Configure global throttling for an ingress gateway to improve system stability and availability - Alibaba Cloud Service Mesh

You can configure global throttling for a specific route of an ingress gateway to implement precise control over traffic to cope with issues such as traffic bursts, service overload, resource exhaustion, and malicious attacks. This protects the stability of backend services, reduces costs, and improves user experience.

Prerequisites

A managed Kubernetes cluster has been added to your ASM instance, and the ASM instance is version 1.18.0.131 or later. For more information, see Add a cluster to an ASM instance.
Automatic sidecar injection is enabled for the default namespace in the Kubernetes cluster. For more information, see Enable automatic injection.
An ingress gateway named ingressgateway is created and port 80 is enabled. For more information, see Create an ingress gateway.

Preparations

Deploy a throttling service

Create a ratelimit-svc.yaml file that contains the following content:

Show the ratelimit-svc.yaml file

apiVersion: v1
kind: ServiceAccount
metadata:
  name: redis
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  labels:
    app: redis
spec:
  ports:
  - name: redis
    port: 6379
  selector:
    app: redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
   metadata:
      labels:
        app: redis
        sidecar.istio.io/inject: "false"
   spec:
      containers:
      - image: registry-cn-hangzhou.ack.aliyuncs.com/dev/redis:alpine
        imagePullPolicy: Always
        name: redis
        ports:
        - name: redis
          containerPort: 6379
      restartPolicy: Always
      serviceAccountName: redis
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    {}
---
apiVersion: v1
kind: Service
metadata:
  name: ratelimit
  labels:
    app: ratelimit
spec:
  ports:
  - name: http-port
    port: 8080
    targetPort: 8080
    protocol: TCP
  - name: grpc-port
    port: 8081
    targetPort: 8081
    protocol: TCP
  - name: http-debug
    port: 6070
    targetPort: 6070
    protocol: TCP
  selector:
    app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratelimit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratelimit
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ratelimit
        sidecar.istio.io/inject: "false"
    spec:
      containers:
        # Latest image from https://hub.docker.com/r/envoyproxy/ratelimit/tags
      - image: registry-cn-hangzhou.ack.aliyuncs.com/dev/envoyproxy/ratelimit:e059638d
        imagePullPolicy: Always
        name: ratelimit
        command: ["/bin/ratelimit"]
        env:
        - name: LOG_LEVEL
          value: debug
        - name: REDIS_SOCKET_TYPE
          value: tcp
        - name: REDIS_URL
          value: redis.default.svc.cluster.local:6379
        - name: USE_STATSD
          value: "false"
        - name: RUNTIME_ROOT
          value: /data
        - name: RUNTIME_SUBDIRECTORY
          value: ratelimit
        - name: RUNTIME_WATCH_ROOT
          value: "false"
        - name: RUNTIME_IGNOREDOTFILES
          value: "true"
        ports:
        - containerPort: 8080
        - containerPort: 8081
        - containerPort: 6070
        volumeMounts:
        - name: config-volume
          # $RUNTIME_ROOT/$RUNTIME_SUBDIRECTORY/$RUNTIME_APPDIRECTORY/config.yaml
          mountPath: /data/ratelimit/config
      volumes:
      - name: config-volume
        configMap:
          name: ratelimit-config

In the kubeconfig environment of the ACK cluster, run the following command to create a throttling service and its dependent Redis service in the cluster.
For more information about how to connect to a cluster using kubectl, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
```
kubectl apply -f ratelimit-svc.yaml
```

Deploy the Bookinfo sample application

Download the bookinfo.yaml file of the Bookinfo application from the Istio repository on GitHub.
To deploy the Bookinfo application to the ASM instance's cluster, run the following command in the kubeconfig environment of the ACK cluster.
```
kubectl apply -f bookinfo.yaml
```

Create a bookinfo-gateway.yaml that contains the following content:

