Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Spell-check
Excerpt

Throttling allows you to limit the number of successful hits to an API during a given period of time, typically in cases such as the following:

  • To protect your APIs from common types of security attacks such as certain types of denial of service (DOS) attacks
  • To regulate traffic according to infrastructure availability
  • To make an API, application or a resource available to a consumer at different levels of service, usually for monetization purpose

...

Subscription-level throttling tiers are also defined when managing APIs using the API Publisher portal. 

Subscription-level Throttling tiers 

The default throttling tiers are as follows:

  • Bronze: 1000 requests per minute
  • Silver: 2000 requests per minute
  • Gold: 5000 requests per minute
  • Unlimited: Allows unlimited access (you can disable the Unlimited tier by editing the <EnableUnlimitedTier> element in <ThrottlingConfigurations> node of the <APIM_HOME>/repository/conf/api-manager.xml file)

    Note

    In API Manager 2.0.0 onwards, Advanced Throttling is enabled by default with following configuration in <API-M_HOME>/repository/conf/api-manager.xml.

    Code Block
    <ThrottlingConfigurations>
            <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
         ......
    <ThrottlingConfigurations>

    If you are disabling Advanced Throttling by setting the value of <EnableAdvanceThrottling> false, Advanced Throttling is disabled and basic Throttling mechanism is enabled thereafter. In such a scenario, if you want to disable the Unlimited Throttling tier of basic Throttling configurations, you need to disable it under <TierManagement> by setting <EnableUnlimitedTier> to false.

    Code Block
    <TierManagement>        
            <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

It is also possible to specify a bandwidth per unit time instead of a number of requests. This can be done by an API Manager administrator. For information on editing the values of the existing tiers, defining new tiers and specifying a bandwidth per unit time, see adding Adding a new subscription-level throttling tier

Note

Note that when you edit an API with active subscribers, certain things like tier changes do not get automatically reflected to the subscribers. For such changes to take effect, the subscribers should resubscribe to the API and regenerate the access token.

Rate limiting (burst control)

...

For instance, if there's a subscription level policy enforced over a long period, you may not want users to consume the entire quota within a short time span. Sudden spikes in usage or attacks from users can also be handled via rate limiting. You can define a spike arrest policy when the subscription level tier is created. For more information on using rate limiting in subscription tiers, refer Adding a new subscription-level throttling tier.

Info

Spike Arrest Policy is used to protect the API backend against large number of traffic spikes and DoS attacks. Unlike setting one definite throttling tier (Quota), it helps to limit the sudden increase of number of requests at any point in time.

As an example, if we specify a quota policy as 20 requests per minute, it is possible to send all 20 requests in first few seconds in one minute so that we cannot limit it. By defining a spike arrest policy as 10 requests per second, it equally scatters the number of requests over the given one minute. Therefore, by doing rate limiting we can protect the backend from sudden spikes and DoS attacks through spike arrest policy.


For each subscription level throttle key, a WS policy is created on demand. The request count is calculated and throttling occurs at the node level. If you are using a clustered deployment, the counters are replicated across the cluster.

...

After subscription-level throttling tiers are set and the API is published, at subscription time, the consumers of the API can log in to the API Store and select which tier (out of those enabled for subscribers) they are interested in, as shown below:

 

According to the selected tiers the subscriber selects, s/he is , the subscribers are granted a maximum number of requests to the API. 

...

Advanced throttling policies are applicable on an API-level as well as on a resource-level. APIapplied when we are Publishing an API. It can be further divided into two levels according to the applicability. Those are,

  1. API-Level Throttling
  2. Resource-Level Throttling
API Level Throttling

API-level policies are defined when managing APIs using when managing APIs using the API Publisher portal, by selecting Apply per API under Advanced Throttling policies as shown below.



This will specify the maximum throttling level per minute for the API .

Resource-Level Throttling

An API is made up of one or more resources. Each resource handles a particular type of request and is analogous similar to a method (function) in a larger API. You can use this method when handling a large number of request in resource level such as Financial transactions. For example, Imagine API have two resources and one resource take more request than other you do not need to throttle it in API level in that case you can use this. Resource-level throttling tiers are set to HTTP verbs of an API's  resources when Managing APIs using the API Publisher portal as You can apply resource-level throttling through the Manage tab as shown below:

Advanced Throttling tiers

The default throttling tiers are as follows:

...

It is also possible to specify a bandwidth per unit time instead of a number of requests.  This This can be done by an through the Admin Portal of API Manager administrator. For information on editing the values of the existing tiers, defining new tiers and specifying a bandwidth per unit time, see adding Adding a new advanced throttling policy

...

An application is available to a consumer at different levels of service. For example, if you have infrastructure limitations in facilitating more than a certain number of requests to an application at a time, the throttling tiers can be set accordingly so that the application can have a maximum number of requests within a defined time.

Application-level Throttling tiers

The default throttling levels are are as follows:

  • 10KPerMin10PerMin: 10 ,000 requests per minute
  • 20KPerMin20PerMin: 20 ,000 requests per minute
  • 50KPerMin50PerMin: 50 ,000 requests per minute
  • Unlimited: Unlimited access. The Default Application, which is provided out of the box has the tier set to Unlimited. 

It is also possible to specify a bandwidth per unit time instead of a number of requests. This This can be done by an through the Admin Portal of API Manager administrator. For  For information on editing the values of the existing tiers, defining new tiers and specifying a bandwidth per unit time, see adding Adding a new application-level throttling tier.