From 69b1dd8b3cb2aede9e915eb1524d977f2ceb94f7 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Mon, 25 Dec 2023 18:42:28 +0800 Subject: [PATCH] local rate limit user doc Signed-off-by: huabing zhao --- .../{rate-limit.md => global-rate-limit.md} | 13 +- .../en/latest/user/local-rate-limit.md | 283 ++++++++++++++++++ 2 files changed, 293 insertions(+), 3 deletions(-) rename site/content/en/latest/user/{rate-limit.md => global-rate-limit.md} (96%) create mode 100644 site/content/en/latest/user/local-rate-limit.md diff --git a/site/content/en/latest/user/rate-limit.md b/site/content/en/latest/user/global-rate-limit.md similarity index 96% rename from site/content/en/latest/user/rate-limit.md rename to site/content/en/latest/user/global-rate-limit.md index f74fbc4f6a22..0ddab96725ef 100644 --- a/site/content/en/latest/user/rate-limit.md +++ b/site/content/en/latest/user/global-rate-limit.md @@ -1,5 +1,5 @@ --- -title: "Rate Limit" +title: "Global Rate Limit" --- Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. @@ -10,13 +10,19 @@ Here are some reasons why you may want to implement Rate limits * To prevent applications and its resources (such as a database) from getting overloaded. * To create API limits based on user entitlements. -Envoy Gateway supports [Global rate limiting][], where the rate limit is common across all the instances of Envoy proxies where its applied +Envoy Gateway supports two types of rate limiting: [Global rate limiting][] and [Local rate limiting][]. + +[Global rate limiting][] applies rate limits to the traffic flowing through all the instances of Envoy proxies where its applied i.e. if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, this limit is common and will be hit if 5 requests pass through the first replica and 5 requests pass through the second replica within the same second. Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their rate limit intent. This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. +**Note:** Limit is applied per route. Even if a [BackendTrafficPolicy][] targets a gateway, each route in that gateway +still has a separate rate limit bucket. For example, if a gateway has 2 routes, and the limit is 100r/s, then each route +has its own 100r/s rate limit bucket. + ## Prerequisites ### Install Envoy Gateway @@ -192,7 +198,7 @@ Get the Gateway's address: export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') ``` -Lets query `ratelimit.example/get` 4 times. We should receive a `200` response from the example Gateway for the first 3 requests +Let's query `ratelimit.example/get` 4 times. We should receive a `200` response from the example Gateway for the first 3 requests and then receive a `429` status code for the 4th request since the limit is set at 3 requests/Hour for the request which contains the header `x-user-id` and value `one`. @@ -818,6 +824,7 @@ kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system ``` [Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting [BackendTrafficPolicy]: https://gateway.envoyproxy.io/latest/api/extension_types.html#backendtrafficpolicy [Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit [EnvoyGateway]: https://gateway.envoyproxy.io/latest/api/config_types.html#envoygateway diff --git a/site/content/en/latest/user/local-rate-limit.md b/site/content/en/latest/user/local-rate-limit.md new file mode 100644 index 000000000000..7de6ef42cd1c --- /dev/null +++ b/site/content/en/latest/user/local-rate-limit.md @@ -0,0 +1,283 @@ +--- +title: "Local Rate Limit" +--- + +Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + +Here are some reasons why you may want to implement Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +Envoy Gateway supports two types of rate limiting: [Global rate limiting][] and [Local rate limiting][]. + +[Local rate limiting][] applies rate limits to the traffic flowing through a single instance of Envoy proxy. This means +that if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, each replica will allow +10 requests/second. This is in contrast to [Global Rate Limiting][] which applies rate limits to the traffic flowing through +all instances of Envoy proxy. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their rate limit intent. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. + +**Note:** Limit is applied per route. Even if a [BackendTrafficPolicy][] targets a gateway, each route in that gateway +still has a separate rate limit bucket. For example, if a gateway has 2 routes, and the limit is 100r/s, then each route +has its own 100r/s rate limit bucket. + +## Prerequisites + +### Install Envoy Gateway + +* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Rate Limit Specific User + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. + +```shell +cat <