azure, azure-devops, wso2-api-manager, azure-api-management, api-throttling

How can we achieve a Global Rate Limiting with Azure API Management Service while using multiple APIM Service for High Availability?


How can we achieve a Global Rate Limiting with Azure API Management Service while using multiple APIM Services for High Availability across paired regions in round robin fashion (50/50 traffic split), as the Rate Limit config/policy is local to each APIM?

For example, we are using 2 Azure APIM Services, one in East US 2, another in Central US, with a 50/50 traffic split (round robin) to each APIM Service, for better HA. The rate limit policy applied per client is 2 API calls per minute, which is local to each APIM Service. Now the client might end up making 4 API calls within a minute before hitting the throttling limit, if the requests are split between the APIMs in 2 different regions. In such a case, how can we achieve a global rate limit of 2 API calls per minute for a caller/client?

Did not find any option in Azure to achieve this yet.


Solution

  • Yes, using a shared caching system like Azure Cache for Redis or Azure Cosmos DB to achieve global rate restriction is one method.

    • Using a third-party API management system that supports global rate restriction is an alternative, easier method. There are third-party programmes available that can limit rates globally for a variety of APIM services.
    • Using the rate-limit-by-key policy, you can implement global rate restriction with Azure API Management Service. With the help of this policy, you may define expressions that designate the keys used to monitor traffic flow. As a rate limiting key, you can utilise the client IP address or the user identity to identify the user. By utilising the same key for all requests, you can then implement the rate restriction policy globally across all APIM services. By doing this, the rate limit will be upheld in all APIM services and locations. Below is the sample policy statement from the MS document:
    <rate-limit-by-key calls="number"
                       renewal-period="seconds"
                       increment-condition="condition"
                       increment-count="number"
                       counter-key="key value" 
                       retry-after-header-name="custom header name, replaces default 'Retry-After'" 
                       retry-after-variable-name="policy expression variable name"
                       remaining-calls-header-name="header name"  
                       remaining-calls-variable-name="policy expression variable name"
                       total-calls-header-name="header name"/>
    
    • The other possible way: utilising a single APIM service with multiple regions is preferable to utilising numerous APIM services. By using Azure Traffic Manager or Azure Front Door, you may achieve high availability while the rate limit policy is imposed globally.
    • Reference MS document
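
The scenario from the question, as an added example that is not part of the original question or answer and is not APIM code: two gateways behind a round-robin split enforce 2 calls per 60 seconds, first with a counter local to each region and then with one shared counter, the shared-cache approach the answer lists first. `CounterStore`, `Gateway`, `simulate`, the `rl:` key format and the sample timestamps are hypothetical names and constructed data; the in-memory store stands in for a cache such as Redis.

```python
import itertools


class CounterStore:
    """In-memory stand-in for a counter store (hypothetical). A shared cache
    exposing an atomic increment with expiry gives the same semantics."""

    def __init__(self):
        self._counts = {}

    def incr(self, key):
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key]


class Gateway:
    """One regional gateway enforcing `calls` per `renewal_period` seconds."""

    def __init__(self, region, store, calls=2, renewal_period=60):
        self.region, self.store = region, store
        self.calls, self.renewal_period = calls, renewal_period

    def handle(self, client_id, now):
        # Fixed window: every request in the same period hits one counter key.
        window = int(now // self.renewal_period)
        count = self.store.incr(f"rl:{client_id}:{window}")
        return 200 if count <= self.calls else 429


def simulate(shared, timestamps, client_id="client-a"):
    """Send requests round robin (50/50) to two regions; return status codes."""
    if shared:
        store = CounterStore()  # one counter visible to both regions
        stores = [store, store]
    else:
        stores = [CounterStore(), CounterStore()]  # counter local to each region
    gateways = [Gateway("eastus2", stores[0]), Gateway("centralus", stores[1])]
    rr = itertools.cycle(gateways)
    return [next(rr).handle(client_id, t) for t in timestamps]


# Constructed sample: six calls from one client within a minute, one in the next.
SAMPLE = [0, 5, 10, 15, 20, 25, 61]

if __name__ == "__main__":
    print("local counters:", simulate(False, SAMPLE))
    print("shared counter:", simulate(True, SAMPLE))
```

With a real shared cache, the increment and the key expiry have to be a single atomic operation, and each gateway needs a defined behaviour (allow or reject) for when the cache in the other region is unreachable.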