Importance of rate-limiting and applying throttling policies to your APIs using WSO2 Microgateway

Chashika Weerathunga
API Integration Essentials
6 min read · Apr 8, 2020
API throttling with WSO2 API Microgateway

In this article, I will give a brief introduction to the importance of API throttling and show how to configure WSO2 Microgateway for your APIs and apply throttling policies to them.

If you are an API developer and have created economically valuable APIs, you should definitely be concerned about managing them. Many organizations also expose their APIs to the public for business purposes. At that point, attackers may try to steal sensitive information or harm the organization in whatever ways are possible. To avoid this, developers should make sure that their APIs are well secured. Applying throttling policies to your APIs is one way to secure them.

What is API throttling?

API throttling lets us control the usage of our APIs within a given time period. As an example, we can define a throttling policy that limits the total number of API requests to 1000 per minute. When the throttle limit is exceeded, further requests from consumers are automatically restricted.

Why do we need API throttling?

APIs are the main links to your backend resources, which are very important to any business. Throttling gives your resources an extra layer of protection. We can also define different levels of protection for different resources of our APIs, which gives you a chance to develop more robust and flexible APIs 😉.

Let’s see how we can apply throttling policies to our APIs. Throttling can be applied at different levels, such as Application level, Subscription level, Global level, API level, and Resource level. In this article, I will explain a way to apply API level and Resource level throttling policies.

Here I am going to use WSO2 Microgateway, a lightweight gateway distribution for APIs, to apply API throttling.

Configure WSO2 API Microgateway

(If you have already configured WSO2 Microgateway, you can skip these steps.)

Step 1 - Install prerequisites

First, make sure that you have installed Java JDK 1.8 on your system and set JAVA_HOME as an environment variable.

Step 2 - Install WSO2 API Microgateway

There are two components in WSO2 Microgateway: the Toolkit and the Runtime. You have to download both the Toolkit and the Runtime for your operating system.

You can download the Toolkit and Runtime from the WSO2 official website, and you can find more details about WSO2 API Microgateway in the WSO2 API Microgateway Documentation.

Adding APIs to the Microgateway

As mentioned earlier, there are two components in WSO2 Microgateway.

The Toolkit is a command-line interface (CLI) for managing Microgateway projects. It initializes a Microgateway project from standard API definitions and then creates the runtime artifacts.

Go into the bin folder of the Toolkit, where you can initialize a project using the following command (my project name is “petstore”).

./micro-gw init petstore

Then you will see a folder named “petstore”; the folder structure of the project looks like this.

(Figure: Project folder structure)

Then we can add OpenAPI definitions to the petstore > api_definitions folder. Here I will use a basic petstore API definition; if you want, you can use your own APIs. You can find my example definition here, at petstore_basic.yaml. Copy this .yaml file into the petstore > api_definitions folder (the .yaml file name can be anything you want, e.g. petstore_basic.yaml). Here you can see the base path is defined as /petstore/v1 (you can define whatever you want) and the production endpoint is defined as http://petstore.swagger.io/v2.

(Figure: Structure of petstore_basic.yaml)

This definition also includes two resources, /pet/{petId} and /pet/findByStatus. Here both resources are exposed through one production endpoint; if you want, you can expose different resources via different endpoints as microservices (if you define different endpoints for resources, add the endpoints under resource > get).

Adding Throttling policy

Now it’s time to add throttling. First, you have to define your throttling policy in the “policies.yaml” file (it is inside the project).

It already defines some throttling policies at different levels. Now define your policy as below in the policies.yaml file under resourcePolicies.

I added a policy of 3 requests per minute (this is only for demonstration purposes; in practice the value will be higher). Define the policy with the correct indentation. Otherwise, you will get errors when you build the project.

- 3PerMin:
    count: 3
    unitTime: 1
    timeUnit: min

Now the policies.yaml file looks like this.

(Figure: defined throttling policy)

Then you should include the policy in your API definition. Add the extension below to the .yaml file that you defined earlier in the api_definitions folder.

x-wso2-throttling-tier: 3PerMin

Now the .yaml file looks like this.

(Figure: API level)

If you want to apply this throttling policy only to a specific resource, you can include the policy as below (here I applied it only to /pet/{petId}).

(Figure: Resource level)
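To make the behaviour of a tier like 3PerMin concrete, here is an added example (my own illustration, not WSO2 code) that models a fixed-window throttling counter and the way an API-level x-wso2-throttling-tier and a resource-level one resolve for a given resource. The policies.yaml entries, the OpenAPI fragment and the timestamps are constructed inline; the 5PerMin tier, the per-resource counting and the timeUnit names other than "min" are assumptions of the model, and a throttled-out call is reported as status 429 so the sequence resembles what the "Try out the API" step shows.

```python
"""Added example (not WSO2 code): a fixed-window model of a Microgateway
throttling tier such as 3PerMin (count: 3, unitTime: 1, timeUnit: min) and of
how an API-level and a resource-level x-wso2-throttling-tier resolve.
Real Microgateway counters live in the gateway runtime; this stand-alone
simulation only shows the admit/reject pattern without a running gateway."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Seconds per timeUnit. The article only uses "min"; the other names are an
# assumption of this example, not a statement about WSO2's accepted values.
_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


@dataclass
class Tier:
    name: str
    count: int        # requests admitted per window
    unit_time: int    # window length, in units of time_unit
    time_unit: str    # one of the keys of _UNIT_SECONDS

    @property
    def window_seconds(self) -> int:
        return self.unit_time * _UNIT_SECONDS[self.time_unit]

    @classmethod
    def from_policy_entry(cls, entry: dict) -> "Tier":
        """Build a Tier from one item of the resourcePolicies list, e.g.
        {"3PerMin": {"count": 3, "unitTime": 1, "timeUnit": "min"}}."""
        (name, body), = entry.items()
        return cls(name, int(body["count"]), int(body["unitTime"]), str(body["timeUnit"]))


# Constructed policies.yaml entries: 3PerMin is the one the article defines;
# 5PerMin is invented here only to show API-level resolution.
TIERS: Dict[str, Tier] = {
    t.name: t
    for t in (
        Tier.from_policy_entry({"3PerMin": {"count": 3, "unitTime": 1, "timeUnit": "min"}}),
        Tier.from_policy_entry({"5PerMin": {"count": 5, "unitTime": 1, "timeUnit": "min"}}),
    )
}

# Constructed OpenAPI fragment mirroring petstore_basic.yaml: the API-level
# tier covers every resource; /pet/{petId} overrides it at the resource level.
PETSTORE_DEF = {
    "x-wso2-throttling-tier": "5PerMin",
    "paths": {
        "/pet/{petId}": {"get": {"x-wso2-throttling-tier": "3PerMin"}},
        "/pet/findByStatus": {"get": {}},
    },
}


def resolve_tier(api_def: dict, path: str, method: str) -> Optional[str]:
    """A resource-level x-wso2-throttling-tier wins over the API-level one;
    None means no tier is attached to that resource at all."""
    operation = api_def.get("paths", {}).get(path, {}).get(method.lower(), {})
    return operation.get("x-wso2-throttling-tier") or api_def.get("x-wso2-throttling-tier")


@dataclass
class FixedWindowThrottler:
    tiers: Dict[str, Tier]
    # (counter key, tier name) -> (window start time, requests used)
    _state: Dict[Tuple[str, str], Tuple[float, int]] = field(default_factory=dict)

    def check(self, tier_name: str, key: str, now: float) -> Tuple[bool, int]:
        """Admit or reject one request at time `now`; returns (allowed, remaining).
        The window starts at the first request and resets once it has elapsed."""
        tier = self.tiers[tier_name]
        start, used = self._state.get((key, tier_name), (now, 0))
        if now - start >= tier.window_seconds:
            start, used = now, 0            # new window
        if used >= tier.count:
            self._state[(key, tier_name)] = (start, used)
            return False, 0                 # throttled out
        used += 1
        self._state[(key, tier_name)] = (start, used)
        return True, tier.count - used


def simulate(throttler: FixedWindowThrottler, api_def: dict, path: str,
             method: str, times: List[float]) -> List[int]:
    """Replay requests at the given timestamps (seconds) against one resource
    and return a status per request: 200 when admitted, 429 when throttled out.
    Counting per resource path is this model's own choice (assumption)."""
    tier_name = resolve_tier(api_def, path, method)
    statuses = []
    for t in times:
        if tier_name is None:
            statuses.append(200)            # no tier: never throttled
            continue
        allowed, _ = throttler.check(tier_name, path, t)
        statuses.append(200 if allowed else 429)
    return statuses


if __name__ == "__main__":
    th = FixedWindowThrottler(TIERS)
    # Five calls in quick succession, then one after the minute has elapsed.
    print(simulate(th, PETSTORE_DEF, "/pet/{petId}", "GET", [0, 1, 2, 3, 4, 61]))
```

Running it prints [200, 200, 200, 429, 429, 200]: the fourth and fifth calls within the minute are throttled out under 3PerMin, and the call at 61 seconds starts a fresh window. The same throttler applied to /pet/findByStatus falls back to the API-level 5PerMin tier, so the practical consequence of the two placements of x-wso2-throttling-tier is visible side by side.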

Now we are done 😁. It’s time to create the runtime artifacts of the project.

Generate runtime artifacts

Again, go to the bin directory of the Toolkit and execute the build command as below; it will generate the runtime artifacts.

./micro-gw build petstore

The terminal output shows you the path of the generated artifacts.

(Figure: artifact path)

Now we have finished with the Toolkit; let's move to the gateway runtime.

Run the API Microgateway

Copy the path of the generated petstore.jar file, navigate to the <MGW_HOME>/bin folder, and execute the following command to start the Microgateway.

./gateway <path-to-MGW-executable-file>

In my example,

<path-to-MGW-executable-file> = /home/chashika/Documents/wso2/releases/wso2am-micro-gw-toolkit-linux-3.1.0/bin/petstore/target/petstore.jar

You have successfully added your API with throttling policies to the Microgateway and started it. Now it’s time to experience the throttling policies.

Try out the API

Open a new terminal. First, we need to get a valid token (you can use an OAuth2 token or an API key).

Here, I used an api_key for authentication. If you want, you can use basic auth or OAuth2 tokens instead.

If you want to change the authentication token type, go to your OpenAPI definition .yaml file in the api_definitions folder, change the security scheme to whatever you want, and build the project again. You can find more details about security schemes in this Documentation. In my petstore_basic.yaml, I have defined the security extension as api_key at the resource level.

Here we can obtain a valid API key from the Microgateway itself and store it in a shell variable with the following command.

TOKEN=$(curl -X GET "https://localhost:9095/apikey" -H "Authorization:Basic YWRtaW46YWRtaW4=" -k)

Then invoke the API using the following curl command.

curl -X GET "https://localhost:9095/petstore/v1/pet/1" -H "accept: application/xml" -H "api_key:$TOKEN" -k

If the call is successful, you will see output like the below in the terminal.

Try it several times in quick succession, and after a few calls you will no longer be able to access it. That means your throttling policy has been applied to your API.

If the throttle limit has been exceeded, you will see output like the below.

Congratulations! We are done now 😁. I hope you got a good understanding of API throttling and of applying throttling policies using WSO2 API Microgateway. Cheers!! See you next time 😉.

You can find the latest WSO2 API Microgateway releases on the WSO2 official website or in the wso2/product-microgateway GitHub repository.

References

WSO2 API Microgateway Documentation
