This article is part of a series where we discuss the importance of API Gateways with Spring Boot and Netflix Zuul. Previous article: How to build an API-Gateway with Netflix Zuul + Spring Boot
When it comes to API Gateways, it is important to keep your services under the load they can bear. This can be done in two ways.
- Scale the services and balance load.
- Limit the rate of requests.
Both of the above are possible to implement with API Gateways, but in this article we are discussing the latter. Surprisingly, the official Netflix Zuul documentation does not cover how to implement rate limiting.
How to add rate limiting to Zuul
We found an awesome library called spring-cloud-zuul-ratelimit which you can use to easily implement rate limiting in your Spring Boot application. There are six rate limiting strategies supported by this library.
| Strategy | Description |
|---|---|
| Authenticated User | Uses the authenticated username or 'anonymous' |
| Request Origin | Uses the origin of the request |
| URL | Uses the request path of the downstream service |
| ROLE | Uses the authenticated user roles |
| Request method | Uses the HTTP request method |
| Global configuration per service | Does not validate the request origin, authenticated user or URI. To use this approach just don't set the 'type' param. |
It is also possible to combine Authenticated User, Request Origin, URL, ROLE and Request Method by adding multiple values to the list.
To start with, add the following dependency to your pom.xml:

```xml
<dependency>
    <groupId>com.marcosbarbero.cloud</groupId>
    <artifactId>spring-cloud-zuul-ratelimit</artifactId>
    <version>LATEST</version>
</dependency>
```
Then choose one of the following storage backends, which will be used by this library to keep track of the requests.
Depending on the chosen backend, you have to add a different dependency to the pom. All the dependency information can be found in their GitHub README.
Then configure the rates for each endpoint that you want to control. This can be done via either a properties file or a yml configuration. A sample yml file can be seen below. All the supported properties can be found here.
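As an added example (not the article's own configuration), the following application.yml uses the property names the library documents in its GitHub README; the route id `my-service`, the numeric limits and the `/admin` path are constructed for illustration:

```yaml
zuul:
  ratelimit:
    enabled: true
    repository: REDIS            # storage backend; its dependency must be on the classpath
    behind-proxy: true           # read the client address from X-Forwarded-For; without this,
                                 # every request behind a load balancer shares the proxy's IP
                                 # and an origin-keyed limit throttles all clients together
    add-response-headers: true   # return X-RateLimit-* headers so clients can back off
    # Applied to every route that has no entry in policy-list
    default-policy-list:
      - limit: 100               # max requests per refresh interval (assumed value)
        refresh-interval: 60     # window size in seconds
        type:
          - origin               # key the counter on the client address
    # Per-route policies; 'my-service' is an assumed route id
    policy-list:
      my-service:
        # Combined key: one counter per user + origin + path
        - limit: 10
          quota: 1000            # max cumulative request time per window (seconds)
          refresh-interval: 60
          type:
            - user
            - origin
            - url
        # Tighter limit that only matches POSTs under /admin (assumed path)
        - limit: 5
          refresh-interval: 60
          type:
            - url=/admin
            - http_method=post
```

Policies under `policy-list` take precedence over `default-policy-list` for their route, and several policies on one route are all evaluated, so the strictest matching one decides when the 429 is returned.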
When one of the endpoints reaches its configured rate limit, the gateway automatically responds with HTTP status 429 Too Many Requests for subsequent requests until the rate comes back within the allowed range. This prevents the underlying service from being overloaded at peak times or under a DoS attack.