Rate Limiting Settings

Rate Limiting Settings limit how frequently CloudBase resources can be called, preventing excessive calls to resources and keeping services stable.

Supported Resource Types

The following resources currently support rate limiting configuration:

  • Cloud Function
  • Cloud Hosting Service

Rate Limiting Settings Description

Follow these steps to configure rate limiting on the CloudBase platform:

  1. Log in to the CloudBase platform
  2. In the left navigation bar, select [Environment Configuration] and navigate to [Security Control].
  3. Select the resource type to configure (Cloud Function Rate Limiting / Cloud Hosting Service Rate Limiting)
  4. Configure rate limiting rules as needed:
    • Specific resources (Cloud Function/Cloud Hosting Service)
    • Resource dimension rate limiting
    • Client dimension rate limiting
  5. Click [Save] to apply the configuration

Note:

  • Configuration changes take effect in approximately 1-2 minutes
  • Verify the effect of the configuration in a test environment first
  • Rate limit values that are too low may disrupt normal business traffic

The current rate limiting settings include two dimensions:

  • Resource dimension rate limiting - Limits the overall invocation frequency of resources
  • Client dimension rate limiting - Restricts the invocation frequency of a single client

Resource dimension rate limiting

Resource dimension rate limiting restricts the total invocation frequency of specified resources, preventing service unavailability caused by excessive calls.

Configuration Instructions

  • Configurable range: 100 to the environment's maximum QPS
  • Calculation method: QPS (queries per second) = total requests to the specified resource per second
  • Typical scenarios:
    • Protect core business functions or services from being overwhelmed by sudden traffic surges
    • Restrict the frequency of third-party calls
    • Control resource usage costs

Configuration Recommendations

  1. Set a reasonable threshold based on peak business traffic
  2. Reserve 20%-30% buffer space to accommodate traffic fluctuations
  3. Use monitoring alerts to detect promptly when rate limiting is triggered
  4. Critical businesses can consider dedicated environments to avoid mutual interference

Example: A cloud function has an average QPS of 80 and a peak of 120. It is recommended to configure rate limiting at 150 QPS.

Client Dimension Rate Limiting

Client dimension rate limiting restricts how frequently a single client can invoke a specified resource, preventing malicious API scraping or excessive resource usage by individual users.

Configuration Instructions

  • Configurable range: 0 to 30 QPS
  • Identification method:
    • UserID (CloudBase user ID/WeChat openid): The user ID based on CloudBase, or the user openid included in requests from the mini program side
    • ClientIP (client IP address): Based on the client IP address from which the request originates
  • Selection recommendations:
    • User-based businesses should select UserID
    • For anonymous access scenarios, select ClientIP.
    • Only one identification method can be selected for the same resource.
  • Typical scenarios:
    • Prevent users from frequently refreshing the page
    • Restrict crawler bot activities
    • Control API call quotas
    • Protect sensitive interfaces from brute-force attacks

Configuration Example

# UserID Dimension Rate Limiting Example
Resource: userProfile
Rate Limiting Type: UserID
Threshold: 5 QPS

Effect:
- UserID=123 is limited to 5 QPS
- UserID=456 is limited to 5 QPS
- Requests without UserID are not limited

# ClientIP Dimension Rate Limiting Example
Resource: loginAPI
Rate Limiting Type: ClientIP
Threshold: 3 QPS

Effect:
- IP=1.2.3.4 is limited to 3 QPS
- IP=5.6.7.8 is limited to 3 QPS

Notes:

  • The UserID method requires requests to carry user identity information. Requests without a UserID are not counted against the limit and are allowed to pass.
  • The ClientIP method may inadvertently block legitimate users who share the same IP address.
  • It is recommended to configure both resource dimension and client dimension rate limiting for critical services.
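
The notes above can be checked against a small model. This is an added example, not CloudBase code: it assumes fixed one-second counting windows (the page does not describe the platform's algorithm), and `makeLimiter`, `burst` and `countAllowed` are hypothetical names. It shows that a UserID-only rule lets requests without a UserID through unthrottled, that adding a resource dimension limit caps them, and that two users behind one IP share a single ClientIP budget.

```javascript
// Model only: fixed one-second windows are an assumption, not CloudBase's algorithm.
function makeLimiter({ resourceQps, clientQps, keyType }) {
  const counts = new Map(); // "<second>|<scope>" -> requests counted in that second
  const bump = (key) => {
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n;
  };
  return function check(req) {
    const sec = Math.floor(req.ts / 1000);
    // Client dimension: one identification method per resource.
    const id = keyType === 'UserID' ? req.userId : req.clientIp;
    if (id !== undefined && id !== null && id !== '') {
      if (bump(`${sec}|client|${id}`) > clientQps) return 'client-limited';
    } // no identifier: the client dimension is skipped, as the notes state
    // Resource dimension: every call to the resource shares one counter.
    if (resourceQps !== undefined && bump(`${sec}|resource`) > resourceQps) {
      return 'resource-limited';
    }
    return 'allowed';
  };
}

// Constructed traffic: n requests from one caller inside the same second.
function burst(n, fields) {
  return Array.from({ length: n }, (_, i) => ({ ts: i, ...fields }));
}

function countAllowed(config, requests) {
  const check = makeLimiter(config);
  return requests.filter((r) => check(r) === 'allowed').length;
}

const userOnly = { keyType: 'UserID', clientQps: 5 };
const layered = { keyType: 'UserID', clientQps: 5, resourceQps: 100 };
const ipOnly = { keyType: 'ClientIP', clientQps: 3 };
const sharedIp = [
  ...burst(3, { clientIp: '1.2.3.4', userId: 'a' }),
  ...burst(3, { clientIp: '1.2.3.4', userId: 'b' }),
];

console.log(countAllowed(userOnly, burst(200, { userId: '123' }))); // 5
console.log(countAllowed(userOnly, burst(200, {})));                // 200
console.log(countAllowed(layered, burst(200, {})));                 // 100
console.log(countAllowed(ipOnly, sharedIp));                        // 3
```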

Best Practices

Tiered Rate Limiting Strategy

  1. Core Business: Set relatively loose rate limits (e.g., resource dimension 500 QPS + client dimension 10 QPS)
  2. General Business: Set moderate rate limits (e.g., resource dimension 200 QPS + client dimension 5 QPS)
  3. High-Risk Interfaces: Set strict rate limits (e.g., resource dimension 100 QPS + client dimension 1 QPS)

Monitoring and Alerting

  • Configure Cloud Monitor alert rules to send notifications when the rate limiting trigger rate reaches the threshold
  • Record rate limiting logs and analyze the characteristics of restricted requests
  • Return a user-friendly error message when a rate limit is triggered

Test Verification

  1. Verify the rate limiting configuration in the test environment first
  2. Use stress testing tools to simulate different scenarios
  3. Gradually adjust to the optimal configuration

Handling Rate Limit Triggers

  • Return a 429 status code and a clear error message
  • The client should implement an exponential backoff retry mechanism
  • Critical services may consider queuing or degradation solutions
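
A sketch of the client-side retry described above, as an added example that is not taken from CloudBase documentation or SDKs. `send` is a hypothetical caller-supplied function that resolves to an object with a `status` field; the base delay, cap and attempt budget are assumed values, and the stub endpoint is constructed for the demonstration.

```javascript
// Delay before retry number `attempt` (0-based), using "full jitter": a random
// value below min(capMs, baseMs * 2^attempt), so throttled clients do not
// retry in lockstep and hit the limit again together.
function backoffDelayMs(attempt, { baseMs = 200, capMs = 5000, rand = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// `send` is a hypothetical caller-supplied function returning { status, ... }.
async function callWithBackoff(send, opts = {}) {
  const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
  const { maxAttempts = 5, sleep = realSleep } = opts;
  const waits = [];
  let res;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    res = await send();
    if (res.status !== 429) break;           // retry only when throttled
    if (attempt === maxAttempts - 1) break;  // retry budget spent: surface the 429
    const ms = backoffDelayMs(attempt, opts);
    waits.push(ms);
    await sleep(ms);
  }
  return { res, waits };
}

// Constructed stand-in for a rate-limited endpoint: 429 for the first N calls.
function makeStub(throttledCalls) {
  let calls = 0;
  return async () => ({ status: ++calls <= throttledCalls ? 429 : 200 });
}

callWithBackoff(makeStub(2), { baseMs: 10 }).then(({ res, waits }) => {
  console.log(res.status, waits.length); // 200 2
});
```

Capping the number of attempts matters as much as the delay: a client that retries forever keeps consuming the per-client budget and stays throttled.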

Configuration Checklist:

  • Whether reasonable buffer space is configured
  • Whether business peak has been considered
  • Whether monitoring and alerting have been configured
  • Whether the configuration effect has been tested and verified
  • Whether there is a solution for handling rate limit triggers