11436 SSO

Tutorial: Adding a Request Quota to your Apigee-127 API

Dec 02, 2014

So now you’ve done it. You went and built yourself an API with Apigee-127. All that’s left is to put it out there in the wild and let the requests flow, right? In a perfect world, sure. In a perfect world, a developer would never load test against your API, traffic would never unexpectedly spike from an app gone awry, and it would be unheard of for a malicious user to DDoS your API.

Alas, we live in a pretty good world, but it’s far from perfect. So, in this latest post in our Apigee-127 blog series, let’s talk about API management, in particular applying an API request quota.

What’s a quota and why do I want it?

Thanks to Apigee’s open-source Volos project, Apigee-127 gives you the ability to easily apply a variety of different API management features to your API. When building your API, one of the first of these you’ll want to consider configuring is quota. Simply put, a quota policy limits the number of requests your Apigee-127 API will process within a given timespan. All requests that exceed the quota are automatically rejected by the API.

So why is quota one of the first things we need to look at when building an API, whether from scratch or with Apigee-127? The simple answer is security. It’s a cold, dark world out there, and limiting the number of requests your API will process within a given timespan is an important safeguard against attacks that can overwhelm your API, or worse yet bring down the server it runs on. There are, of course, less malicious reasons why your API could suddenly experience a sharp increase in traffic, but regardless of the cause, it’s critically important to understand how much load your server can safely handle, and to ensure traffic is never allowed to rise above a critical threshold.

So use quota. It’s not just a good feature, it’s a good idea.

Configuring a quota

Luckily, setting up a request quota in Apigee-127 is dead simple. First, we configure a quota in the "x-volos-resources" block of our Swagger yaml file:

        provider: <volos_provider>
            timeUnit: <time_unit>
            interval: <interval_to_apply_quota>
            allow: <number_of_requests_to_allow>

Here’s an example of a complete quota definition:

        provider: volos-quota-apigee
            timeUnit: minute
            interval: 3
            allow: 100


There are several options we can configure for our quota policy: 

1. quota_name: The name of our quota definition. This can be anything you want, and allows you to define multiple quota policies within a single API, then apply them to the desired routes by name. More on applying quota policies later.

2. Provider: Where our quota settings will be stored. Apigee-127 supports the following providers:

  • volos-quota-memory
  • volos-quota-apigee
  • volos-quota-redis

There is no inherent advantage to choosing one quota provider over another. Which you choose is a design decision, and should usually be based on what provider you are using for other services, such as OAuth and caching. For example, if you are deploying your Apigee-127 API to Apigee, then it makes sense to also use Apigee as your quota provider.

3. timeUnit: The unit of time used to measure our quota. For example, if we set this to "minutes" our quota will be applied at an interval measured in minutes. Allowed values are: millisecond, second, minute, hour, day, week.

4. interval: The amount of time to apply our quota for, measured in the specified time unit. For example, the quota definition above will apply our quota to all requests received in 3 minute intervals.

5. allow: The number of requests to allow during the specified time interval. So in our example above, our quota policy allows the API to handle 100 requests every 3 minutes.

Applying a quota

Applying a quota is even easier than configuring it. Just add the following to any route in the "x-volos-apply" block of our Swagger yaml file, where <quota_name> is the name we specified in "x-volos-resource":

    <quota_name>: {}

That’s it! For more on applying API management features in Apigee-127, check out our blog post on using caching, and visit our Apigee-127 YouTube playlist

Photo: Sami/Flickr

Microservices Done Right

Next Steps


Resources Gallery