Lab 1.6 - Implement Rate Limiting

The API Protection Profile allows a BIG-IP administrator to throttle the number of connections to an API through the use of Key Names.

Task 1 - Test access pre-ratelimiting

  1. From Postman, Select the request GET-Retrieve User Attributes-JWT-Pass

image42

  1. Click Save, so the current token is saved as part of the API request.

image88

  1. Click Runner located in the left corner

image89

  1. Expand the API Protection collection

image90

  1. Deselect all requests except GET-Retrieve User Attributes-JWT-Pass
  2. Set the iterations to 100
  3. Click Run API Protection

image91

  1. You receive a 200 OK for every request. Leave Runner open.

image92

Task 2 - Define the rate limiting keys

  1. Navigate to API Protection >> Profile. Click Profile to modify the previously created API protection Profile (not the + (Plus) symbol, which would create a new one).

image48

  1. Click api-protection

image64

  1. Click Rate Limiting from the top ribbon

image69

Note

By default, the API protection profile contains five Key Names, but their values are empty. Additional keys can be created if necessary.

  1. Click api-protection_auto_rate_limiting_key1

image70

  1. Enter the Key Value %{subsession.oauth.scope.last.jwt.user}
  2. Click Edit

image71

  1. Click api-protection_auto_rate_limiting_key2
  2. Enter the Key Value %{subsession.oauth.scope.last.jwt.groupid}
  3. Click Edit

image73

  1. Click api-protection_auto_rate_limiting_key3
  2. Enter the Key Value %{subsession.oauth.scope.last.jwt.client}
  3. Click Edit

image75

  1. Click api-protection_auto_rate_limiting_key4
  2. Enter the Key Value %{subsession.oauth.scope.last.jwt.tier}
  3. Click Edit

image77

  1. Click api-protection_auto_rate_limiting_key5
  2. Enter the Key Value %{subsession.oauth.scope.last.jwt.org}
  3. Click Edit

image79

  1. Click Save

image80

Task 3 - Create a Rate Limiting Policy

  1. Click Create in the rate limiting section

image81

  1. Enter the Name acme-rate-limits
  2. Move all five keys under Selected Keys
  3. Enter 10 for the number of requests per minute
  4. Enter 5 for the number of requests per second
  5. Click Add.

image82

  1. Click Save

image83

Task 4 - Apply the Rate Limiting Policy

  1. Click Rate Limiting from the ribbon

image93

  1. Click Edit Per Request Policy

image94

  1. Click the + (Plus Symbol) on the Out branch of the OAuth Scope Check AuthZ Macro

image95

  1. Click the Traffic Management tab
  2. Select API Rate Limiting
  3. Click Add Item

image96

  1. Click Add new entry
  2. Select acme-rate-limits
  3. Click Save

image97

  1. Verify the Rate Limiting agent now appears in the appropriate location

image98

Task 5 - Test Rate Limiting

  1. From Postman, return to Runner

image89

  1. Click Retry to rerun the request an additional 100 times.

image103

  1. On the 6th request you begin to receive a 429 Too Many Requests response status code.

image99
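To make the behaviour observed in Task 5 concrete, the following Python simulation models the policy built in Tasks 2 and 3: the five key values resolve to the `user`, `groupid`, `client`, `tier` and `org` claims of the JWT, the acme-rate-limits policy combines all five into one composite key, and the limits are 5 requests per second and 10 per minute. This is an added, stand-alone example, not BIG-IP code and not part of the lab; the JWT is a constructed, unsigned test token (signature checking is assumed to have already happened at the OAuth Scope Check), the claim values are made up, and the sliding-window counting (only accepted requests are recorded) is a modelling assumption rather than a statement about how BIG-IP counts internally.

```python
import base64
import json
from collections import defaultdict, deque

# The five claim names the lab's key values point at, i.e. the <claim> in
# %{subsession.oauth.scope.last.jwt.<claim>} for key1..key5.
RATE_LIMIT_CLAIMS = ("user", "groupid", "client", "tier", "org")

# Limits entered for acme-rate-limits in Task 3.
REQUESTS_PER_SECOND = 5
REQUESTS_PER_MINUTE = 10


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the simulation only.

    Signature verification is out of scope here: in the lab the token has
    already passed the OAuth Scope Check before the rate-limiting agent runs.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def rate_limit_key(claims: dict) -> tuple:
    """Composite key from all five selected claims (a missing claim counts as empty)."""
    return tuple(str(claims.get(name, "")) for name in RATE_LIMIT_CLAIMS)


class SlidingWindowLimiter:
    """Per-key limiter enforcing both a per-second and a per-minute ceiling.

    Modelling assumption: only accepted requests are recorded, so a burst of
    rejected requests does not extend the throttling.
    """

    def __init__(self, per_second: int, per_minute: int) -> None:
        self.per_second = per_second
        self.per_minute = per_minute
        self._accepted = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, key: tuple, now: float) -> int:
        """Return the HTTP status the request would get: 200 or 429."""
        window = self._accepted[key]
        while window and now - window[0] >= 60:
            window.popleft()  # drop entries older than the one-minute window
        in_last_second = sum(1 for t in window if now - t < 1)
        if in_last_second >= self.per_second or len(window) >= self.per_minute:
            return 429
        window.append(now)
        return 200


def run_requests(limiter: SlidingWindowLimiter, token: str, timestamps) -> list:
    """Replay one token's requests at the given timestamps and collect statuses."""
    key = rate_limit_key(jwt_claims(token))
    return [limiter.check(key, t) for t in timestamps]


def first_throttled(statuses: list):
    """1-based index of the first 429, or None if nothing was throttled."""
    return next((i + 1 for i, s in enumerate(statuses) if s == 429), None)


def simulate_runner(token: str, count: int = 100, interval: float = 0.01) -> list:
    """Approximate Postman Runner: `count` back-to-back requests with one token."""
    limiter = SlidingWindowLimiter(REQUESTS_PER_SECOND, REQUESTS_PER_MINUTE)
    return run_requests(limiter, token, [i * interval for i in range(count)])


# Constructed claims; the values are made up for the simulation.
ALICE = make_test_jwt({"user": "alice", "groupid": "g1", "client": "postman", "tier": "gold", "org": "acme"})
BOB = make_test_jwt({"user": "bob", "groupid": "g1", "client": "postman", "tier": "gold", "org": "acme"})

if __name__ == "__main__":
    statuses = simulate_runner(ALICE)
    print("first 429 at request", first_throttled(statuses))  # 6, as in Task 5
    print("total 429s out of 100:", statuses.count(429))
```

Running the simulation with Runner-style back-to-back requests reproduces the lab result: the per-second ceiling admits five requests and the sixth is answered 429. Spacing the same token's requests one second apart instead shows the per-minute ceiling taking over at the eleventh request, and a second token whose `user` claim differs gets its own counter, which is the point of keying on the JWT claims rather than on the source address.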