Throttling allows you to limit the number of hits to an API during a given period of time, typically in cases such as the following:
- To protect your APIs from common types of security attacks such as denial of service (DoS)
- To regulate traffic according to infrastructure availability
- To make an API, application or a resource available to a consumer at different levels of service, usually for monetization purposes
...
API-level throttling tiers are defined when Managing APIs using the API Publisher portal. The UI looks as follows:
...
IP-level throttling
In IP-level throttling, you can limit the number of requests sent by a client IP (e.g., 10 calls from a single client).
- Log in to the management console and click the Resources -> Browse menu.
- Navigate to the tiers.xml file in the registry location /_system/governance/apimgt/applicationdata. Add your policy. For example, the throttling policy shown below allows only 1 API call per minute for a client from 10.1.1.1 and 2 calls per minute for a client from any other IP address.

```xml
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:throttle="http://www.wso2.org/products/wso2commons/throttle">
    <throttle:MediatorThrottleAssertion>
        <wsp:Policy>
            <throttle:ID throttle:type="IP">10.1.1.1</throttle:ID>
            <wsp:Policy>
                <throttle:Control>
                    <wsp:Policy>
                        <throttle:MaximumCount>1</throttle:MaximumCount>
                        <throttle:UnitTime>60000</throttle:UnitTime>
                    </wsp:Policy>
                </throttle:Control>
            </wsp:Policy>
        </wsp:Policy>
        <wsp:Policy>
            <throttle:ID throttle:type="IP">other</throttle:ID>
            <wsp:Policy>
                <throttle:Control>
                    <wsp:Policy>
                        <throttle:MaximumCount>2</throttle:MaximumCount>
                        <throttle:UnitTime>60000</throttle:UnitTime>
                    </wsp:Policy>
                </throttle:Control>
            </wsp:Policy>
        </wsp:Policy>
    </throttle:MediatorThrottleAssertion>
</wsp:Policy>
```
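The IP-level policy above, evaluated against sample requests. This is an added example, not part of the original page or of WSO2's code: it reads the per-IP limits out of the policy XML and applies them with one counter per client IP. The fixed-window counting, the names `load_limits` and `IpThrottle`, and the sample client addresses and timestamps are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "throttle": "http://www.wso2.org/products/wso2commons/throttle"}

# Same structure and values as the page's policy, built from a template to stay short.
ENTRY = ('<wsp:Policy><throttle:ID throttle:type="IP">{ip}</throttle:ID><wsp:Policy>'
         '<throttle:Control><wsp:Policy>'
         '<throttle:MaximumCount>{n}</throttle:MaximumCount>'
         '<throttle:UnitTime>{ms}</throttle:UnitTime>'
         '</wsp:Policy></throttle:Control></wsp:Policy></wsp:Policy>')
POLICY_XML = ('<wsp:Policy xmlns:wsp="{wsp}" xmlns:throttle="{throttle}">'
              '<throttle:MediatorThrottleAssertion>{body}'
              '</throttle:MediatorThrottleAssertion></wsp:Policy>').format(
    body=ENTRY.format(ip="10.1.1.1", n=1, ms=60000)
    + ENTRY.format(ip="other", n=2, ms=60000), **NS)


def load_limits(xml_text):
    """Return {ip_or_'other': (max_count, unit_time_ms)} from a throttle policy."""
    limits = {}
    root = ET.fromstring(xml_text)
    for entry in root.findall("throttle:MediatorThrottleAssertion/wsp:Policy", NS):
        ident = entry.find("throttle:ID", NS)
        count = entry.find(".//throttle:MaximumCount", NS)
        unit = entry.find(".//throttle:UnitTime", NS)
        if ident is None or count is None or unit is None:
            continue  # entry carries no rate limit (e.g. concurrency-only)
        if ident.get("{%s}type" % NS["throttle"]) == "IP":
            limits[ident.text.strip()] = (int(count.text), int(unit.text))
    return limits


class IpThrottle:
    """Fixed-window counter per client IP (assumed semantics, for illustration)."""

    def __init__(self, limits):
        self.limits = limits
        self.windows = {}  # ip -> (window_start_ms, hits_in_window)

    def allow(self, ip, now_ms):
        rule = self.limits.get(ip, self.limits.get("other"))
        if rule is None:
            return True  # no matching entry and no "other" catch-all
        max_count, unit_ms = rule
        start, hits = self.windows.get(ip, (now_ms, 0))
        if now_ms - start >= unit_ms:
            start, hits = now_ms, 0  # window expired, start a new one
        allowed = hits < max_count
        self.windows[ip] = (start, hits + 1 if allowed else hits)
        return allowed
```

Running a candidate policy through `load_limits` before uploading it shows which addresses fall through to the `other` entry and whether any entry is missing its count or unit time.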
How throttling tiers work
- When an API is invoked, it first checks whether the request is allowed by the application-level throttling limit. If an application has exceeded its maximum number of allowed API requests, the new request will be terminated.
- If the application-level limit is not exceeded, it then checks whether the request is allowed by the resource-level throttling limit. If that limit has been exceeded, the request will be terminated.
- If the resource-level limit is not exceeded, it finally checks whether the request is allowed by the API-level throttling limit. If the limit is not exceeded, then the request will be granted.
...
The following throttling policy allows 1000 concurrent requests to a service.
```xml
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:throttle="http://www.wso2.org/products/wso2commons/throttle"
            wsu:Id="WSO2MediatorThrottlingPolicy">
    <throttle:MediatorThrottleAssertion>
        <throttle:MaximumConcurrentAccess>1000</throttle:MaximumConcurrentAccess>
        <wsp:Policy>
            <throttle:ID throttle:type="IP">other</throttle:ID>
        </wsp:Policy>
    </throttle:MediatorThrottleAssertion>
</wsp:Policy>
```
- Start the API Manager, log in to its management console (https://localhost:9443/carbon) and click the Resource > Browse menu to view the registry.
- Click the governance/apimgt/applicationdata path to go to its detailed view.
- In the detail view, click the Resource link and upload the created policy file to the server as a registry resource.
In the management console, select the Service Bus > Source View menu.
The configurations of all APIs created in the API Manager instance open. To engage the policy with a selected API, add it to your API definition. In this example, we add it to the login API.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<api xmlns="http://ws.apache.org/ns/synapse" name="_WSO2AMLoginAPI_" context="/login">
    <resource methods="POST" url-mapping="/*">
        <inSequence>
            <send>
                <endpoint>
                    <address uri="https://localhost:9493/oauth2/token"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
    </resource>
    <handlers>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.APIThrottleHandler">
            <property name="id" value="A"/>
            <property name="policyKey" value="gov:/apimgt/applicationdata/throttle.xml"/>
        </handler>
        <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler"/>
    </handlers>
</api>
```
Note: Be sure to specify the same path used in step 3 in the policy key of your API definition.
- You have successfully engaged a throttling policy to an API.