Show the bookinfo-gateway.yaml file

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - bf2.example.com
      port:
        name: http
        number: 80
        protocol: http
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  gateways:
    - bookinfo-gateway
  hosts:
    - bf2.example.com
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
      name: productpage-route-name1
      route:
        - destination:
            host: productpage
            port:
              number: 9080

In the kubeconfig environment for the ASM instance, run the following command to create a routing rule for the Bookinfo application on the ingress gateway.
The routing rule is named productpage-route-name1 and matches requests for the bf2.example.com domain name. For more information about how to use kubectl to connect to an ASM instance, see Use kubectl on the control plane to access Istio resources.
```
kubectl apply -f bookinfo-gateway.yaml
```

Scenario 1: Configure a global throttling rule for a specific ingress gateway route

Configure a throttling rule for the productpage-route-name1 route associated with the domain name and port bf2.example.com:80. The productpage-route-name1 route is part of the booinfo virtual service created in the Preparations section. This route matches requests for paths such as /productpage, /static, /login, and /logout, and forwards the matched requests to the productpage service. After the throttling rule is configured, requests sent to these paths are subject to rate limiting.

Create a global-ratelimit-gw.yaml file that contains the following content:

Show the global-ratelimit-gw.yaml file

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  rateLimitService: # The configuration of the throttling service deployed in the Preparations section.
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  isGateway: true
  configs:
  - name: productpage
    limit:
      unit: MINUTE
      quota: 1
    match:
      vhost:
        name: bf2.example.com # This name must be the same as the domain name in the VirtualService.
        port: 80 # This port number must match the ASM gateway port.
        route:
          name_match: productpage-route-name1  # This name must be the same as the routing rule in the VirtualService.

The following table describes some of the fields. For more information, see Description of ASMGlobalRateLimiter fields.

Field	Description
`workloadSelector`	The workload on which the throttling rule takes effect. In this example, global throttling takes effect on the ingressgateway ingress gateway. Set this parameter to `istio: ingressgateway`.
`isGateway`	Specifies whether the rule applies to the gateway. In this example, this parameter is set to `true`.
`rateLimitService`	The domain name, port, and connection timeout settings of the throttling service. The following code block shows the settings of the throttling service deployed in Preparations: `host: ratelimit.default.svc.cluster.local port: 8081 timeout: seconds: 5`
`limit`	The throttling configuration parameters that take effect. `unit` specifies the time unit for throttling detection. `quota` specifies the total number of requests allowed per unit of time. In this example, `unit` is set to `MINUTE` and `quota` is set to `1`. This indicates that only one request can be sent per minute on the matching route. Excess requests are throttled.
`vhost`	The domain name and route item configuration that the throttling rule matches. The values of `name` and `port` must be the same as the domain name in the virtual service that is applied to the gateway and the ingress gateway port. The route name specified in `route.name_match` must be the same as the name of the route item in the virtual service.

In the kubeconfig environment of the ASM instance, run the following command to create a global throttling rule for the productpage-route-name1 route of the gateway.
```
kubectl apply -f global-ratelimit-gw.yaml
```

Run the following command to obtain the configuration of the global throttling rule:

kubectl get asmglobalratelimiter global-test -n istio-system -o yaml

Show the expected output

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  configs:
  - limit:
      quota: 1
      unit: MINUTE
    match:
      vhost:
        name: bf2.example.com
        port: 80
        route:
          name_match: productpage-route-name1
    name: productpage
  isGateway: true
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      app: istio-ingressgateway
status:
  config.yaml: |
    descriptors:
    - key: generic_key
      rate_limit:
        requests_per_unit: 1
        unit: MINUTE
      value: RateLimit[global-test.istio-system]-Id[597770312]
    domain: ratelimit.default.svc.cluster.local
  message: ok
  status: successful

