Rate Limiting Settings

The HTTP access service provides rate limiting functionality for routes. You can set rate limiting policies based on your actual business scenarios to protect your backend resources.

Rate Limiting Configuration Guide

Follow these steps to configure rate limiting on the CloudBase platform:

  1. Log in to the CloudBase Platform
  2. Select Environment Settings in the left navigation bar, then go to HTTP Access Service
  3. In the route configuration, select the specific route you want to configure
  4. Configure rate limiting rules as needed:
    • Resource-level rate limiting: Apply one overall rate limit to the route as a whole
    • Client-level rate limiting: Apply rate limiting based on route and user ID or client IP
  5. Click Save to apply the configuration

Note:

  • Configuration changes take approximately 1-2 minutes to take effect
  • It is recommended to validate the configuration in a test environment first
  • Excessively low rate limiting values may affect normal business operations

Current rate limiting settings include two dimensions:

  • Resource-level rate limiting - Limits the overall call frequency of the route
  • Client-level rate limiting - Limits the call frequency of individual clients

Resource-Level Rate Limiting

Resource-level rate limiting restricts the total call frequency of a specified route, preventing excessive calls from overloading backend services or making them unavailable.

Configuration Details

  • Configurable Range: 100 to environment maximum QPS
  • Calculation Method: Queries Per Second (QPS) = Total requests to specified route / second
  • Typical Scenarios:
    • Protect core business from being overwhelmed by traffic spikes
    • Limit the frequency of third-party calls
    • Control resource usage costs

Configuration Recommendations

  1. Set reasonable thresholds based on business peak traffic
  2. Reserve 20%-30% buffer space to handle traffic fluctuations
  3. Use monitoring alerts to detect rate limiting situations promptly
  4. Consider separate environments for critical business to avoid mutual interference

Example: For a route with average QPS of 80 and peak of 120, it's recommended to configure rate limiting at 150 QPS

Client-Level Rate Limiting

Client-level rate limiting is used to restrict the call frequency of individual clients to specified resources, preventing malicious interface abuse or excessive resource usage.

Configuration Details

  • Configurable Range: 0 to 30 QPS
  • Identification Methods:
    • UserID (CloudBase User ID / WeChat openid): Based on CloudBase user ID, or user openid from mini-program requests
    • ClientIP (Client IP Address): Based on the client IP address initiating the request
  • Selection Recommendations:
    • Choose UserID for businesses with a user system
    • Choose ClientIP for anonymous access scenarios
    • Only one identification method can be selected per resource
  • Typical Scenarios:
    • Prevent users from frequently refreshing pages
    • Limit bot crawler behavior
    • Control API call quotas
    • Protect sensitive interfaces from brute-force attacks

Configuration Examples

# UserID-based rate limiting example
Route: /userProfile
Rate Limit Type: UserID
Threshold: 5 QPS

Effect:
- UserID=123 limited to 5 QPS
- UserID=456 limited to 5 QPS
- Requests without UserID are not restricted

# ClientIP-based rate limiting example
Route: /login
Rate Limit Type: ClientIP
Threshold: 3 QPS

Effect:
- IP=1.2.3.4 limited to 3 QPS
- IP=5.6.7.8 limited to 3 QPS

Important Notes:

  • The UserID method requires requests to carry user identity information; requests without a UserID are ignored by the limiter and allowed through
  • ClientIP may inadvertently affect users sharing the same IP
  • For critical business, it's recommended to configure both resource-level and client-level rate limiting
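
The effect of combining the two dimensions, as an added example that is not CloudBase's own code: a small Python model of the /userProfile configuration above (UserID, 5 QPS) with a resource-level limit of 100 QPS on the same route. The class and function names, the fixed one-second window and the order of the two checks are assumptions made for illustration; the traffic is constructed.

```python
from collections import defaultdict

class RouteLimiter:
    """Fixed one-second-window model of one route's two rate limiting dimensions."""

    def __init__(self, resource_qps, client_qps=None, identify_by=None):
        self.resource_qps = resource_qps      # total QPS allowed on the route
        self.client_qps = client_qps          # per-client QPS, None = not configured
        self.identify_by = identify_by        # "UserID" or "ClientIP" (one per route)
        self.route_hits = defaultdict(int)    # second -> admitted requests
        self.client_hits = defaultdict(int)   # (second, client key) -> admitted requests

    def check(self, now, user_id=None, client_ip=None):
        """Return 200 if the request is admitted, 429 if it is rate limited."""
        second = int(now)
        key = user_id if self.identify_by == "UserID" else client_ip
        # Client-level: a request without the chosen identifier is not counted.
        limited = self.client_qps is not None and self.identify_by and key is not None
        if limited and self.client_hits[(second, key)] >= self.client_qps:
            return 429
        # Resource-level: applies to every request, identified or not.
        if self.route_hits[second] >= self.resource_qps:
            return 429
        self.route_hits[second] += 1
        if limited:
            self.client_hits[(second, key)] += 1
        return 200

def admitted(limiter, count, now=0.0, **identity):
    """Send `count` requests inside one second and return how many got 200."""
    return sum(limiter.check(now, **identity) == 200 for _ in range(count))

def demo():
    # Constructed traffic against the /userProfile example (UserID, 5 QPS).
    profile = RouteLimiter(resource_qps=100, client_qps=5, identify_by="UserID")
    return {
        "user_123": admitted(profile, 10, now=0.0, user_id="123"),
        "user_456": admitted(profile, 10, now=0.0, user_id="456"),
        # No UserID: only the resource-level limit is left to stop these.
        "no_user_id": admitted(profile, 200, now=0.0, client_ip="1.2.3.4"),
        "user_123_next_second": admitted(profile, 10, now=1.0, user_id="123"),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the 200 requests without a UserID are held back only by what remains of the route's 100 QPS budget, which is why the resource-level limit matters on routes that use the UserID method.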

Best Practices

Tiered Rate Limiting Strategy

  1. Core Business: Set more relaxed rate limits (e.g., route-level 500 QPS + client-level 10 QPS)
  2. Regular Business: Medium rate limits (e.g., route-level 200 QPS + client-level 5 QPS)
  3. High-Risk Interfaces: Strict rate limits (e.g., route-level 100 QPS + client-level 1 QPS)

Testing and Validation

  1. Validate the rate limiting configuration in a test environment first
  2. Use load testing tools to simulate different scenarios
  3. Gradually adjust toward the optimal configuration

Handling Rate Limit Triggers

  • Return a 429 status code with a clear error message
  • Clients should implement an exponential backoff retry mechanism
  • Consider queuing or degradation solutions for critical business

Configuration Checklist:

  • Is reasonable buffer space configured?
  • Are business peak loads considered?
  • Is monitoring and alerting configured?
  • Has the configuration effect been tested and validated?
  • Is there a plan for handling rate limit triggers?