Rate limiting can be added to Workloads by configuring an endpoint which serves the Envoy Rate Limit project. This endpoint receives a rate limit request from a configured Workload and decides if the request should be limited.
Follow the steps below to configure your Workload with a rate limiting policy.
Envoy's Rate Limit project is deployed as a Workload at Control Plane and requires a local Redis Workload.
Follow the steps below to download and apply a YAML manifiest file which will deploy, create, and configure:
ratelimit
. If you choose a different GVC name, update
the YAML manifest file accordingly.The latest envoyproxy/ratelimit
deployment can be obtained here.
The downloaded YAML manifest file uses the image envoyproxy/ratelimit:5b6e65da
. If there is a newer tag, it can be substituted in
the YAML file before executing the cpln apply
command.
The rate limit config file is stored as an opaque secret
named ratelimit-config
that was created when applying the YAML manifest file.
The configuration that was deployed with the manifest file sets a limit of 10 requests per minute for any
request that contains an authorization
header (see sample config below).
To adjust the rate limit per your requirments, use the UI or CLI to edit the ratelimit-config
secret using the pattern
referenced here.
Sample Config:
copydomain: cplndescriptors:- key: authorizationrate_limit:unit: minuterequests_per_unit: 10
NOTE: After saving the updated secret, it's recommended to perform a Force Redeploy
of the ratelimit
Workload to reload the
config file.
Add the following tags to enable rate limiting on the desired Workload.
cpln/rateLimitAddress
Global Endpoint
of the Rate Limiting Workload that was configured in step one. This endpoint
can be obtained by browsing to the Info
page of the ratelimit
Workload. Do not include the https://
scheme.cpln/rateLimitScheme
https:
.cpln/rateLimitPort
443
.cpln/rateLimitDomain
cpln
.cpln/rateLimitDescriptors
authorization
.authorization
, host
, port
.After saving these tags and the Workload has deployed successfuly, the rate limits defined within the config file will be enforced. If a client hits the limit, an HTTP 429 (Too Many Requests) response will be returned.