2.6 Configure the Limiting Policies for the APIs

Secure API Manager allows you to create limiting policies that control the number of requests to the APIs and the amount of bandwidth the APIs use for a certain period of time. You should consider creating these limiting policies to ensure that the API endpoints do not receive so many requests that they no longer work. The limiting policies are associated with a specific API Gateway cluster.

2.6.1 Understand the Limiting Policies for the APIs

As the administrator of Secure API Manager, you create a set of limiting policies that the API developers can use when they create the APIs in the Publisher. The API developers add a limiting policy when they are creating the APIs through the subscription tiers. When the API developers subscribe to the APIs, they can view the subscription tier assigned to the APIs.

By default, Secure API Manager creates and enables an unlimited policy named Unlimited. It allows unlimited requests and bandwidth to the APIs and the API endpoints. We recommend that you create limiting policies depending on your environment limits and the limits of the API endpoints. You can have only one limiting policy assigned to each API.

Through limiting policies, Secure API Manager allows you to control the number of requests to the APIs and the amount of bandwidth the APIs use for a certain period of time. When you configure a limiting policy, two options determine how the APIs are limited. These options behave differently than you might assume. The options are:

  • Bandwidth: Throttles the number of kilobytes in the time period specified. For example, if the requested endpoint has a large photo and you have the parameters set to 1 KB per second, Secure API Manager limits the painting of the photo to 1 KB each second.

  • Request Count: Secure API Manager contains a queue that stores all of the requests to the APIs and processes the requests as they occur. The queue is two times the number you specify for the request count. Each element in the queue contains a flag, and Secure API Manager marks the flag as available or unavailable depending on the number of requests.

    The request limit does not take effect until the queue is full. If a burst of requests occurs that fills the queue, Secure API Manager applies the request count and starts processing the requests according to the defined limits until all requests are processed. If no elements are available, Secure API Manager returns a 503 Service Unavailable error. The elements become available based upon the requests per time limit.

    For example, if you configure 10 requests per 1 second, an element becomes available every 100 milliseconds and the queue size is 20. The following table shows how Secure API Manager processes the requests.

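    | Time | Requests | Processed | Rejected (503 errors) | Available/Unavailable | Total Sent |
    |---|---|---|---|---|---|
    | -1 ms | 0 | 0 | 0 | 20/0 | 0 |
    | 0 ms | 21 | 21 | 0 | 0/20 | 21 (1st request is sent so it never takes an available element) |
    | 15 ms | 1 | 0 | 1 | 0/20 | |
    | 99 ms | 1 | 0 | 1 | 0/20 | |
    | 101 ms | 0 | 0 | 0 | 1/19 | |
    | 101 ms | 1 | 0 | 0 | 0/20 | 22 |
    | 115 ms | 1 | 0 | 1 | | |
    | 201 ms | | | | 1/19 | |
    | 215 ms | 1 | 1 | 0 | 0/20 | 23 |
    | 299 ms | 1 | 0 | 1 | | |
    | 315 ms | | | | 1/19 | 24 |
    | 315 ms | 1 | 1 | 0 | 0/20 | |
    | 415 ms | | | | 1/19 | |
    | 415 ms | 1 | 1 | 0 | 0/20 | 25 |
    | 615 ms | | | | 2/18 | |
    | 615 ms | 1 | 1 | 0 | 1/19 | 26 |
    | 715 ms | | | | 2/18 | |
    | 717 ms | 1 | 1 | 0 | 1/19 | 27 |
    | 817 ms | | | | 2/19 | |
    | 817 ms | 1 | 1 | 0 | 1/19 | 28 |
    | 835 ms | 45 | 1 | 44 | 0/20 | 29 |
    | 935 ms | | | | 1/19 | |
    | 935 ms | 2 | 1 | 1 | 0/20 | 30 |
    | 1035 ms | | | | 1/19 | |
    | 1036 ms | 7 | 1 | 6 | 0/20 | 31 |
    | 1136 ms | | | | 19/1 | |
    | 1236 ms | | | | 18/2 | |
    | 1336 ms | | | | 17/3 | |
    | 1436 ms | | | | 16/4 | |
    | 1536 ms | | | | 15/5 | |
    | Skip | | | | | |
    | 2036 ms | | | | 20/0 | |
    | 2037 ms | 1 | 1 | 0 | 20/0 | |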
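The request-count behavior described above can be explored with a small model, added here as an example and not taken from Secure API Manager. It assumes a queue of twice the count whose elements free up one per (time period / count), and it counts every request against an element, so it admits 20 of the initial 21 requests where the table shows 21; the class and function names are hypothetical.

```python
class RequestCountModel:
    """Simplified model of the request-count queue; not Secure API Manager code."""

    def __init__(self, count, period_ms):
        self.capacity = 2 * count            # queue holds twice the request count
        self.interval = period_ms / count    # one element frees up per interval
        self.available = self.capacity
        self.last_ms = 0.0                   # time of the last element release

    def handle(self, now_ms, requests):
        """Return (processed, rejected) for `requests` arriving at now_ms."""
        if self.available == self.capacity:
            self.last_ms = now_ms            # idle queue: release clock starts now
        else:
            freed = int((now_ms - self.last_ms) // self.interval)
            freed = min(freed, self.capacity - self.available)
            self.available += freed
            if self.available == self.capacity:
                self.last_ms = now_ms
            else:
                self.last_ms += freed * self.interval
        processed = min(requests, self.available)
        self.available -= processed
        return processed, requests - processed   # rejected ones would get a 503


def replay(count, period_ms, arrivals):
    """Replay (time_ms, requests) pairs; return (time_ms, processed, rejected)."""
    model = RequestCountModel(count, period_ms)
    return [(t, *model.handle(t, n)) for t, n in arrivals]


# Constructed input: arrival times and sizes taken from the first rows of the table.
TABLE_ARRIVALS = [(0, 21), (15, 1), (99, 1), (101, 1), (115, 1), (215, 1)]
# Constructed input: a sustained flood of 100 requests every 100 ms for one second.
FLOOD = [(t, 100) for t in range(0, 1000, 100)]

if __name__ == "__main__":
    for t, ok, rejected in replay(10, 1000, TABLE_ARRIVALS):
        print(f"{t:>5} ms  processed={ok:<3} rejected(503)={rejected}")
    admitted = sum(ok for _, ok, _ in replay(10, 1000, FLOOD))
    print(f"flood: {admitted} requests reached the endpoint in the first second")
```

In this model a policy of 10 requests per second still lets 29 requests reach the endpoint during the first second of a flood, so choose the count against what the endpoint can absorb in a burst as well as its sustained rate.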

     

2.6.2 Create the Limiting Policies for the APIs

Select Access Manager Administration Console > Dashboard > API Gateway

As the Secure API Manager administrator, you are responsible for creating limiting policies to protect the bandwidth usage of the APIs as well as protect the API endpoints from failing due to too many requests. You can create these policies following your organization’s policies. The API developers might ask you to create specific limiting policies.

By default, Secure API Manager creates an Unlimited policy that the API developers can use. You create the limiting policies in a specific API Gateway cluster. The limiting policies apply only to the APIs that are stored in that same API Gateway cluster. APIs can have only one limiting policy assigned to them at a time.

To create a limiting policy:

  1. On the Dashboard, click the appropriate API Gateway cluster where you want the limiting policy applied.

  2. On the Policy tab, click New Policy.

  3. Use the following information to create a limiting policy:

    Name

    Specify a unique name for the limiting policy and a detailed description so the API developers know what this limiting policy does.

    Quota

    Select how Secure API Manager limits access to the APIs.

    Type

    Select whether to limit access by the number of requests or by the bandwidth.

    Request Count

    Specify the number of requests per time period, then select the time period you want to use. Read the information about the request count policy to understand how Secure API Manager processes the requests to the APIs.

    Bandwidth

    Specify the number of kilobytes per time period, then select the time period you want to use. Read the information about the bandwidth policy to understand how Secure API Manager limits the bandwidth to the APIs.

    Count

    If you selected Request Count, specify the maximum number of requests that Secure API Manager allows to the APIs during a certain period of time.

    If you selected Bandwidth, specify the number of kilobytes that the requests to the APIs can use during a certain period of time.

    Time Period

    Specify the length of time, in seconds, minutes, or hours, over which Secure API Manager limits the requests to the APIs or the bandwidth that the APIs use.

  4. Click Summary to ensure that the policy is correct.

  5. Click OK to save the policy.

You can create as many different limiting policies as you need.