This use case provides Rate Limiting of traffic by using an HTTP Callout to get the designated rate tier for a Tenant API key and resource.
In general, as request load increases, compute capacity can be scaled to meet demand as needed. However, not all back-end systems are so easily scaled. Sometimes even a moderate traffic load increase for a resource-constrained service could make it unresponsive. NetScaler rate limiting can protect services through the enforcement of flexible traffic quotas. This HTTP Callout based use case is helpful where service capacity may be different among tenants and/or application resources and the rule set for when to apply rate limiting quotas is managed by an external API server.
Communication flow overview
- Client sends request for http://app1.demo.com/dtu560m5-cn4v-bqex-5vl1-9ywz4748hcji/product?itemid=3944
- NetScaler sends the tenant key, and the resource requested, to the API server which responds with the desired rate tier.
- When the client reaches its tier threshold, the NetScaler responds to the client with a 429 "Too Many Requests" response.
Configuration Steps
- Define the tenant key and resource locations
add ns expression m_api_key HTTP.REQ.URL.PATH.GET(1)
add ns expression m_resource HTTP.REQ.URL.PATH.GET(2)
- Create the rate limiting service tiers (8000 rpm, 3000 rpm, 200 rpm)
In this example, we offer 3 tiers of service, each limiting the number of requests per minute that a tenant key can make for a given resource.
Different tenants can share a rate tier because the stream selector in this example tracks each tenant's API key independently within the limit identifier.
add stream selector m_8000pm m_api_key
add ns limitIdentifier m_8000pm -threshold 8000 -timeSlice 60000 -mode REQUEST_RATE -limitType BURSTY -selectorName m_8000pm
add stream selector m_3000pm m_api_key
add ns limitIdentifier m_3000pm -threshold 3000 -timeSlice 60000 -mode REQUEST_RATE -limitType BURSTY -selectorName m_3000pm
add stream selector m_200pm m_api_key
add ns limitIdentifier m_200pm -threshold 200 -timeSlice 60000 -mode REQUEST_RATE -limitType BURSTY -selectorName m_200pm
- Create an HTTP callout.
- Configure the HTTP callout to receive the Rate Limit service tier name (aka Limit ID) based on the API key used and resource requested.
> Host: apiserver
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
<
[{
"id1": "dtu560m5-cn4v-bqex-5vl1-9ywz4748hcji",
"service": "m_200pm"
}]
- Configure a 429 response message to use when the limit is reached.
add responder action m_429 respondwithhtmlpage m_429_body -responseStatusCode 429 -reasonPhrase q{"Too Many Requests"}
- Configure the responder policies.
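add responder policy m_8000pm "SYS.HTTP_CALLOUT(m_rate_limit_query).CONTAINS(\"m_8000pm\") && SYS.CHECK_LIMIT(\"m_8000pm\")" m_429
add responder policy m_3000pm "SYS.HTTP_CALLOUT(m_rate_limit_query).CONTAINS(\"m_3000pm\") && SYS.CHECK_LIMIT(\"m_3000pm\")" m_429
add responder policy m_200pm "SYS.HTTP_CALLOUT(m_rate_limit_query).CONTAINS(\"m_200pm\") && SYS.CHECK_LIMIT(\"m_200pm\")" m_429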
- Bind the policies.
bind responder global m_3000pm 110 END -type REQ_OVERRIDE
bind responder global m_8000pm 120 END -type REQ_OVERRIDE
- View the traffic rates
- View the Cached Callout Response
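A policy only enforces its tier when the name returned by the callout, the CONTAINS() string, and the CHECK_LIMIT() identifier all agree, and when the policy is bound; any mismatch leaves that tier silently unlimited. The following check is an added example, not part of the original article or of NetScaler. It assumes the callout returns the limit identifier name, as in the JSON above, and runs over a constructed config with deliberate mistakes.

```python
import re

# Constructed sample config in the style of this page, with deliberate mistakes.
SAMPLE = r'''
add stream selector m_3000pm m_api_key
add ns limitIdentifier m_3000pm -threshold 3000 -timeSlice 60000 -mode REQUEST_RATE -limitType BURSTY -selectorName m_3000pm
add ns limitIdentifier m_200pm -threshold 200 -timeSlice 60000 -mode REQUEST_RATE -limitType BURSTY -selectorName m_200pm
add responder policy m_3000pm "SYS.HTTP_CALLOUT(m_rate_limit_query).CONTAINS(\"m3000pm\") && SYS.CHECK_LIMIT(\"m_3000pm\")" m_429
add responder policy m_200pm "SYS.HTTP_CALLOUT(m_rate_limit_query).CONTAINS(\"m_200pm\") && SYS.CHECK_LIMIT(\"m_3000pm\")" m_429
bind responder global m_3000pm 110 END -type REQ_OVERRIDE
'''

def lint(config):
    """Return a sorted list of findings for a rate-tier responder config."""
    selectors = set(re.findall(r'^add stream selector (\S+)', config, re.M))
    # limit identifier name -> stream selector it references
    limits = dict(re.findall(
        r'^add ns limitIdentifier (\S+) .*-selectorName (\S+)', config, re.M))
    bound = set(re.findall(r'^bind responder global (\S+)', config, re.M))
    # (policy name, tier string matched in callout result, limit enforced)
    policies = re.findall(
        r'^add responder policy (\S+) ".*?CONTAINS\(\\"([^"\\]+)\\"\)'
        r'.*?CHECK_LIMIT\(\\"([^"\\]+)\\"\)', config, re.M)
    findings = []
    for name, sel in limits.items():
        if sel not in selectors:
            findings.append(f"limit {name}: selector {sel} is not defined")
    for name, tier, limit in policies:
        if tier not in limits:
            findings.append(f"policy {name}: callout match '{tier}' is not a limit identifier")
        if limit not in limits:
            findings.append(f"policy {name}: CHECK_LIMIT '{limit}' is not defined")
        elif tier in limits and tier != limit:
            findings.append(f"policy {name}: matches tier '{tier}' but enforces '{limit}'")
        if name not in bound:
            findings.append(f"policy {name}: not bound, never evaluated")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
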