Throttling in Azure API Management
Hey everyone, recently I participated in the Azure Advent Calendar and talked about Azure API Management.
Putting a throttling plan in place is important to prevent your API from being overwhelmed by too many requests. Your API must not accept more requests than it can handle.
Azure API Management provides a way to implement a throttling plan.
- Control the rate of requests
Using the policy:
<rate-limit-by-key calls="X" renewal-period="Y" counter-key="<your-key>" />
You can restrict a client to X calls every Y minutes, with one counter per key.
- Control the total requests/data
Using the policy:
<quota-by-key calls="X" bandwidth="Y" renewal-period="Z" counter-key="<your-key>" />
You can restrict a client to X calls and a total of Y kilobytes of bandwidth per Z renewal period, with one counter per key.
- How to put a throttling plan in place
Well, there are many ways to put a throttling plan in place. You can use the client's IP address. In this example, I will control the rate of requests.
<rate-limit-by-key calls="10" renewal-period="60" counter-key="@(context.Request.IpAddress)" />
That works, but one thing is important: some clients may share the same IP address because they access the internet through a NAT device.
As I said on the Azure Advent Calendar, we can use Azure API Management to implement authentication and authorization. We can take advantage of this to implement the throttling.
Think about it: we can build a throttling plan using the token. Wait, how?
The clients provide a token in the Authorization request header so they can authenticate and be authorized to access the backend. Since the token is unique to its client, it can be used as the key of the rate limit. In this way, we avoid the shared IP address problem and put a throttling plan in place properly.
- Demo
Let's assume that my Azure API Management is already configured to do the authorization using Azure Active Directory. Azure AD issues a token (JWT) that we can validate.
I will take advantage of it, so I added a policy in the inbound section:
<rate-limit-by-key calls="30" renewal-period="60" counter-key="@(context.Request.Headers.GetValueOrDefault(&quot;Authorization&quot;, &quot;&quot;))" />
This policy means that the holder of this token may send only 30 requests per minute.
I wrote a PowerShell script that sends 40 requests in less than one minute.
Note: don't try the token, it's already dead :D
By putting the policy in place and running the script, I got:
So it sends exactly 30 requests!
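As an added illustration (not the post's own code), here is a small Python model of rate-limit-by-key, assuming the policy's documented behaviour: one counter per counter-key value, `calls` requests per `renewal-period` seconds (the demo's 60 is one minute), and HTTP 429 for the excess. It runs the NAT scenario from above under both keys and replays the demo (40 requests, one token) to show the 30 accepted requests; note that because the key is the raw header string, a client issued a fresh token gets a fresh counter, so keying on a claim from the validated JWT ties the budget to the identity rather than to the token.

```python
class RateLimitByKey:
    """Fixed-window model of <rate-limit-by-key calls=... renewal-period=... counter-key=...>.

    calls: requests allowed per key in each window
    renewal_period: window length in seconds (the demo uses 60)
    counter_key: function mapping a request to its counter key
    The real APIM counter is distributed and approximate; this is only a model.
    """
    def __init__(self, calls, renewal_period, counter_key):
        self.calls, self.renewal_period, self.counter_key = calls, renewal_period, counter_key
        self.windows = {}  # key -> (window_start, count)

    def handle(self, request, now):
        """Return 200 if the request is within budget, else 429 (what APIM answers)."""
        key = self.counter_key(request)
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.renewal_period:  # window expired: reset the counter
            start, count = now, 0
        if count >= self.calls:
            return 429  # rejected requests do not consume budget
        self.windows[key] = (start, count + 1)
        return 200


# counter-key="@(context.Request.IpAddress)"
by_ip = lambda req: req["ip"]
# counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization",""))"
by_token = lambda req: req["headers"].get("Authorization", "")


def run(limiter, requests):
    """Send the requests one second apart; return (accepted, throttled) counts."""
    codes = [limiter.handle(req, now) for now, req in enumerate(requests)]
    return codes.count(200), codes.count(429)


def nat_traffic():
    """Constructed traffic: two clients behind one NAT (same public IP), each with
    its own token, each sending 20 requests inside one minute (40 in total)."""
    return [{"ip": "203.0.113.7", "headers": {"Authorization": tok}}
            for _ in range(20) for tok in ("Bearer tokenA", "Bearer tokenB")]


def compare_keys(calls=30, period=60):
    """IP keying throttles the NAT pair as one client; token keying does not."""
    return {"ip": run(RateLimitByKey(calls, period, by_ip), nat_traffic()),
            "token": run(RateLimitByKey(calls, period, by_token), nat_traffic())}


def demo_40_requests(calls=30, period=60):
    """The post's demo: one token, 40 requests in under a minute -> 30 accepted."""
    reqs = [{"ip": "198.51.100.4", "headers": {"Authorization": "Bearer tokenA"}}] * 40
    return run(RateLimitByKey(calls, period, by_token), reqs)
```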
Bella ciao !