Alibaba Cloud Service Mesh: Configure local throttling for an ingress gateway

Last Updated: Mar 11, 2026

Sudden traffic spikes from events like flash sales can overwhelm backend services. Local throttling lets you limit traffic on the ingress gateway to protect your system.

How local throttling works

Local throttling uses a token bucket algorithm. The quota parameter sets the number of requests allowed within the fill_interval time window. When the bucket is empty, the gateway responds with 429 Too Many Requests until the bucket refills.

| Parameter | Role in the token bucket | Example |
| --- | --- | --- |
| quota | Bucket capacity -- maximum requests per interval | 10 |
| fill_interval | Refill period | 1 second |
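
The token bucket described above, simulated as an added example (not Alibaba Cloud's code; `LocalBucket` and `simulate` are hypothetical names). It assumes the bucket is topped back up to `quota` once per `fill_interval`, and that requests are spread round-robin over gateway replicas, each of which keeps its own local bucket.

```python
# Added illustration: a token bucket with the page's example values.
# Assumption: the bucket holds `quota` tokens and is refilled to `quota`
# once every `fill_interval` seconds; each request costs one token.

class LocalBucket:
    def __init__(self, quota, fill_interval):
        self.quota = quota
        self.fill_interval = fill_interval
        self.tokens = quota
        self.next_fill = fill_interval

    def handle(self, now):
        """Return the HTTP status the gateway would send at time `now`."""
        while now >= self.next_fill:      # apply every refill that is due
            self.tokens = self.quota
            self.next_fill += self.fill_interval
        if self.tokens > 0:
            self.tokens -= 1
            return 200
        return 429                        # bucket empty until the next refill


def simulate(rps, seconds, replicas=1, quota=10, fill_interval=1.0):
    """Send `rps` evenly spaced requests per second for `seconds` seconds,
    round-robin over `replicas` gateway pods (assumed load balancing)."""
    buckets = [LocalBucket(quota, fill_interval) for _ in range(replicas)]
    counts = {200: 0, 429: 0}
    for i in range(rps * seconds):
        status = buckets[i % replicas].handle(i / rps)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    print(simulate(50, 3))              # one gateway replica
    print(simulate(50, 3, replicas=2))  # two replicas, same client load
```

Because the limit is local to each proxy, the aggregate rate admitted to the backend scales with the number of gateway replicas; size `quota` with the replica count in mind.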

Throttling granularity

The ASMLocalRateLimiter custom resource defines throttling rules. Each rule targets a gateway workload and specifies rate limits at one of the following levels:

| Level | Behavior | Use case |
| --- | --- | --- |
| Single route | Limits traffic matching a specific VirtualService route; other routes remain unaffected | Protect a specific backend service |
| Domain and port | Limits all traffic to a host:port pair, regardless of route | Apply a blanket rate limit across all services behind a domain |
| Route with header matching | Limits only requests on a specific route that carry a designated header; other requests pass through | Throttle specific clients or request types based on headers |

Applicable scope

Local throttling applies to ASM gateways and application services with sidecar proxies injected.

Prerequisites

Before you begin, make sure that you have:

The following sections walk through all three throttling levels using the Bookinfo and Nginx sample services.

Scenario diagram

Create the Nginx service

  1. Create an nginx.yaml file with the following content:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 1
      template:
        metadata:
          labels:
            app: nginx
            sidecarset-injected: "true"
        spec:
          containers:
          - name: nginx
            image: nginx:1.14.2
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
    spec:
      ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 80
      selector:
        app: nginx
      type: ClusterIP

  2. Deploy Nginx to the foo namespace:

    kubectl apply -f nginx.yaml -n foo

Gateway YAML

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: bookinfo-gateway
      namespace: default
    spec:
      selector:
        istio: ingressgateway
      servers:
      - hosts:
        - bf2.example.com
        port:
          name: http
          number: 80
          protocol: http

VirtualService YAML

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: bookinfo
      namespace: default
    spec:
      gateways:
      - bookinfo-gateway
      hosts:
      - bf2.example.com
      http:
      - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            exact: /login
        - uri:
            exact: /logout
        - uri:
            prefix: /api/v1/products
        name: productpage-route-name1
        route:
        - destination:
            host: productpage
            port:
              number: 9080
      - match:
        - uri:
            prefix: /nginx
        name: nginx-route-name1
        rewrite:
          uri: /
        route:
        - destination:
            host: nginx.foo.svc.cluster.local
            port:
              number: 80

Throttle a single virtual service route

This configuration throttles the productpage-route-name1 route for bf2.example.com:80. Requests matching /productpage, /static, /login, /logout, and /api/v1/products are rate-limited. The /nginx route remains unaffected.

Create the throttling rule

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling.

  3. Click Create and configure the following parameters:

    | Section | Parameter | Value |
    | --- | --- | --- |
    | Basic throttling information | Namespace | istio-system (all ASM gateways are deployed in this namespace) |
    | | Name | ingressgateway |
    | | Effective workload type | Apply to Gateway |
    | | Associated workload | Select bookinfo-gateway under Select Gateway Rule |
    | Throttling rule list | Gateway domain name | bf2.example.com |
    | | Gateway port | 80 |
    | | Match virtual service route | productpage-route-name1 |
    | Throttling configuration | Time Window For Throttling Detection | 1 second |
    | | Number of requests allowed in the time window | 10 |

  4. (Optional) Expand Show Advanced Settings to customize throttled responses. For example, enter {"ret_code": xxx,"message": "Your request be limited"} in Custom Throttling Response Body.

  5. Click OK.

For parameter details, see ASMLocalRateLimiter CRD reference.

YAML without advanced options

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMLocalRateLimiter
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      configs:
        - limit:
            fill_interval:
              seconds: 1
            quota: 10
          match:
            vhost:
              name: bf2.example.com
              port: 80
              route:
                name_match: productpage-route-name1
      isGateway: true
      workloadSelector:
        labels:
          istio: ingressgateway

YAML with custom response body

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMLocalRateLimiter
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      configs:
        - limit:
            custom_response_body: '{"ret_code": xxx, "message": "Your request be limited" }'
            fill_interval:
              seconds: 1
            quota: 10
          match:
            vhost:
              name: bf2.example.com
              port: 80
              route:
                name_match: productpage-route-name1
      isGateway: true
      workloadSelector:
        labels:
          istio: ingressgateway

Verify that the route is throttled

  1. Generate sustained load against both routes:

    hey -host bf2.example.com -c 10 -n 100000 http://<ASM gateway IP address>/productpage
    hey -host bf2.example.com -c 10 -n 100000 http://<ASM gateway IP address>/nginx

  2. Send a request to the throttled /productpage path:

    curl -H 'host: bf2.example.com' http://<ASM gateway IP address>/productpage -v

    Expected output:

    < HTTP/1.1 429 Too Many Requests
    < Content-Length: 18
    < Content-Type: text/plain
    < Date: Thu, 13 Jan 2022 03:03:09 GMT
    < Server: istio-envoy
    <
    local_rate_limited

    The 429 Too Many Requests response confirms that the Bookinfo service is throttled.

  3. Send a request to the /nginx path:

    curl -H 'host: bf2.example.com' http://<ASM gateway IP address>/nginx -v

    A normal response without a 429 status code confirms that the Nginx route is not affected.

Throttle all routes for a domain and port

This configuration throttles the entire bf2.example.com:80 combination. All routes under this domain and port -- including both /productpage and /nginx -- are rate-limited.

Create the throttling rule

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling.

  3. Click Create and configure the following parameters:

    | Section | Parameter | Value |
    | --- | --- | --- |
    | Basic throttling information | Namespace | istio-system |
    | | Name | ingressgateway |
    | | Effective workload type | Gateway |
    | | Associated workload | Select bookinfo-gateway under Select Gateway Rule |
    | Throttling rule list | Gateway domain name | bf2.example.com |
    | | Gateway port | 80 |
    | | Match virtual service route | Leave blank to match all routes |
    | Throttling configuration | Time Window For Throttling Detection | 1 second |
    | | Number of requests allowed in the time window | 10 |

  4. Click OK.

YAML

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: ASMLocalRateLimiter
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      configs:
        - limit:
            fill_interval:
              seconds: 1
            quota: 10
          match:
            vhost:
              name: bf2.example.com
              port: 80
              route: {}
      isGateway: true
      workloadSelector:
        labels:
          istio: ingressgateway

Verify that all routes are throttled

  1. Generate sustained load:

    hey -host bf2.example.com -c 10 -n 100000 http://<ASM gateway IP address>/nginx

  2. Send a request to the /nginx path:

    curl -H 'host: bf2.example.com' http://<ASM gateway IP address>/nginx -v

    A 429 Too Many Requests response confirms that all routes under bf2.example.com:80 are throttled.

Throttle requests with a specific header on a single route

This configuration throttles the nginx-route-name1 route for bf2.example.com:80, but only for requests that carry the ratelimit: true header. Requests without this header pass through normally.

Create the throttling rule

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling.

  3. Click Create and configure the following parameters:

    | Section | Parameter | Value |
    | --- | --- | --- |
    | Basic throttling information | Namespace | istio-system |
    | | Name | ingressgateway |
    | | Effective workload type | Applicable Gateway |
    | | