Advanced Rate Limiting with Envoy Proxy API and Gloo June 25, 2020

2 | Copyright © 2020 What is Rate Limiting? Goal Protect backend applications from failures caused by intentional and unintentional overloading of network traffic. Definition Rate limiting allows for setting a limit to the amount of incoming traffic an application (API) can accept for processing responses. Rate limiting allows a max number of requests over a specific time interval like per second, minute, or hour and can also have a quota. Example: 100 requests per second for service A

3 | Copyright © 2020 Gloo API Gateway and Ingress Controller ENVOY CONFIG CONTROL PLANE DATA PLANE END USERS Service 1 Service 2 Next Generation API Gateway • Built with Envoy Proxy • Kubernetes and Consul Native • Monolith, Microservices and Serverless Functions • Lightweight, performant, secure Service 3

4 | Copyright © 2020 Rate Limiting with Gloo: How does it work? EXTERNAL AUTH RATE LIMITING gRPC TRANSCODER ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER DATA PLANE CONTROL PLANE ENVOY PROXY FILTERS CONFIGS IN GLOO

5 | Copyright © 2020 Advanced Rate Limiting Use Cases Multiple Rate Limits Per Client ID Rate Limit Traffic Prioritization on HTTP Method Integrating Rate Limits with JWT

6 | Copyright © 2020 Use Case: Multiple Rate Limits Per Client ID Granular control to protect against unplanned bursts in traffic • Define by remote_address • Use real client ID, not Kubernetes cluster or load balancer address • Configure one or multiple rate limits • Nested rate limits spec: ratelimit: descriptors: - key: generic_key value: "per-minute" descriptors: - key: remote_address rateLimit: requestsPerUnit: 20 unit: MINUTE - key: generic_key value: "per-second" descriptors: - key: remote_address rateLimit: requestsPerUnit: 2 unit: SECOND

7 | Copyright © 2020 Use Case: Rate Limit Prioritization by HTTP Method Guarantee high priority traffic when multiple types of requests enter a given service • Define a limit per request type • Critical request will be processed before the lower priority request • Service will never be overloaded by volume of lower priority requests spec: ratelimit: descriptors: # allow 5 calls per minute for any unique host - key: remote_address rateLimit: requestsPerUnit: 5 unit: MINUTE # specifically limit GET requests from unique hosts to 2 per min - key: method value: GET descriptors: - key: remote_address rateLimit: requestsPerUnit: 2 unit: MINUTE

8 | Copyright © 2020 Use Case: Integrate Rate Limiting with JWT Integrating additional security policies • Further protect services • Add JWT configuration above the rate limit configuration in the yml file • JWT token must be verified prior to passing through rate limit filter options: jwt providers: solo: tokenSource: headers: - header: x-token queryParams: - token claimsToHeaders: - claim: type header: x-type - claim: number header: x-number issuer: solo.io jwks: local: key: | -----BEGIN PUBLIC KEY-----

9 | Copyright © 2020 Gloo Open Source and Enterprise Features

10 | Copyright © 2020 Companies Using Gloo Read their stories at www.solo.io/customers

11 | Copyright © 2020 LEARN MORE solo.io/gloo OPEN SOURCE gloo.solo.io ENTERPRISE TRIAL lp.solo.io/lp-request-a-trial-general TRY THE DEMOS bit.ly/2BDUpvW SOLO COMMUNITY slack.solo.io Thank You!