Global Rate Limiting
Suppose you've announced a major Black Friday sale. Generally, ecommerce platforms generate 300% more sales on Black Friday. But if your database starts to fail under the increased load, the degraded performance can impact your conversion numbers. Or worse, your website can fail completely. To mitigate performance issues as quickly as possible while you work to scale your backend, you can use rate limiting.
Ambassador Pro's rate limiting integrates with the authentication and filter system. Suppose our authentication system sets an HTTP header of x-limited-user: true once a user has successfully authenticated. We can then set a global rate limit for all requests that contain this HTTP header. In this example, we'll set this rate limit to 10 requests per minute, which makes manual testing easy.
Install Ambassador Pro
Ambassador Pro is a commercial version of Ambassador that includes integrated Single Sign-On, powerful rate limiting, custom filters, and more. Ambassador Pro also uses a certified version of Ambassador OSS that undergoes additional testing and validation.
Clone the Ambassador Pro configuration repository
Ambassador Pro consists of a series of modules that communicate with Ambassador. The core Pro module is typically deployed as a sidecar to Ambassador. This means it is an additional process that runs on the same pod as Ambassador. Ambassador communicates with the Pro sidecar locally. Pro thus scales in parallel with Ambassador. Ambassador Pro also relies on a Redis instance for its rate limit service and several Custom Resource Definitions (CRDs) for configuration.
For this installation, we'll start with a standard set of Ambassador Pro configuration files.
git clone https://github.com/datawire/pro-ref-arch
Open env.sh and add your specific license key to the env.sh file. If you don't have a license key, you can request a free 14-day trial key now.
Note: Ambassador Pro will not start without a valid license key.
Deploy Ambassador Pro
If you're on GKE, first create the following cluster role binding:
kubectl create clusterrolebinding my-cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud info --format="value(config.account)")
Then, deploy Ambassador Pro. The make command will use kubectl to deploy Ambassador Pro and a basic test configuration to the cluster.
Verify that Ambassador Pro is running:
kubectl get pods | grep ambassador
ambassador-79494c799f-vj2dv          2/2   Running   0   1h
ambassador-pro-redis-dff565f78-88bl2 1/1   Running   0   1h
Note: If you are not deploying in a cloud environment that supports the LoadBalancer service type, you will need to change the service in ambassador/ambassador-service.yaml to a different service type.
By default, Ambassador Pro uses ports 8081 and 8082 for rate limiting and filtering, respectively. If for whatever reason those assignments are problematic (perhaps you set service_port to one of those), you can adjust them by setting environment variables:
GRPC_PORT: Which port to serve the RateLimitService on;
APRO_AUTH_PORT: Which port to serve the filtering AuthService on;
In the pro-ref-arch directory, look at the ambassador Module configuration in ambassador/03-ambassador-service.yaml that we deployed earlier.
You will see a default_labels section set in the config. This configures Ambassador to label every request through Ambassador with the value of the x-limited-user header, so the rate limiting service can check it.
---
apiVersion: ambassador/v1
kind: Module
name: ambassador
config:
  enable_grpc_web: True
  default_label_domain: ambassador
  default_labels:
    ambassador:
      defaults:
      - x_limited_user:
          header: "x-limited-user"
          omit_if_not_present: true
Configure the global rate limit
kubectl apply -f ratelimit/rl-global.yaml
This configures Ambassador's rate limiting service to look for the x_limited_user label and, if it is set to true, limit the requests to 10 per minute.
Test the rate limit
We provide a simple way to test that this global rate limit is working. Run the simple shell script ratelimit-test.sh in "global" mode to send requests to the httpbin endpoints. You will see, after a few requests, that requests that set x-limited-user: true are returned a 429 by Ambassador after 10 requests, but requests with x-limited-user: false are allowed.
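The following Python model is an added example written for this page, not Ambassador Pro's own rate limit service. It ties together the two pieces described above: the default_labels block that copies the x-limited-user header into the x_limited_user label (omitting the label when the header is absent), and the global limit of 10 requests per minute that applies only when that label equals "true". It reproduces what ratelimit-test.sh observes (200s, then 429s after the tenth limited request in a minute, while unlimited requests keep passing). The fixed-window counter and the 60-second reset are assumptions made for illustration; the page only states the 10-per-minute limit.

```python
"""Model of header -> label derivation and a global 10 req/min limit.

Added illustration for this page; it is not Ambassador Pro code. The
fixed-window counting used here is an assumption, chosen because it is
the simplest algorithm that yields the 10-per-minute behaviour described.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

LIMIT = 10            # requests allowed per window (10 per minute on the page)
WINDOW_SECONDS = 60   # one-minute window (assumed fixed window)


def derive_labels(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the default_labels block: x_limited_user takes the value of the
    x-limited-user header and is omitted if the header is not present."""
    labels: Dict[str, str] = {}
    value = headers.get("x-limited-user")
    if value is not None:          # omit_if_not_present: true
        labels["x_limited_user"] = value
    return labels


class GlobalRateLimiter:
    """Counts requests per (descriptor, window) and rejects over-limit ones.

    Only requests whose x_limited_user label is exactly "true" are counted;
    everything else passes untouched, matching the page's description.
    """

    def __init__(self, limit: int = LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.counts: Dict[Tuple[str, str, int], int] = defaultdict(int)

    def decide(self, labels: Dict[str, str], now: float) -> int:
        """Return the HTTP status Ambassador would answer: 200 or 429."""
        if labels.get("x_limited_user") != "true":
            return 200                     # no matching descriptor: not limited
        window_index = int(now // self.window)
        key = ("x_limited_user", "true", window_index)
        self.counts[key] += 1
        return 200 if self.counts[key] <= self.limit else 429


def simulate(requests: List[Tuple[float, Dict[str, str]]]) -> List[int]:
    """Run a sequence of (timestamp, headers) through a fresh limiter and
    return the status code for each request, in order."""
    limiter = GlobalRateLimiter()
    return [limiter.decide(derive_labels(headers), ts) for ts, headers in requests]


if __name__ == "__main__":
    # Constructed sample traffic: 12 limited requests inside one minute,
    # 12 unlimited ones, and one limited request after the window rolls over.
    limited = [(float(i), {"x-limited-user": "true"}) for i in range(12)]
    unlimited = [(float(i), {"x-limited-user": "false"}) for i in range(12)]
    next_minute = limited[:11] + [(61.0, {"x-limited-user": "true"})]
    print("limited:    ", simulate(limited))
    print("unlimited:  ", simulate(unlimited))
    print("new window: ", simulate(next_minute))
```

Running the module prints the status sequence for each scenario: the limited stream gets ten 200s followed by 429s, the unlimited stream and requests without the header are never rejected, and a limited request arriving after the minute boundary is accepted again. Swapping the fixed window for a different algorithm only changes decide(); the label derivation stays the same.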
Don't leave your website performance at risk for sudden spikes in traffic. To quickly enable global rate limiting on your website, get started with a free 14-day trial of Ambassador Pro, or contact sales today.