Rate limiting API requests in Azure API Management
TypeScriptRate limiting in Azure API Management (APIM) is an essential mechanism to control the rate of incoming requests to your backend services, protecting them from being overwhelmed by too many requests and ensuring equitable resource usage among consumers. This is achieved by setting policies in APIM.
Using Pulumi, you can define these policies declaratively in code, allowing you to set up rate limiting on your API endpoints. We will use the
azure-native.apimanagement.Api
resource to create an API and apply a policy to it, which will include a rate limit rule.The specific policy to enforce rate limiting is specified in XML format within the
Policy
property when defining the API or an individual operation. A common approach is to define aset-backend-service
policy to specify the backend endpoint and arate-limit-by-key
policy to apply rate limiting based on a subscription key.Below is a Pulumi program in TypeScript that sets up an APIM service and an API with a rate limit policy:
import * as pulumi from "@pulumi/pulumi"; import * as apimanagement from "@pulumi/azure-native/apimanagement"; // Create an API Management Service const apimService = new apimanagement.Service("myAPIMService", { resourceGroupName: "myResourceGroup", // Replace with your resource group name serviceName: "myAPIMServiceName", // Replace with your desired service name publisherName: "MyCompany", publisherEmail: "contact@mycompany.com", sku: { name: "Developer", // Choose an appropriate SKU capacity: 1, }, }); // Create an API within the API Management Service const api = new apimanagement.Api("myApi", { resourceGroupName: "myResourceGroup", serviceName: apimService.name, apiId: "hello-api", // Replace with your desired API identifier displayName: "Hello API", path: "hello", protocols: ["https"], }); // Apply a policy to the API to rate limit requests const policy = new apimanagement.ApiPolicy("myApiPolicy", { resourceGroupName: "myResourceGroup", serviceName: apimService.name, apiId: api.apiId, policyId: "policy", value: ` <policies> <inbound> <base /> <rate-limit-by-key calls="5" renewal-period="15" counter-key="@(context.Subscription.Id)" /> </inbound> <backend> <base /> </backend> <outbound> <base /> </outbound> <on-error> <base /> </on-error> </policies> `, }); // Export the API Management Service URL export const apimServiceUrl = apimService.properties.apply(p => `https://${p.gatewayUrl}`);
In the above program:
- We create an API Management service named
myAPIMService
in themyResourceGroup
resource group. ReplacemyResourceGroup
andmyAPIMServiceName
with appropriate values for your environment. - We define an API named
myApi
with the path/hello
. You can redefineapiId
,displayName
, andpath
to create an API with your required properties. - We define a policy
myApiPolicy
applied to the API. It includes arate-limit-by-key
clause in the XML that limits the number of calls to 5 every 15 seconds per subscription. - The
counter-key
attribute in therate-limit-by-key
tag is set to@(context.Subscription.Id)
, which means that rate limiting is done at the subscription level. Each subscription will be able to make 5 calls every 15 seconds.
When you run this Pulumi program, it will provision the described resources in your Azure account. This configuration is a basic example of rate limiting; Azure APIM allows for more nuanced and complex policies to be defined as needed. You can modify the
value
of thepolicy
resource to include the specific XML policy statements required for your API's rate limiting needs.- We create an API Management service named