Secure API Manager allows you to create limiting policies that control the number of requests to the APIs and the amount of bandwidth the APIs use for a certain period of time. Consider creating these limiting policies to ensure that the API endpoints do not receive so many requests that they no longer work. The limiting policies are associated with a specific API Gateway cluster.
As the administrator of Secure API Manager, you create a set of limiting policies that the API developers can use when they create the APIs in the Publisher. The API developers add a limiting policy when they are creating the APIs through the subscription tiers. When the API developers subscribe to the APIs, they can view the subscription tier assigned to the APIs.
By default, Secure API Manager creates and enables an unlimited policy named Unlimited. It allows unlimited requests and bandwidth to the APIs and the API endpoints. We recommend that you create limiting policies depending on your environment limits and the limits of the API endpoints. You can have only one limiting policy assigned to each API.
Secure API Manager allows you to control the number of requests to the APIs and the amount of bandwidth the APIs use for a certain period of time through limiting policies. When you configure a limiting policy, there are two options that determine the extent of the limiting effect on the APIs. These options behave differently than you might assume. The options are:
Bandwidth: Throttles the number of kilobytes in the time period specified. For example, if the requested endpoint has a large photo and you have the parameters set to 1 KB per second, Secure API Manager limits the painting of the photo to 1 KB each second.
Request Count: Secure API Manager contains a queue that stores all of the requests to the APIs and processes the requests as they occur. The queue is two times the number you specify for the request count. Each element in the queue carries a flag, which Secure API Manager marks as available or unavailable depending on the number of requests.
The request limit does not take effect until the queue is full. If a burst of requests occurs that fills the queue, Secure API Manager applies the request count and starts processing the requests according to the defined limits until all requests are processed. If no elements are available, Secure API Manager returns a 503 Service Unavailable error. The elements become available based upon the requests per time limit.
For example, if you configure 10 requests per 1 second, an element becomes available every 100 milliseconds and the queue size is 20. The following table shows how Secure API Manager processes the requests.
Time | Requests | Processed | Rejected (503 errors) | Available/Unavailable | Total Sent |
---|---|---|---|---|---|
-1 ms | 0 | 0 | 0 | 20/0 | 0 |
0 ms | 21 | 21 | 0 | 0/20 | 21 (1st request is sent so it never takes an available element) |
15 ms | 1 | 0 | 1 | 0/20 | |
99 ms | 1 | 0 | 1 | 0/20 | |
101 ms | 0 | 0 | 0 | 1/19 | |
101 ms | 1 | 0 | 0 | 0/20 | 22 |
115 ms | 1 | 0 | 1 | | |
201 ms | | | | 1/19 | |
215 ms | 1 | 1 | 0 | 0/20 | 23 |
299 ms | 1 | 0 | 1 | | |
315 ms | | | | 1/19 | 24 |
315 ms | 1 | 1 | 0 | 0/20 | |
415 ms | | | | 1/19 | |
415 ms | 1 | 1 | 0 | 0/20 | 25 |
615 ms | | | | 2/18 | |
615 ms | 1 | 1 | 0 | 1/19 | 26 |
715 ms | | | | 2/18 | |
717 ms | 1 | 1 | 0 | 1/19 | 27 |
817 ms | | | | 2/19 | |
817 ms | 1 | 1 | 0 | 1/19 | 28 |
835 ms | 45 | 1 | 44 | 0/20 | 29 |
935 ms | | | | 1/19 | |
935 ms | 2 | 1 | 1 | 0/20 | 30 |
1035 ms | | | | 1/19 | |
1036 ms | 7 | 1 | 6 | 0/20 | 31 |
1136 ms | | | | 19/1 | |
1236 ms | | | | 18/2 | |
1336 ms | | | | 17/3 | |
1436 ms | | | | 16/4 | |
1536 ms | | | | 15/5 | |
Skip | | | | | |
2036 ms | | | | 20/0 | |
2037 ms | 1 | 1 | 0 | 20/0 | |
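
The request-count behaviour described above can be modelled as a pool of elements that refills at a fixed interval. This is an added example, not Secure API Manager's own code: it assumes the release clock starts when the first element is taken, it leaves out the directly sent first request noted in the table, and the class and function names are hypothetical.

```python
class RequestCountQueue:
    """Simplified model (an assumption, not vendor code) of the request-count queue."""

    def __init__(self, limit, period_ms):
        self.capacity = 2 * limit            # queue is twice the configured request count
        self.interval = period_ms / limit    # one element is released per interval
        self.available = self.capacity
        self.next_release = None             # no release clock while the queue is idle

    def _release(self, now_ms):
        # Hand back every element whose release time has passed.
        while self.next_release is not None and now_ms >= self.next_release:
            self.available += 1
            self.next_release += self.interval
            if self.available == self.capacity:
                self.next_release = None     # every element is free again: stop the clock

    def handle(self, now_ms):
        """Return the HTTP status the model gives a request arriving at now_ms."""
        self._release(now_ms)
        if self.available == 0:
            return 503                       # no element available
        if self.next_release is None:
            self.next_release = now_ms + self.interval
        self.available -= 1
        return 200


def replay(limit, period_ms, arrivals_ms):
    """Replay arrival times (ms) against a fresh queue; return (time, status) pairs."""
    queue = RequestCountQueue(limit, period_ms)
    return [(t, queue.handle(t)) for t in sorted(arrivals_ms)]


def forwarded(limit, period_ms, arrivals_ms):
    """Count the requests the model lets through to the endpoint."""
    return sum(1 for _, status in replay(limit, period_ms, arrivals_ms) if status == 200)


if __name__ == "__main__":
    # Constructed traffic: a burst of 20 at 0 ms, then probes at times taken from the table.
    burst = [0] * 20 + [15, 99, 101, 115, 215, 299]
    print([status for _, status in replay(10, 1000, burst)][20:])
    # Constructed flood: one request every millisecond for one second.
    print(forwarded(10, 1000, range(1000)))
```

Under the constructed flood, the model forwards 29 requests in the first second of a 10-per-second policy, so choose the request count against what the endpoint tolerates in a burst, not only its steady rate.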
Access Manager Administration Console > Dashboard > API Gateway
As the Secure API Manager administrator, you are responsible for creating Limiting Policies to protect the bandwidth usage of the APIs as well as to protect the API endpoints from failing due to too many requests. You can create these policies following your organization’s policies.
Secure API Manager contains different rate-limiting policies to help control the traffic sent to the APIs and the API Gateway. There are three different types of rate-limiting policies:
Limiting Policies: These policies are per API. Secure API Manager creates and manages these policies.
Subscription Rate Policies: These policies are per subscription and per API. The API developers create and manage these policies when they create an API.
Subscription User Rate Policies: These policies are per user, per subscription, and per API. The API developers create and manage these policies when they create an API.
The Limiting Policies that you create on the API Gateway control the traffic per API. API developers select these policies when they create APIs and define the general settings. The Limiting Policies take precedence over the other types of rate-limiting policies that the API developers create. If an API developer creates a policy that allows 100,000 requests per second, and you have a policy that limits the total number of requests to 75,000 per second, the API Gateway allows a maximum of 75,000 requests per second.
You create the Limiting Policies in a specific API Gateway cluster. The Limiting Policies apply only to the APIs that are stored in that same API Gateway cluster. APIs can have only one Limiting Policy assigned to them at a time.
To create a Limiting Policy:
On the Dashboard, click the appropriate API Gateway cluster where you want the Limiting Policy applied.
On the Policy tab, click New Policy.
Use the following information to create a Limiting Policy:
Specify a unique name for the Limiting Policy and a detailed description so that the API developers know what this Limiting Policy does.
Select how Secure API Manager limits access to the APIs.
Select whether to limit access by the number of requests or by the bandwidth.
Specify the number of requests per time period, then select the time period you want to use. Read the information about the request count policy to understand how Secure API Manager processes the requests to the APIs.
Specify the number of kilobytes per time period, then select the time period you want to use. Read the information about the bandwidth policy to understand how Secure API Manager limits the bandwidth to the APIs.
If you selected Request Count, specify the maximum number of requests to the APIs that Secure API Manager allows during a certain period of time.
If you selected Bandwidth, specify the number of kilobytes that the requests to the APIs can use during a certain period of time.
Specify the amount of time during which Secure API Manager limits the requests to the APIs or the bandwidth that the APIs use in seconds, minutes, hours, or days.
Click Summary to ensure that the policy is correct.
Click OK to save the policy.
You can create as many different limiting policies as you need.