Lab 5: Rate Limiting

Scenario

An internal application occasionally enters a temporary loop, repeatedly sending requests to a single endpoint. This degrades performance for other clients and, at times, renders the API unusable.

Implement a solution to limit the number of requests an endpoint will accept from a given client “source” within a specific time window to prevent excessive load.

Expected Lab Time: 8 minutes

Task 1: Simulate Unmitigated Excessive Requests

Currently, our Banking Application does not implement or enforce rate limiting on any specific endpoint.

In this task, you will send multiple requests to the /getallcustomers endpoint within one minute and confirm that every one of them is accepted.

  1. Using another browser tab, navigate to the following URL.

    http://<your-namespace>.lab-sec.f5demos.com/swagger
  2. Within the Swagger page, navigate and expand the customerlookup/getallcustomers endpoint, and click Try it out.

  3. Click the Execute button, and observe the Response Body (200 OK):

  4. Click the Execute button 10 times within one minute, and observe the Response Body; each request should be allowed.

Task 2: Enable API Rate-Limiting

In this task, you will enable the API Rate-Limiting feature on the HTTP Load Balancer object built earlier, which delivers the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click the three dots in the Action column, then select Manage Configuration.

  3. Click Edit Configuration in the top-right corner.

  4. Using the left-hand navigation, click the Common Security Controls link.

  5. Locate the Rate Limiting area of the Common Security Controls and use the drop-down to select API Rate Limit.

  6. In the expanded menu under API Rate Limit, click View Configuration.

  7. In the resulting window, under API Endpoints, click Configure.

  8. Within API Endpoints, select Add Item.

  9. In the resulting window, use the drop-down under API Endpoint, and click See Suggestions.

  10. In the suggestion results, use the drop-down and select the /getallcustomers endpoint.

  11. In the resulting configuration window, update the following fields, then click Apply.

    • Method List: ANY

    • Threshold: 10

    • Duration: Minute

    Note: with these values, a client is rate limited after it makes 10 requests within 1 minute.

  12. Review the API Endpoint rate limiting rule and click the Apply button.

  13. Click Apply at the API Rate Limit page.

  14. Note the updated configuration for API Rate Limiting, then select Save HTTP Load Balancer at the bottom right of the window.

Task 3: Simulate Mitigated Excessive Requests

In this task, you will send more than 10 requests within one minute and confirm that the rule configured in Task 2 blocks the requests beyond the threshold.

  1. Using another browser tab, navigate to the following URL.

    http://<your-namespace>.lab-sec.f5demos.com/swagger
    
  2. Within the Swagger page, navigate and expand the customerlookup/getallcustomers endpoint, and click Try it out.

  3. Click the Execute button more than 10 times within one minute and observe the Response Body. Each request up to and including the 10th should be accepted. Observe the Response Body once you exceed this threshold.

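To make the behaviour configured in Task 2 and verified in Task 3 concrete, here is an added example (not part of this lab and not the platform's own implementation) of a fixed-window counter keyed by client source and endpoint, using the lab's rule of 10 requests per minute on /getallcustomers with Method List ANY. The client address, request timestamps and the dict-based rule table are assumptions made for illustration.

```python
# Added example: fixed-window rate limiter mirroring the lab's rule.
# Rule table is an assumption: endpoint -> (threshold, window in seconds).
RATE_LIMITED_ENDPOINTS = {"/getallcustomers": (10, 60)}


class FixedWindowRateLimiter:
    """Counts requests per (client source, endpoint) inside a fixed window.

    Because the lab's Method List is ANY, the key ignores the HTTP method,
    so GET and POST to the same endpoint share one counter. Endpoints
    without a rule are never limited.
    """

    def __init__(self, rules):
        self.rules = rules
        self.windows = {}  # (client, endpoint) -> (window_start, count)

    def check(self, client, endpoint, now):
        """Return (allowed, detail) for one request arriving at `now` seconds."""
        rule = self.rules.get(endpoint)
        if rule is None:
            return True, "no rule for endpoint"
        threshold, window = rule
        key = (client, endpoint)
        entry = self.windows.get(key)
        if entry is None or now - entry[0] >= window:
            # First request from this source, or the previous window elapsed.
            start, count = now, 0
        else:
            start, count = entry
        if count >= threshold:
            self.windows[key] = (start, count)  # keep window; request is blocked
            return False, f"limit {threshold}/{window}s exceeded"
        self.windows[key] = (start, count + 1)
        return True, f"{count + 1}/{threshold} in window"


def simulate(limiter, client, endpoint, timestamps):
    """Replay a burst and return the allow/block decision for each request."""
    return [limiter.check(client, endpoint, t)[0] for t in timestamps]


if __name__ == "__main__":
    limiter = FixedWindowRateLimiter(RATE_LIMITED_ENDPOINTS)
    # Constructed burst: 12 clicks on Execute, 3 seconds apart, from one source.
    burst = [i * 3.0 for i in range(12)]
    print(simulate(limiter, "10.0.0.5", "/getallcustomers", burst))
    # Once the minute has elapsed the same source is accepted again.
    print(limiter.check("10.0.0.5", "/getallcustomers", 61.0))
```

Other client sources and endpoints without a rule are unaffected, which is the property that lets the limit contain a looping client without taking the API away from everyone else.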

End of Lab