API Throttling

-

 API throttling is the process of limiting the number of API requests a user can make in a certain period. An application programming interface (API) functions as a gateway between a user and a software application. For example, when a user clicks the post button on social media, the button click triggers an API call.

If you are creating the API, it can be used by many clients. Sometimes some of the clients consume the API frequently without any limit. But if you want to limit consuming the API for a particular client within a certain time, then you can achieve it by Rate Limiting

Why do we need Rate Limiting?

  • Rate Limiting helps us to protect against malicious bot attacks. For example, a hacker can use bots to make repeated requests to an API endpoint. Due to the number of repeated requests, resulting in will be service unavailable for others. This is called as the Denial of Service (DoS) attack. So, the rate limiting helps us from the DoS attack.
  • Another use of the rate limiting is to regulate traffic to the API.

We can implement the rate limiting using AspNetCoreRateLimit NuGet Package

To configure the rate limiting to use in-memory persistence, add the following lines to the ConfigureServices() method in Startup class

builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(builder.Configuration.GetSection("IpRateLimiting"));
builder.Services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
builder.Services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
builder.Services.AddSingleton<IProcessingStrategy, AsyncKeyLockProcessingStrategy>();
builder.Services.AddInMemoryRateLimiting();


Let’s add the configuration for the IP rate limit in the application’s appsettings.json file:

"IpRateLimiting": {
"EnableEndpointRateLimiting": true,
"StackBlockedRequests": false,
"RealIPHeader": "X-Real-IP",
"ClientIdHeader": "X-ClientId",
"HttpStatusCode": 429,
"GeneralRules": [
{
"Endpoint": "GET:/Locations",
"Period": "5s",
"Limit": 2
}
]
}

Add the following lines to the Configure() method in Startup class

app.UseIpRateLimiting();

In the above code, the option EnableEndpointRateLimiting is set as true to ensure that limit is applied to specific endpoints (here /GetLocations) rather than all endpoints. If EnableEndpointRateLimiting is set to false then the limits will apply globally and only rules that have as endpoint * will apply.

The RealIpHeader is used to extract the client IP when your Kestrel server is behind a reverse proxy, if your proxy uses a different header, then X-Real-IP uses this option to set it up.

The ClientIdHeader is used to extract the client id for whitelisting, if a client id is present in this header and matches a value specified in ClientWhitelist then no rate limits are applied.

The rate limiting rules are set in the GeneralRules section. In the above example, the rule specifies that for the endpoint GET:/Location with an HTTP verb GET, allow only 2 requests in a time window of 5 seconds.

The format for the Endpoint setting is flexible as it supports pattern matching. For example, *:/Locations/* will apply the rate-limiting rule to all the endpoints irrespective of the HTTP verb and having the term “Locations” in its route.


Press F5 to run the API locally and to launch the Swagger UI just hit the http://localhost:<port_number>/swagger/index.html URL in the browser. The Swagger UI for the above controller looks as follows



Execute the Locations endpoint. You will get below response. The API endpoint returns result along with three response headers, related to rate-limiting



  • x-rate-limit-limit - It shows the rate limit time window
  • x-rate-limit-remaining - The remaining number of requests for the API endpoint for that particular time window. 
  • x-rate-limit-reset - It displays the time stamp for resetting the limit rules.

If you hit the above endpoint more than 2 times within 5 seconds (rate-limiting rules are violated) then failure response (status code is 429) will be returned. The headers has retry-after: 3 which means the client to retry after 3 seconds to avoid the violation of rate-limiting rules















Comments

Post a Comment

Popular posts from this blog

Email Sending through O365 using OAuth Protocol

-
  Microsoft Office365 EWS servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol. Using OAUTH protocol, user can do authentication by Microsoft Web OAuth instead of inputting user and password directly in application Microsoft / Office 365 OAuth + EWS We can use the OAuth authentication service provided by Azure Active Directory to enable our application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with our application we need to register application on Azure Active directory and other steps also we need to do to get the access token back. Below are the steps   To use Microsoft/Office365 OAUTH in your application, you must create an application in  https://portal.azure.com . Sign into the Azure portal using either a work or school account or a personal Microsoft account. If your account gives you access to more than one tenant, select your account in the top right corn
Read more

IISRESET vs App Pool Recycling ?

-
Image
 I think most IIS administrators know IISRESET command, and why they use it. One of possible reasons can be to restart IIS services to initialize web applications, or to apply some changes of applications & IIS settings .There’re just a few conditions those need your IISRESET command. In most situations, you don’t need this. I have a concern if you always run this command for applying any changes, or release system resource – memory – regularly, or frequently. Because it’s much more cost than what you really need to take – there’re side effects Recycling App Pool’ has been introduced from IIS6 in Windows2003. It’s designed to restart only application pools(=worker processes). It can be done in a command prompt(run ‘IISAPP /?’ in a command prompt for details), as well as in the IIS manager What IISRESET does? When you run IISRESET, many things will happen. In order to understand them, I think I need to show you how IIS looks like – about IIS core components. The below shows you role
Read more

Deploy .Net6.0 Web api with docker

-
Image
  What is Docker? Docker is a containerization platform, meaning that it enables you to package your applications into images and run them as “containers” on any platform that can run Docker. It negates the classic: “It works on my computer” argument as Docker images contain everything needed for the app to run. Are Containers the same as Virtual Machines? They are similar, but not the same. In short: Virtual Machines provide OS Level Virtualization Containers provide App Level Virtualization This concept is depicted below: Why Would You Use it? In short you would use Docker, (and hence containers), for the following reasons: Portability.  As containers are self- contained  they can run on any platform that runs Docker, making them easy to stand up and run on a wide variety of platforms. Scalability.  With the use of additional “orchestration” you can spin up multiple container instances to support increased load. Performance.  Containers generally perform better than their VM counterp
Read more