Copy the content of the config.yaml field from the status field of the ASMGlobalRateLimiter resource in the output of the previous step. Paste the content into a `ratelimit-config.yaml` file to generate the global throttling service configuration.
The string content of the config.yaml field, located under the status field of ASMGlobalRateLimiter, must be pasted exactly as is into the config.yaml field in the data section of the ConfigMap.
Show the ratelimit-config.yaml file
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    descriptors:
    - key: generic_key
      rate_limit:
        requests_per_unit: 1
        unit: MINUTE
      value: RateLimit[global-test.istio-system]-Id[597770312]
    domain: ratelimit.default.svc.cluster.local
```
In the kubeconfig environment of the ACK cluster, run the following command to update the global throttling service configuration in the cluster.
```
kubectl apply -f ratelimit-config.yaml
```
Run the following commands to access the Bookinfo application twice.
Replace <ASM gateway IP> with the actual IP address of the gateway. For more information about how to obtain the IP address of the gateway, see Obtain the ingress gateway address.
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The following code block shows the expected output for the second access to the Bookinfo application:
```
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< x-ratelimit-limit: 1, 1;w=60
< x-ratelimit-remaining: 0
< x-ratelimit-reset: 48
< date: Thu, 26 Oct 2023 04:10:11 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 116.62.XXX.XXX left intact
```
In the global throttling configuration, only one request is allowed to access the Bookinfo application within one minute. When you access the Bookinfo application twice within one minute, you can see that the first request is successful and throttling is triggered on the second request. This indicates that global throttling takes effect on the specific ingress gateway route.

Scenario 2: Configure a global throttling rule for a specific domain name and a specific port on an ingress gateway

You can configure a global throttling rule for the domain name and port combination bf2.example.com:80. After the rule is configured, requests sent to this domain name and port are rate-limited.

Create a global-ratelimit-gw.yaml file that contains the following content:

Show the global-ratelimit-gw.yaml file

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  rateLimitService: # The configuration of the throttling service deployed in the Preparations section.
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  isGateway: true
  configs:
  - name: productpage
    limit:
      unit: MINUTE
      quota: 1
    match:
      vhost:
        name: bf2.example.com # This name must be the same as the domain name in the VirtualService.
        port: 80 # This port number must match the ASM gateway port.

The following table describes some of the fields. For more information, see Description of ASMGlobalRateLimiter fields.

Field	Description
`workloadSelector`	The workload on which the throttling rule takes effect. In this example, global throttling takes effect on the ingressgateway ingress gateway. Set this parameter to `istio: ingressgateway`.
`isGateway`	Specifies whether the rule applies to the gateway. In this example, this parameter is set to `true`.
`rateLimitService`	The domain name, port, and connection timeout settings of the throttling service. The following code block shows the settings of the throttling service deployed in Preparations: `host: ratelimit.default.svc.cluster.local port: 8081 timeout: seconds: 5`
`limit`	The throttling configuration parameters that take effect. `unit` specifies the time unit for throttling detection. `quota` specifies the total number of requests allowed per unit of time. In this example, `unit` is set to `MINUTE` and `quota` is set to `1`. This indicates that only one request can be sent per minute on the matching route. Excess requests are throttled.
`vhost`	The domain name and route item configuration that the throttling rule matches. The values of `name` and `port` must be the same as the domain name in the virtual service that is applied to the gateway and the ingress gateway port.

In the kubeconfig environment for the ASM instance, run the following command to create a global throttling rule that applies to the productpage-route-name1 route of the gateway.
```
kubectl apply -f global-ratelimit-gw.yaml
```

Run the following command to obtain the configuration of the global throttling rule:

kubectl get asmglobalratelimiter global-test -n istio-system -o yaml

Show the expected output

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  configs:
  - limit:
      quota: 1
      unit: MINUTE
    match:
      vhost:
        name: bf2.example.com
        port: 80
    name: productpage
  isGateway: true
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      istio: ingressgateway
status:
  config.yaml: |
    descriptors:
    - key: generic_key
      rate_limit:
        requests_per_unit: 1
        unit: MINUTE
      value: RateLimit[global-test.istio-system]-Id[2100900480]
    domain: ratelimit.default.svc.cluster.local
  message: ok
  status: successful

From the output of the previous step, copy the content of the config.yaml field within the status field of the ASMGlobalRateLimiter resource and paste it into the ratelimit-config.yaml file to create the global throttling service configuration.
Paste the string content from the config.yaml field, which is under the status field of the ASMGlobalRateLimiter resource, as is into the config.yaml field in the data section of the ConfigMap.
Show the ratelimit-config.yaml file
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    descriptors:
    - key: generic_key
      rate_limit:
        requests_per_unit: 1
        unit: MINUTE
      value: RateLimit[global-test.istio-system]-Id[2100900480]
    domain: ratelimit.default.svc.cluster.local
```
In the kubeconfig environment for the ACK cluster, run the following command to update the global throttling service configuration in the cluster.
```
kubectl apply -f ratelimit-config.yaml
```
Run the following commands to access the Bookinfo application twice.
Replace <ASM gateway IP> with the IP address of the gateway. For more information about how to obtain the gateway IP address, see Obtain the ingress gateway address.
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The following code block shows the expected output for the second access to the Bookinfo application:
```
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< x-ratelimit-limit: 1, 1;w=60
< x-ratelimit-remaining: 0
< x-ratelimit-reset: 48
< date: Thu, 26 Oct 2023 04:10:11 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 116.62.XXX.XXX left intact
```
The global throttling configuration allows only one request per minute for the bf2.example.com:80 domain name and port combination. When you access this domain name and port combination twice in a row, the first request is successful and the second request is throttled. This result indicates that the global throttling rule for the ingress gateway was configured successfully.

