
Solo.io
June 25, 2020

Advanced Rate Limiting Use Cases with Envoy Proxy API and Gloo API Gateway

Applications of all types, including monoliths, microservices, serverless functions, and any combination of them, often need a way for external clients and users to access them safely and securely. Because incoming requests can be numerous and varied, protecting backend services and globally enforcing business limits becomes incredibly complex when it is handled at the application level.

Rate limiting is a strategy that can prevent service outages by protecting a service from being overrun with more requests than its resources can process and respond to within the agreed service levels. Rate limits can be set to cap the number of times a service can be called (per second, minute, hour) within a specified time period (total received in a day, week, month).

Attend this session to learn how to leverage Envoy Proxy at the edge to implement advanced rate limiting use cases:
* Configure multiple rate limits per client
* Secure rate limit actions with JSON Web Tokens (JWT)
* Combine rate limits with WAF and Auth
* Gloo control plane to manage Envoy configurations

Watch the talk here https://youtu.be/wVSSfcxjLy8
About Gloo https://www.solo.io/products/gloo/
Read the docs https://docs.solo.io/gloo/latest/
Try the demos yourself https://bit.ly/2BDUpvW
Request a trial https://lp.solo.io/lp-request-a-trial-general
Questions? Join the community at https://slack.solo.io


Transcript

  1. What is Rate Limiting? (Copyright © 2020)

    Goal: Protect backend applications from failures caused by intentional and unintentional overloading of network traffic.

    Definition: Rate limiting allows for setting a limit on the amount of incoming traffic an application (API) will accept for processing. Rate limiting allows a maximum number of requests over a specific time interval, such as per second, minute, or hour, and can also have a quota.

    Example: 100 requests per second for service A
  2. Gloo API Gateway and Ingress Controller

    Next Generation API Gateway
    • Built with Envoy Proxy
    • Kubernetes and Consul Native
    • Monolith, Microservices and Serverless Functions
    • Lightweight, performant, secure

    [Diagram: the Gloo control plane pushes Envoy config to the data plane; end users reach Service 1, Service 2 and Service 3 through it]
  3. Rate Limiting with Gloo: How does it work?

    [Diagram: the Envoy proxy filter chain in the data plane, in the order shown: External Auth, Rate Limiting, gRPC Transcoder, Router, then the Upstream. The External Auth server and the Rate Limiting server sit beside the proxy, and the filter configs live in Gloo on the control plane]
  4. Advanced Rate Limiting Use Cases

    • Multiple Rate Limits Per Client ID
    • Rate Limit Traffic Prioritization on HTTP Method
    • Integrating Rate Limits with JWT
  5. Use Case: Multiple Rate Limits Per Client ID

    Granular control to protect against unplanned bursts in traffic
    • Define by remote_address
    • Use real client ID, not Kubernetes cluster or load balancer address
    • Configure one or multiple rate limits
    • Nested rate limits

    ```yaml
    spec:
      ratelimit:
        descriptors:
        - key: generic_key
          value: "per-minute"
          descriptors:
          - key: remote_address
            rateLimit:
              requestsPerUnit: 20
              unit: MINUTE
        - key: generic_key
          value: "per-second"
          descriptors:
          - key: remote_address
            rateLimit:
              requestsPerUnit: 2
              unit: SECOND
    ```
  6. Use Case: Rate Limit Prioritization by HTTP Method

    Guarantee high priority traffic when multiple types of requests enter a given service
    • Define a limit per request type
    • Critical requests will be processed before lower priority requests
    • The service will never be overloaded by the volume of lower priority requests

    ```yaml
    spec:
      ratelimit:
        descriptors:
        # allow 5 calls per minute for any unique host
        - key: remote_address
          rateLimit:
            requestsPerUnit: 5
            unit: MINUTE
        # specifically limit GET requests from unique hosts to 2 per min
        - key: method
          value: GET
          descriptors:
          - key: remote_address
            rateLimit:
              requestsPerUnit: 2
              unit: MINUTE
    ```
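To make the semantics of that nested descriptor tree concrete, here is an added Python simulation (not Gloo or Envoy code) of how a rate limit service evaluates it: each request is counted against every descriptor path it matches, and it is denied once any matching window is over its limit, so a GET is bounded by both the 5/min and the 2/min rule while a POST only sees the 5/min rule. The DESCRIPTORS tree, the RateLimiter class and the traffic in simulate() are constructed for this example.

```python
from collections import defaultdict

# Constructed transcription of the slide-6 descriptor tree, limit = (requests,
# window_seconds): 5/min per remote_address, plus 2/min per remote_address for GETs.
DESCRIPTORS = [
    {"key": "remote_address", "limit": (5, 60)},
    {"key": "method", "value": "GET",
     "descriptors": [{"key": "remote_address", "limit": (2, 60)}]},
]


class RateLimiter:
    """Fixed-window counters keyed by matched descriptor path (constructed)."""

    def __init__(self, descriptors):
        self.descriptors = descriptors
        self.counters = defaultdict(int)

    def _matches(self, descriptors, entries, path):
        """Yield (path, limit) for each tree node the request's entries match;
        a node with a fixed `value` matches only when the entry equals it."""
        for d in descriptors:
            actual = entries.get(d["key"])
            if actual is None or d.get("value", actual) != actual:
                continue
            node = path + ((d["key"], actual),)
            if "limit" in d:
                yield node, d["limit"]
            yield from self._matches(d.get("descriptors", []), entries, node)

    def check(self, entries, now):
        """Count the request against every matching limit; deny if any window
        is then over its limit (an over-limit request still consumes a slot)."""
        allowed = True
        for node, (per_unit, secs) in self._matches(self.descriptors, entries, ()):
            window = (node, now // secs)
            self.counters[window] += 1
            if self.counters[window] > per_unit:
                allowed = False
        return allowed


def simulate():
    """Replay constructed traffic; return the allow/deny decision per request."""
    rl = RateLimiter(DESCRIPTORS)
    c = "10.0.0.5"
    traffic = [(c, "GET", 0), (c, "GET", 1), (c, "GET", 2),      # 3rd GET: denied
               (c, "POST", 3), (c, "POST", 4), (c, "POST", 5),   # 6th request: denied
               ("10.0.0.6", "GET", 6),                           # other client: allowed
               (c, "GET", 60)]                                   # new window: allowed
    return [rl.check({"remote_address": ip, "method": m}, t) for ip, m, t in traffic]
```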
  7. Use Case: Integrate Rate Limiting with JWT

    Integrating additional security policies
    • Further protect services
    • Add the JWT configuration above the rate limit configuration in the YAML file
    • The JWT token must be verified prior to passing through the rate limit filter

    ```yaml
    options:
      jwt:
        providers:
          solo:
            tokenSource:
              headers:
              - header: x-token
              queryParams:
              - token
            claimsToHeaders:
            - claim: type
              header: x-type
            - claim: number
              header: x-number
            issuer: solo.io
            jwks:
              local:
                key: |
                  -----BEGIN PUBLIC KEY-----
    ```
  8. Learn More

    • LEARN MORE: solo.io/gloo
    • OPEN SOURCE: gloo.solo.io
    • ENTERPRISE TRIAL: lp.solo.io/lp-request-a-trial-general
    • TRY THE DEMOS: bit.ly/2BDUpvW
    • SOLO COMMUNITY: slack.solo.io

    Thank You!