Rate limiting can be added to Workloads by configuring an endpoint which serves the Envoy Rate Limit project. This endpoint receives a rate limit request from a configured Workload and decides if the request should be limited.

Follow the steps below to configure your Workload with a rate limiting policy.


  • An existing Workload that requires rate limiting.
  • Review the Rate Limiting project’s README.

Configuration Steps

Envoy’s Rate Limit project is deployed as a Workload at Control Plane and requires a local Redis Workload.

Follow the steps below to download and apply a YAML manifiest file which will deploy, create, and configure:

Step One - Configure the Rate Limiting Workload

  • Download and review the YAML manifest file that will be applied.
  • Using the UI or CLI:
    • Create a GVC named ratelimit. If you choose a different GVC name, update the YAML manifest file accordingly.
    • Within that GVC, use the cpln apply command to deploy the manifest file.

The latest envoyproxy/ratelimit deployment can be obtained here.

The downloaded YAML manifest file uses the image envoyproxy/ratelimit:5b6e65da. If there is a newer tag, it can be substituted in the YAML file before executing the cpln apply command.

Step Two - Customize the Config File

The rate limit config file is stored as an opaque secret named ratelimit-config that was created when applying the YAML manifest file.

The configuration that was deployed with the manifest file sets a limit of 10 requests per minute for any request that contains an authorization header (see sample config below).

To adjust the rate limit per your requirments, use the UI or CLI to edit the ratelimit-config secret using the pattern referenced here.

Sample Config

domain: cpln
  - key: authorization
      unit: minute
      requests_per_unit: 10

After saving the updated secret, it’s recommended to perform a Force Redeploy of the ratelimit Workload to reload the config file.

Step Three - Configure Rate Limiting on a Workload

Add the following tags to enable rate limiting on the desired Workload.

  • cpln/rateLimitAddress
    • Required
    • Use the Global Endpoint of the Rate Limiting Workload that was configured in step one. This endpoint can be obtained by browsing to the Info page of the ratelimit Workload. Do not include the https:// scheme.
  • cpln/rateLimitScheme
    • Optional.
    • Default is: https:.
  • cpln/rateLimitPort
    • Optional.
    • Default is: 443.
  • cpln/rateLimitDomain
    • Optional.
    • Default is: cpln.
    • This value corresponds to the domain entry within the config file that was configured in step 2.
  • cpln/rateLimitDescriptors
    • Optional. Default is: authorization.
    • Allowed values: authorization, host, port.
    • This value corresponds to the descriptor entry within the config file that was configured in step 2.

After saving these tags and the Workload has deployed successfuly, the rate limits defined within the config file will be enforced. If a client hits the limit, an HTTP 429 (Too Many Requests) response will be returned.