Configure rate limiting with Google Cloud Armor

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

This document describes how you can apply fairshare rate limiting to yourCloud Service Mesh clients, helping you manage fair consumption of yourservices and prevent malicious or misbehaving clients from overloading yourservices.

The configuration process requires you to create a Cloud Armor securitypolicy and an endpoint policy. If you aren't familiar with Cloud Armorsecurity policies, we recommend that you read theSecurity policy overview.

How rate limiting works

Rate limiting restricts the number of requests that your service canreceive from clients within a specified time interval in order to improve theavailability of your service and fairly share available capacity among clients.The request threshold, interval, and action that Cloud Armor applies toincoming traffic that exceeds the rate limit threshold is user configurable. ForCloud Service Mesh rate limiting, Cloud Armor uses thesecurity policy typeCLOUD_ARMOR_INTERNAL_SERVICE and security policy rulesuse thefairshare action.

Each Cloud Armor security policy contains one or more rules. Each ruleconsists of a match condition and an action. When a request meets the matchcondition, Cloud Armor applies the configured action to the request.When you configure rate limiting, you create a security policy rule withone of the rate limiting actions mentioned previously, and whatever matchcondition fits your use case (including matching on all incoming requests withthe flag--src-ip-ranges "*"). Rules within a policy are evaluated in priorityorder. The rule with the lowest numerical priority has the highest logicalpriority and is evaluated first. Cloud Armor performs server-side ratelimiting, which means that the server enforces the rate limit rather than theclient device.

Rate limiting actions have additional fields that you use to fine-tune the ratelimit threshold. The following fields are shared among all rate limiting rules:

• rate_limit_threshold_count: the number of requests per user-configured timeinterval over which Cloud Armor must apply rate limiting.
• interval_sec: the time interval, in seconds, forrate_limit_threshold_count.
• exceed_action: the action to perform on requests that exceed the rate limitthreshold.
• conform_action: the action to perform on requests that don't exceed therate limit threshold.

Rate limiting with Cloud Service Mesh

This section provides a general description of the steps that you need to taketo configure rate limiting with Cloud Service Mesh.

First, you create an endpoint policy and make sure that theEndpointMatcherselects your Cloud Service Mesh instances to enforce ratelimits on inbound traffic. TheEndpointMatcher uses endpoint labels toidentify the instances to which it attaches.

Next, you create a Cloud Armor security policy with the typeCLOUD_ARMOR_INTERNAL_SERVICE. The only action available for this securitypolicy type isfairshare. In this policy, you create a default rule with thefairshare action to apply fairshare rate limiting to all traffic that doesn'tmeet a higher-priority rule. You can add new, higher-priority rules to apply adifferent rate limit to different kinds of traffic. For example, you can givea specific IP address range a lower or higher rate limit.

Finally, after you finish creating your security policy with one or morerate limiting rules you attach it to the endpoint policy. After you attach thesecurity policy, Cloud Armor applies server-side rate limiting to allincoming traffic that matches with a match condition of a rule and that connectsto the service mesh instances that theEndpointMatcher selected.

Cloud Service Mesh configures a global rate limit across allinstances. This means that the total traffic volume across all server instancesis aggregated to determine when to enforce the rate limit. Any client that sendsrequests to such a service is subject to the same enforcement threshold andpolicy. This means that when theaggregate traffic rate exceeds the threshold,some requests are dropped.

To configure rate limiting with Cloud Service Mesh, seeConfigure Google Cloud Armor rate limiting with Envoy.

Limitations

When you configure rate limiting with Cloud Armor, consider thefollowing limitations:

• Cloud Armorquotas limit the number of custom rulesthat you can create. We recommend that you check your quota before creatingmore than 20 custom rules.
• Each endpoint policy resource must reference a different security policy. Youcan't attach a security policy to a new endpoint policy if it's alreadyreferenced by an existing endpoint policy.
• Security policies with thefairshare action are limited to theALL ratelimiting key.
• When you deploy security policies with thefairshare action,Cloud Armor ignores thepreview field during rule enforcement.
• You can't configure a Cloud Armor security policy if you're using TCPtraffic routing.

In addition, Cloud Armor security policies with theCLOUD_ARMOR_INTERNAL_SERVICE type are limited to the following customexpression language (CEL) attributes:

• request.headers
• request.method
• request.path
• request.scheme
• request.query

For more information about CEL attributes, seeConfigure custom rules language attributes.