Ambassador Logo

Version:

Pre-releaseLatest1.121.111.101.91.81.71.61.51.41.3

Search the Docs

Rate Limiting in Ambassador Edge Stack

The Basic Configuration Objects

Rate limits in Ambassador Edge Stack are composed of two parts:

  • Labels applied to requests (a label is basic metadata that is used by the rate limiting service).
  • RateLimits that set limits based on the labels in the request

Labels

Edge Stack supports three types of labels:

  • generic_key which is a simple string
  • remote_address which is the value of the client IP address, assuming the load balancer configuration is set correctly
  • a custom type that can forward the value of a header to Ambassador for rate limiting

Global vs service-level rate limits

Edge Stack supports both global and service-level rate limits via two different labeling mechanisms.

  • Labels applied in the ambassador Module are "global" and applied to every single request that goes through Ambassador; these labels are typically managed by operations
  • Labels applied at the Mapping are at the service-level and applied only to the requests that use that Mapping

An example service-level rate limit

The following Mapping resource will add the {"generic_key": "default_generic_key_label"} to every request to the foo-app service:

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: foo-app
spec:
  prefix: /foo/
  service: foo
  labels:
    ambassador:
      - label_group:
        - foo-app_generic_key_label

You can then create a default rate limit on every request that matches this label:

---
apiVersion: getambassador.io/v2
kind: RateLimit
metadata:
  name: default-rate-limit
spec:
  domain: ambassador
  limits:
   - pattern: [{generic_key: "default_generic_key_label"}]
     rate: 10
     unit: minute

Tip: For testing purposes, it is helpful to configure per-minute rate limits before switching the rate limits to per second or per hour.

Request Labels

Mappings can have multiple labels which annotate a given request. 

---
apiVersion: getambassador.io/v2
kind:  Mapping
metadata:
  name:  catalog
spec:
  prefix: /catalog/
  service: catalog
  labels:
    ambassador:
      - string_request_label:         # a specific request label group
        - catalog                     # annotate the request with the string `catalog`
      - header_request_label:
        - headerkey:                  # The name of the label
            header: ":method"         # annotate the request with the specific HTTP method used
            omit_if_not_present: true # if the header is not present, omit the label
      - multi_request_label_group:
        - authorityheader:
            header: ":authority"
            omit_if_not_present: true
        - xuserheader:
            header: "x-user"
            omit_if_not_present: true

Let's digest the above example:

  • Request labels must be part of the ambassador label domain.
  • Each label must have a name, e.g., one_request_label
  • The string_request_label simply adds the string catalog to every incoming request to the given mapping. The string is referenced with the key generic_key.
  • The header_request_label adds a specific HTTP header value to the request, in this case, the method. Note that HTTP/2 request headers must be used here (e.g., the host header needs to be specified as the :authority header).
  • Multiple labels can be part of a single named label, e.g., multi_request_label specifies two different headers to be added
  • When an HTTP header is not present, the entire named label is omitted. The omit_if_not_present: true is an explicit notation to remind end-users of this limitation. false is not a supported value.

Ambassador Edge Stack supports several special labels:

  • remote_address automatically populates the remote IP address using the trusted IP address from X-Forwarded-For
  • request_headers: HEADER will extract the value from a given HTTP header
  • destination_cluster populates the name of the Envoy cluster. Typically, there is a 1:1 correspondence between a service in a Mapping to a destination_cluster. You can get the name of the cluster from the diagnostics service.
  • source_cluster populates the name of the originating cluster (e.g., the Envoy listener).

Note: In Envoy, labels are referred to as descriptors.

Grouping

Labels can be grouped. This allows for a single request to count against multiple different RateLimit resources. For example, imagine the following scenario:

  1. Users should be limited on the total number of requests that can be sent to a set of endpoints
  2. On a specific service, stricter limits are desirable

The following Mapping resources could be configured:

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: foo-app
spec:
  prefix: /foo/
  service: foo
  labels:
    ambassador:
      - foo-app_label_group:
        - foo-app
      - total_requests_group:
        - remote_address
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: bar-app
spec:
  prefix: /bar/
  service: bar
  labels:
    ambassador:
      - bar-app_label_group:
        - bar-app
      - total_requests_group:
        - remote_address

Now requests to the foo-app and the bar-app would be labeled with {{"generic_key": "foo-app"},{"remote_address", 10.10.11.12}} and {{"generic_key": "bar-app"},{"remote_address", 10.10.11.12}}, respectively. Rate limits on these two services could be created as such:

---
apiVersion: getambassador.io/v2
kind: RateLimit
metadata:
  name: foo-rate-limit
spec:
  domain: ambassador
  limits:
   - pattern: [{generic_key: "foo-app"}]
     rate: 10
     unit: second
---
apiVersion: getambassador.io/v2
kind: RateLimit
metadata:
  name: bar-rate-limit
spec:
  domain: ambassador
  limits:
   - pattern: [{generic_key: "bar-app"}]
     rate: 20
     unit: second
---
apiVersion: getambassador.io/v2
kind: RateLimit
metadata:
  name: user-rate-limit
spec:
  domain: ambassador
  limits:
   - pattern: [{remote_address: "*"}]
     rate: 100
     unit: minute

Global labels and groups

Global labels are prepended to every single label group. In the above example, if the following global label was added in the ambassador Module:

—--
apiVersion: getambassador.io/v2
kind: Module
metadata:
  name: ambassador
spec:
  config:
    default_label_domain: ambassador
    default_labels:
      ambassador:
        defaults:
        - default

The labels metadata would change from: {{"generic_key": "foo-app"},{"remote_address", 10.10.11.12}} and {{"generic_key": "bar-app"},{"remote_address", 10.10.11.12}} to: {{"generic_key": "default", "generic_key": "foo-app"},{"generic_key": "default", "remote_address", 10.10.11.12}} and {{"generic_key": "default", "generic_key": "bar-app"},{"generic_key": "default", "remote_address", 10.10.11.12}} and thus our RateLimits would need to change to appropriately handle the new labels.

Questions?

We’re here to help. If you have questions, join our Slack or contact us.