoint does not have the same load restrictions and therefore does not need to be rate limited.