Enabling Rate Limits using Envoy
This task shows you how to use Envoy’s native rate limiting to dynamically limit the traffic to an Istio service. In this task, you will apply a global rate limit for the productpage service through the ingress gateway that allows 1 request per minute across all instances of the service. Additionally, you will apply a local rate limit for each individual productpage instance that will allow 10 requests per minute. In this way, you will ensure that the productpage service handles a maximum of 1 request per minute through the ingress gateway, but each productpage instance can handle up to 10 requests per minute, allowing for any in-mesh traffic.
Before you begin
Set up Istio in a Kubernetes cluster by following the instructions in the Installation Guide.
Deploy the Bookinfo sample application.
Rate limits
Envoy supports two kinds of rate limiting: global and local. Global rate limiting uses a global gRPC rate limiting service to provide rate limiting for the entire mesh. Local rate limiting is used to limit the rate of requests per service instance. Local rate limiting can be used in conjunction with global rate limiting to reduce load on the global rate limiting service.
In this task you will configure Envoy to rate limit traffic to a specific path of a service using both global and local rate limits.
Global rate limit
Envoy can be used to set up global rate limits for your mesh. Global rate limiting in Envoy uses a gRPC API for requesting quota from a rate limiting service. A reference implementation of the API, written in Go with a Redis backend, is used below.
Use the following configmap to configure the reference implementation to rate limit requests to the path /productpage at 1 req/min and all other requests at 100 req/min.
Create a global rate limit service which implements Envoy’s rate limit service protocol. As a reference, a demo configuration can be found here, which is based on a reference implementation provided by Envoy.
Apply an EnvoyFilter to the ingressgateway to enable global rate limiting using Envoy’s global rate limit filter.
The first patch inserts the envoy.filters.http.ratelimit global envoy filter into the HTTP_FILTER chain. The rate_limit_service field specifies the external rate limit service, rate_limit_cluster in this case.
The second patch defines the rate_limit_cluster, which provides the endpoint location of the external rate limit service.
Apply another EnvoyFilter to the ingressgateway that defines the route configuration on which to rate limit. This adds rate limit actions for any route from a virtual host named *.80.
Local rate limit
Envoy supports local rate limiting of L4 connections and HTTP requests. This allows you to apply rate limits at the instance level, in the proxy itself, without calling any other service.
The following EnvoyFilter enables local rate limiting for any traffic through the productpage service.
The HTTP_FILTER patch inserts the envoy.filters.http.local_ratelimit local envoy filter into the HTTP connection manager filter chain. The local rate limit filter’s token bucket is configured to allow 10 requests/min. The filter is also configured to add an x-local-rate-limit response header to requests that are blocked.
The above configuration applies local rate limiting to all vhosts/routes. Alternatively, you can restrict it to a specific route.
The following EnvoyFilter enables local rate limiting for any traffic to port 80 of the productpage service.
Unlike the previous configuration, there is no token_bucket included in the HTTP_FILTER patch. The token_bucket is instead defined in the second (HTTP_ROUTE) patch, which includes a typed_per_filter_config for the envoy.filters.http.local_ratelimit local envoy filter, for routes to virtual host inbound|http|9080.
Verify the results
Verify global rate limit
Send traffic to the Bookinfo sample. Visit http://$GATEWAY_URL/productpage in your web browser or issue the following command:
You will see the first request go through but every following request within a minute will get a 429 response.
Verify local rate limit
Although the global rate limit at the ingress gateway limits requests to the productpage service at 1 req/min, the local rate limit for productpage instances allows 10 req/min.
To confirm this, send internal productpage requests, from the ratings pod, using the following curl command:
You should see no more than 10 req/min go through per productpage instance.