Scenario 3: Configure a global throttling rule for requests that contain specific headers and query parameters on a specific route in the virtual service for the ingress gateway

Note

In this scenario, the version of the ASM instance must be 1.19.0 or later. For more information about how to upgrade an ASM instance, see Update an ASM instance.

This scenario shows how to configure a throttling rule for the productpage-route-name1 route, which is associated with the domain name and port combination bf2.example.com:80. The rule applies only to requests that contain the ratelimit: "true" request header and the ratelimit=enabled query parameter. The rule matches requests for paths, such as /productpage, /static, /login, and /logout, and forwards the matched requests to the productpage service. After you configure the throttling rule, requests sent to these paths are subject to rate limiting.

Create a global-ratelimit-gw.yaml file that contains the following content:

Show the global-ratelimit-gw.yaml file

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  isGateway: true
  configs:
  - name: productpage
    limit:
      unit: SECOND
      quota: 100000
    match:
      vhost:
        name: bf2.example.com
        port: 80
        route:
          name_match: productpage-route-name1  # This name must be the same as the route name in the virtual service.
    limit_overrides:
    - request_match:
        header_match:
        - name: ratelimit
          exact_match: "true"
        query_match:
        - name: ratelimit
          exact_match: "enabled"
      limit:
        unit: MINUTE
        quota: 1

The following table describes some of the fields. For more information, see Description of ASMGlobalRateLimiter fields.

Field	Description
`workloadSelector`	The workload on which the throttling rule takes effect. In this example, global throttling takes effect on the ingressgateway ingress gateway. Set this parameter to `istio: ingressgateway`.
`isGateway`	Specifies whether the rule applies to the gateway. In this example, this parameter is set to `true`.
`rateLimitService`	The domain name, port, and connection timeout settings of the throttling service. The following code block shows the settings of the throttling service deployed in Preparations: `host: ratelimit.default.svc.cluster.local port: 8081 timeout: seconds: 5`
`limit`	The throttling configuration parameters that take effect on the virtual service route. `unit` specifies the time unit for throttling detection. `quota` specifies the total number of requests allowed per unit of time. In this example, `unit` is set to `SECOND` and `quota` is set to `100000`. This indicates that 100,000 requests are allowed per second on the matching route. This setting is approximately equal to no throttling configured. It is intended that only requests that meet specified conditions are throttled, and other requests do not need to trigger throttling.
`vhost`	The domain name and route item configuration that the throttling rule matches. The values of `name` and `port` must be the same as the domain name in the virtual service that is applied to the gateway and the ingress gateway port. The route name specified in `route.name_match` must be the same as the name of the route item in the virtual service.
`limit_overrides`	Specifies whether to override the configured throttling threshold. You can use this field to specify a throttling threshold individually for specific requests. In this example: The `request_match` field in `limit_overrides` is set to exactly match requests that contain the `ratelimit: "true"` request header and have the `ratelimit=enabled` query parameter in the request path. In the `limit` field of `limit_overrides`, `unit` is set to `MINUTE` and `quota` is set to `1`. This indicates that for requests that meet the conditions specified by `request_match`, only one request is allowed per minute.

In the kubeconfig environment of the ASM instance, run the following command to create a global throttling rule for the productpage-route-name1 route of the gateway.
```
kubectl apply -f global-ratelimit-gw.yaml
```

Run the following command to obtain the configuration of the global throttling rule:

kubectl get asmglobalratelimiter global-test -n istio-system -o yaml

Show the expected output

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  configs:
  - limit:
      quota: 100000
      unit: SECOND
    limit_overrides:
    - limit:
        quota: 1
        unit: MINUTE
      request_match:
        header_match:
        - exact_match: "true"
          name: ratelimit
        query_match:
        - exact_match: enabled
          name: ratelimit
    match:
      vhost:
        name: bf2.example.com
        port: 80
        route:
          name_match: productpage-route-name1
    name: productpage
  isGateway: true
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      app: istio-ingressgateway
status:
  config.yaml: |
    descriptors:
    - descriptors:
      - descriptors:
        - key: query_match
          rate_limit:
            requests_per_unit: 1
            unit: MINUTE
          value: RateLimit[global-test.istio-system]-Id[1102463266]
        key: header_match
        value: RateLimit[global-test.istio-system]-Id[1102463266]
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[1102463266]
    domain: ratelimit.default.svc.cluster.local
  message: ok
  status: successful

To generate the global throttling service configuration, paste the content of the config.yaml field from the status field of the ASMGlobalRateLimiter resource (found in the previous step's output) into the `ratelimit-config.yaml` file.

The string content from the config.yaml field under the status field of the ASMGlobalRateLimiter resource must be pasted exactly as is into the config.yaml field in the data section of the ConfigMap.

Show the ratelimit-config.yaml file

apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    descriptors:
    - descriptors:
      - descriptors:
        - key: query_match
          rate_limit:
            requests_per_unit: 1
            unit: MINUTE
          value: RateLimit[global-test.istio-system]-Id[1102463266]
        key: header_match
        value: RateLimit[global-test.istio-system]-Id[1102463266]
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[1102463266]
    domain: ratelimit.default.svc.cluster.local

In the kubeconfig environment of the ACK cluster, run the following command to update the global throttling service configuration in the cluster.
```
kubectl apply -f ratelimit-config.yaml
```
Run the following commands to access the Bookinfo application twice.
Replace <ASM gateway IP> with the actual IP address of the gateway. For more information about how to obtain the IP address of the gateway, see Obtain the ingress gateway address.
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The following code block shows the expected output for the second access to the Bookinfo application:
```
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< x-ratelimit-limit: 1, 1;w=60
< x-ratelimit-remaining: 0
< x-ratelimit-reset: 48
< date: Thu, 26 Oct 2023 04:10:11 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 116.62.XXX.XXX left intact
```
The global throttling configuration allows only one request per minute to the Bookinfo application for requests that contain the ratelimit: "true" request header and the ratelimit=enabled query parameter. When you access the Bookinfo application twice in a row with this request header and query parameter, the first request is successful and the second request is throttled. This indicates that the global throttling configuration for the ingress gateway is successfully matching specific requests.
Run the following command to access the Bookinfo application again, but do not include the ratelimit: "true" request header or the ratelimit=enabled query parameter in the request.
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The output indicates that no 429 status code is found and the Bookinfo application is successfully accessed. This indicates that other requests on the route are not subject to the global throttling rule.

Scenario 4: Configure a global throttling rule for a specific client IP address on a specific route in the virtual service for the ingress gateway

Note

In this scenario, the version of the ASM instance must be 1.19.0 or later. For more information about how to upgrade an ASM instance, see Update an ASM instance.
To configure throttling for a specific client IP address on the ingress gateway, you must ensure that External Traffic Policy of the ingress gateway is set to Local. For more information about how to create an ingress gateway and the description of the ingress gateway parameters, see Create an ingress gateway.
You can obtain the client IP address of a request sent to the gateway from the downstream_remote_address field in the gateway's access log. In this example, configure the client IP address that you want to throttle as required.

Configure a throttling rule for the productpage-route-name1 virtual service route under the domain name and port combination bf2.example.com:80. The throttling rule takes effect only on requests from a specific client IP address, while other requests on this route are not affected.

Create a global-ratelimit-gw.yaml file that contains the following content:

Show the global-ratelimit-gw.yaml file

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  isGateway: true
  configs:
  - name: productpage
    limit:
      unit: SECOND
      quota: 100000
    match:
      vhost:
        name: bf2.example.com
        port: 80
        route:
          name_match: productpage-route-name1  # This name must be the same as the route name in the virtual service.
    limit_overrides:
    - request_match:
        remote_address:
          address: xxx.xxx.xxx.xxx # The IP address of the client.
          v4_prefix_mask_len: xx # The subnet mask of the client IP address range.
      limit:
        unit: MINUTE
        quota: 1

The following table describes some of the fields. For more information, see Description of ASMGlobalRateLimiter fields.

Field	Description
`workloadSelector`	The workload on which the throttling rule takes effect. In this example, global throttling takes effect on the ingressgateway ingress gateway. Set this parameter to `istio: ingressgateway`.
`isGateway`	Specifies whether the rule applies to the gateway. In this example, this parameter is set to `true`.
`rateLimitService`	The domain name, port, and connection timeout settings of the throttling service. The following code block shows the settings of the throttling service deployed in Preparations: `host: ratelimit.default.svc.cluster.local port: 8081 timeout: seconds: 5`
`limit`	The throttling configuration parameters that take effect on the virtual service route. `unit` specifies the time unit for throttling detection. `quota` specifies the total number of requests allowed per unit of time. In this example, `unit` is set to `SECOND` and `quota` is set to `100000`. This indicates that 100,000 requests are allowed per second on the matching route. This setting is approximately equal to no throttling configured. It is intended that only requests that meet specified conditions are throttled, and other requests do not need to trigger throttling.
`vhost`	The domain name and route item configuration that the throttling rule matches. The values of `name` and `port` must be the same as the domain name in the virtual service that is applied to the gateway and the ingress gateway port. The route name specified in `route.name_match` must be the same as the name of the route item in the virtual service.
`limit_overrides`	Specifies whether to override the configured throttling threshold. You can use this field to specify a throttling threshold individually for specific requests. In this example: In the `request_match` field, `remote_address.address` is used to match the source IP address of the client request, and `remote_addess.v4_prefix_mask_len` is used to match the subnet mask of the source IP address range of the client (optional). In the `limit` field of the `limit_overrides` field, `unit` is set to `MINUTE` and `quota` is set to `1`. This indicates that for requests that meet the conditions specified by `request_match`, only one request is allowed per minute.

In the kubeconfig environment of the ASM instance, run the following command to create a global throttling rule that applies to the productpage-route-name1 route of the gateway.
```
kubectl apply -f global-ratelimit-gw.yaml
```

Run the following command to obtain the configuration of the global throttling rule:

kubectl get asmglobalratelimiter global-test -n istio-system -o yaml

Show the expected output

apiVersion: istio.alibabacloud.com/v1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  configs:
  - limit:
      quota: 100000
      unit: SECOND
    limit_overrides:
    - limit:
        quota: 1
        unit: MINUTE
      request_match:
        remote_address:
          address: 106.11.XX.XX
          v4_prefix_mask_len: 24
    match:
      vhost:
        name: bf2.example.com
        port: 80
        route:
          name_match: productpage-route-name1
    name: productpage
  isGateway: true
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  workloadSelector:
    labels:
      app: istio-ingressgateway
status:
  config.yaml: |
    descriptors:
    - descriptors:
      - key: masked_remote_address
        rate_limit:
          requests_per_unit: 1
          unit: MINUTE
        value: xxxxxx
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[1102463266]
    domain: ratelimit.default.svc.cluster.local
  message: ok
  status: successful

