Limit request rates to services in the mesh

This topic describes how to configure Consul to limit the request rate to services in the mesh.

This feature is available in Consul Enterprise.

Introduction

Consul allows you to configure settings to limit the rate of HTTP requests a service receives from sources in the mesh. Limiting request rates is one strategy for building a resilient and highly-available network.

Consul applies rate limits per service instance. As an example, if you specify a rate limit of 100 requests per second (RPS) for a service and five instances of the service are available, the service accepts a total of 500 RPS, which equals 100 RPS per instance.

You can limit request rates for all traffic to a service, as well as set rate limits for specific URL paths on a service. When multiple rate limits are configured on a service, Consul applies the limit configured for the first matching path. As a result, the maximum RPS for a service is equal to the number of service instances deployed for a service multiplied by either the rate limit configured for that service or the rate limit for the path.

Requirements

Consul Enterprise v1.17.0 or later

Limit request rates to a service on all paths

Specify request rate limits in the service defaults configuration entry. Create or edit the existing service defaults configuration entry for your service and specify the following fields:

RateLimits.InstanceLevel.RequestPerSecond: Set an average number of requests per second that Consul should allow to the service. The number of requests may momentarily exceed this value up to the value specified in the RequestsMaxBurst parameter, but Consul temporarily lowers the speed of the transactions.
RateLimits.InstanceLevel.RequestsMaxBurst: Set the maximum number of concurrent requests that Consul momentarily allows to the service. Consul blocks any additional requests over this limit.

The following example configures the default behavior for a service named billing. This configuration limits each instance of the billing service to an average of 1000 requests per second, but allows the service to accept up to 1500 concurrent requests.

Kind = "service-defaults"
Name = "billing"
Protocol = "http"

RateLimit {
  InstanceLevel {
    RequestsPerSecond = 1000
    RequestsMaxBurst = 1500
  }
}

spec.rateLimits.instanceLevel.requestPerSecond: Set an average number of requests per second that Consul should allow to the service. The number of requests may momentarily exceed this value up to the value specified in the requestsMaxBurst parameter, but Consul temporarily lowers the speed of the transactions.
spec.rateLimits.instanceLevel.requestsMaxBurst: Set the maximum number of concurrent requests that Consul momentarily allows to the service. Consul blocks any additional requests over this limit.

kind: ServiceDefaults
name: billing
protocol: http
rateLimit:
  instanceLevel:
    requestsPerSecond: 1000
    requestsMaxBurst: 1500

Refer to the service defaults configuration entry reference for additional specifications and example configurations.

Specify request rate limits for specific paths

Specify request rate limits in the service defaults configuration entry. Create or edit the existing service defaults configuration entry for your service and configure the following parameters:

Add a RateLimits.InstanceLevel.Routes block to the configuration entry. The block contains the limits and matching criteria for determining which paths to set limits on.
In the Routes block, configure one of the following match criteria to determine which path to set the limits on:
- PathExact: Specifies the exact path to match on the request path.
- PathPrefix: Specifies the path prefix to match on the request path.
- PathRegex: Specifies a regular expression to match on the request path.
Configure the limits you want to enforce in the Routes block as well. You can configure the following parameters:
- RequestsPerSecond: Set an average number of requests per second that Consul should allow to the service through the matching path. The number of requests may momentarily exceed this value up to the value specified in the RequestsMaxBurst parameter, but Consul temporarily lowers the speed of the transactions. This configuration overrides the value specified in RateLimits.InstanceLevel.RequestPerSecond field of the configuration entry.
- RequestsMaxBurst: Set the maximum number of concurrent requests that Consul momentarily allows to the service through the matching path. Consul blocks any additional requests over this limit. This configuration overrides the value specified in RateLimits.InstanceLevel.RequestsMaxBurst field of the configuration entry.

The following example configures the default behavior for a service named billing. This configuration limits each instance of the billing service depending on the path it received the request on. The service is limited to an average of 500 requests when the request is made on an HTTP path with the /api prefix. When an instance of the billing service receives a request from the /login path, it is limited to an average of 100 requests per second and 500 concurrent connections.

Kind = "service-defaults"
Name = "billing"
Protocol = "http"

RateLimit {
  InstanceLevel {
    Routes = [
      {
         PathPrefix = "/api"
         RequestsPerSecond = 500
      },
      {
         PathPrefix = "/login"
         RequestsPerSecond = 100
         RequestsMaxBurst = 500
      }
    ]
  }
}

Add a spec.rateLimits.instanceLevel.routes block to the configuration entry. The block contains the limits and matching criteria for determining which paths to set limits on.
In the routes block, configure one of the following match criteria for enabling Consul to determine which path to set the limits on:
- pathExact: Specifies the exact path to match on the request path. When using this field.
- pathPrefix: Specifies the path prefix to match on the request path.
- pathRegex: Specifies a regular expression to match on the request path.
Configure the limits you want to enforce in the routes block as well. You can configure the following parameters:
- requestsPerSecond: Set an average number of requests per second that Consul should allow to the service through the matching path. The number of requests may momentarily exceed this value up to the value specified in the requestsMaxBurst parameter, but Consul temporarily lowers the speed of the transactions. This configuration overrides the value specified in spec.rateLimits.instanceLevel.requestPerSecond field of the CRD.
- requestsMaxBurst: Set the maximum number of concurrent requests that Consul momentarily allows to the service through the matching path. Consul blocks any additional requests over this limit. This configuration overrides the value specified in spec.rateLimits.instanceLevel.requestsMaxBurst field of the CRD.

kind: service-defaults
name: billing
protocol: http
rateLimit:
  instanceLevel:
    routes:
      - pathPrefix: /api
        requestsPerSecond: 500
      - pathPrefix: /login
        requestsPerSecond: 100
        requestsMaxBurst: 500

Refer to the service defaults configuration entry reference for additional specifications and example configurations.