Throttling allows you to limit the number of successful hits to an API during a given period of time, typically in cases such as the following:
...
- Bronze: 1000 requests per minute
- Silver: 2000 requests per minute
- Gold: 5000 requests per minute
- Unlimited: Allows unlimited access (you can disable the Unlimited tier by editing the <EnableUnlimitedTier> element in the <ThrottlingConfigurations> node of the <APIM_HOME>/repository/conf/api-manager.xml file).

Note: From API Manager 2.0.0 onwards, Advanced Throttling is enabled by default with the following configuration in <API-M_HOME>/repository/conf/api-manager.xml.

    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        ......
    </ThrottlingConfigurations>

If you disable Advanced Throttling by setting the value of <EnableAdvanceThrottling> to false, the basic throttling mechanism is enabled instead. In that scenario, to disable the Unlimited tier of the basic throttling configuration, set <EnableUnlimitedTier> to false under <TierManagement>.

    <TierManagement>
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

It is also possible to specify a bandwidth per unit time instead of a number of requests. This can be done by an API Manager administrator. For information on editing the values of the existing tiers, defining new tiers and specifying a bandwidth per unit time, see Adding a new subscription-level throttling tier.
Note: When you edit an API with active subscribers, certain things like tier changes are not automatically reflected to the subscribers. For such changes to take effect, the subscribers should resubscribe to the API and regenerate the access token.
Rate limiting (burst control)
...
For instance, if there's a subscription level policy enforced over a long period, you may not want users to consume the entire quota within a short time span. Sudden spikes in usage or attacks from users can also be handled via rate limiting. You can define a spike arrest policy when the subscription level tier is created. For more information on using rate limiting in subscription tiers, see Adding a new subscription-level throttling tier.
Info: The Spike Arrest Policy is used to protect the API backend against large traffic spikes and DoS attacks. Unlike setting one definite throttling tier (quota), it helps to limit a sudden increase in the number of requests at any point in time. For example, if we specify a quota policy of 20 requests per minute, it is possible to send all 20 requests in the first few seconds of a minute, and the quota cannot prevent that. By defining a spike arrest policy of 10 requests per second, the number of requests is scattered evenly over the given one minute. Therefore, rate limiting through a spike arrest policy protects the backend from sudden spikes and DoS attacks.
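
The following model of the quota and spike arrest figures above (20 requests per minute, 10 requests per second) is an added example, not WSO2 API Manager code. The fixed-window counters, the class and function names, and the rule that a rejected request is not charged against the quota are assumptions of this sketch.

```python
from collections import defaultdict


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds (fixed windows)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)

    def has_room(self, t):
        return self.counts[int(t // self.window)] < self.limit

    def record(self, t):
        self.counts[int(t // self.window)] += 1


def admitted_per_second(arrivals, quota, spike=None):
    """Return {second: admitted count} for the given arrival timestamps."""
    limiters = [quota] + ([spike] if spike else [])
    served = defaultdict(int)
    for t in sorted(arrivals):
        # Admit only if every active policy has room; charge the policies
        # only for admitted requests (assumption of this model).
        if all(lim.has_room(t) for lim in limiters):
            for lim in limiters:
                lim.record(t)
            served[int(t)] += 1
    return dict(served)


# Constructed traffic: 30 requests inside the first second, then the same
# burst again one second later.
BURST = [i / 30 for i in range(30)] + [1 + i / 30 for i in range(30)]


def quota_only():
    return admitted_per_second(BURST, FixedWindowLimiter(20, 60))


def quota_with_spike_arrest():
    return admitted_per_second(
        BURST, FixedWindowLimiter(20, 60), FixedWindowLimiter(10, 1))


if __name__ == "__main__":
    print("quota only:          ", quota_only())
    print("quota + spike arrest:", quota_with_spike_arrest())
```

With the quota alone, the backend absorbs the whole minute's allowance in the first second; with spike arrest added, it never sees more than 10 requests in any one second.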
...
Application-level Throttling tiers
The default throttling levels are as follows:
- 10PerMin: 10 requests per minute
- 20PerMin: 20 requests per minute
- 50PerMin: 50 requests per minute
- Unlimited: Unlimited access. The Default Application, which is provided out of the box, has the tier set to Unlimited.
It is also possible to specify a bandwidth per unit time instead of a number of requests. This can be done through the Admin Portal of API Manager. For information on editing the values of the existing tiers, defining new tiers and specifying a bandwidth per unit time, see Adding a new application-level throttling tier.