Copy the content of the config.yaml field from the status field of the ASMGlobalRateLimiter resource in the output from the previous step. Paste this content into the ratelimit-config.yaml file to generate the global throttling service configuration.
The string content from the config.yaml field within the status field of the ASMGlobalRateLimiter resource must be pasted exactly as is into the config.yaml field in the data section of the ConfigMap.
Show the ratelimit-config.yaml file
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    descriptors:
    - descriptors:
      - key: masked_remote_address
        rate_limit:
          requests_per_unit: 1
          unit: MINUTE
        value: xxxxxx
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[1102463266]
    domain: ratelimit.default.svc.cluster.local
```
In the kubeconfig environment of the ACK cluster, run the following command to update the global throttling service configuration in the cluster.
```
kubectl apply -f ratelimit-config.yaml
```
Run the following commands to access the Bookinfo application twice.
Replace <ASM gateway IP> with the actual IP address of your gateway. For more information about how to obtain the IP address of the gateway, see Obtain the ingress gateway address.
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The following code block shows the expected output for the second access to the Bookinfo application:
```
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< x-ratelimit-limit: 1, 1;w=60
< x-ratelimit-remaining: 0
< x-ratelimit-reset: 48
< date: Thu, 26 Oct 2023 04:10:11 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 116.62.XXX.XXX left intact
```
In the global throttling configuration, only one request is allowed to access the Bookinfo application within one minute. The request must be sent from specific IP addresses or CIDR blocks. When you use a client that uses a specific IP address to access the ingress gateway, the first request is successful and throttling is triggered on the second request. This indicates that global throttling takes effect on the requests that are sent from the specific IP address.
Run the following command to access the Bookinfo application again using a different IP address:
```
curl -H 'host: bf2.example.com'  http://<ASM gateway IP>/productpage -v
```
The output indicates that no 429 status code is found and the Bookinfo application is successfully accessed. This indicates that other requests on the route are not subject to the global throttling rule.

Scenario 5: Configure separate throttling rules for different client IP addresses on a specific virtual service route of the ingress gateway

Note

This scenario requires an ASM instance of version 1.25.0 or later. For more information about how to upgrade an instance, see Update an ASM instance.
This scenario requires that the external traffic policy of the ASM ingress gateway is set to Local. For more information about creating an ingress gateway and its configuration items, see Create an ingress gateway.
You can obtain the client IP address of a request sent to the gateway from the downstream_remote_address field in the access log of the gateway. In this example, configure the client IP address that you want to throttle based on your requirements.

In this scenario, you configure a throttling rule for the productpage-route-name1 virtual service route at bf2.example.com:80. The rule specifies that each client IP address is throttled separately, allowing only one request per minute from each client IP.

Create a global-ratelimit-gw.yaml file.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMGlobalRateLimiter
metadata:
  name: global-test
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  rateLimitService:
    host: ratelimit.default.svc.cluster.local
    port: 8081
    timeout:
      seconds: 5
  isGateway: true
  configs:
  - name: productpage
    limit:
      unit: SECOND
      quota: 100000
    target_services:
    - name: bookinfo
      namespace: default
      kind: VirtualService
      port: 80
      section_name: productpage-route-name1
    limit_overrides:
    - request_match:
        remote_address:
          distinct: true # Specifies that different client IP addresses are throttled separately.
      limit:
        unit: MINUTE
        quota: 1

The following table describes some of the fields. For more information about the fields, see ASMGlobalRateLimiter CRD description.

Field	Description
`workloadSelector`	The workload on which the throttling rule takes effect. In this example, global throttling takes effect on the ingressgateway ingress gateway. Set this parameter to `istio: ingressgateway`.
`isGateway`	Specifies whether the rule applies to the gateway. In this example, this parameter is set to `true`.
`rateLimitService`	The domain name, port, and connection timeout of the throttling service. Based on the throttling service deployed in the Preparations section, the configuration is as follows: `host: ratelimit.default.svc.cluster.local port: 8081 timeout: seconds: 5`
`limit`	The throttling configuration parameters that take effect on the virtual service route. In this parameter: `unit` specifies the time unit for throttling detection. `quota` specifies the total number of requests allowed per unit of time. In this example, `unit` is set to `SECOND` and `quota` is set to `100000`. This indicates that 100,000 requests are allowed per second on the matching route. This setting is approximately equal to no throttling configured. It is intended that only requests that meet specified conditions are throttled, and other requests do not need to trigger throttling.
`limit_overrides`	The throttling threshold override configuration. You can use this field to specify a separate throttling threshold for specific requests. In this example: In the `request_match` field: `remote_address.address` is used to match the source IP address of the client request. `remote_address.address.disinct` is set to `true` to enable separate throttling for different client IP addresses. `remote_addess.v4_prefix_mask_len` matches the subnet mask of the source IP address range of the client (optional). In the `limit` field of the `limit_overrides` field, `unit` is set to `MINUTE` and `quota` is set to `1`. This indicates that for requests that meet the conditions specified by `request_match`, only one request is allowed per minute.
`target_services`	The virtual service route configuration that the throttling item matches. In this parameter: `kind` specifies that the throttling rule takes effect on a virtual service route. `namespace` and `name` specify the namespace and name of the virtual service. `port` specifies that the throttling rule takes effect only on traffic routes on port 80. `section_name` specifies that the throttling rule takes effect on the route item named `productpage-route-name1` in the virtual service.

Deploy the global throttling rule.

kubectl apply -f global-ratelimit-gw.yaml

Obtain the configuration of the reconciled global throttling rule.

kubectl get asmglobalratelimiter global-test -n istio-system -o yaml |grep status: -A 50

Expected output:

status:
  config.yaml: |
    descriptors:
    - descriptors:
      - key: remote_address
        rate_limit:
          requests_per_unit: 1
          unit: MINUTE
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[537612397]
    domain: ratelimit.default.svc.cluster.local
  message: ok
  status: successful

Update the config.yaml field in the data section of the ConfigMap from the Preparations section with the output from the previous step.

kubectl edit ConfigMap ratelimit-config

Updated content:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ratelimit-config
data:
  config.yaml: |
    descriptors:
    - descriptors:
      - key: remote_address
        rate_limit:
          requests_per_unit: 1
          unit: MINUTE
      key: generic_key
      rate_limit:
        requests_per_unit: 100000
        unit: SECOND
      value: RateLimit[global-test.istio-system]-Id[537612397]
    domain: ratelimit.default.svc.cluster.local

Access the Bookinfo application twice in a row from different clients.

export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
curl -H 'host: bf2.example.com' http://$GATEWAY_URL:80/productpage -v
curl -H 'host: bf2.example.com' http://$GATEWAY_URL:80/productpage -v

Expected output for the second access:

< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< x-ratelimit-limit: 1, 1;w=60
< x-ratelimit-remaining: 0
< x-ratelimit-reset: 48
< date: Thu, 26 Jul 2025 04:10:11 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 116.62.XXX.XXX left intact

The second request is throttled, which indicates that the global throttling configuration for the ingress gateway is successful.

References

If you want to implement throttling without using a throttling service or in a method that consumes fewer resources, you can configure local throttling in ASM. For more information, see Configure local throttling in Traffic Management Center.
If you want to control and limit inbound traffic directed to services into which sidecar proxies are injected, you can configure global throttling. For more information, see Use ASMGlobalRateLimiter to configure global throttling for ingress gateways and inbound traffic directed to services.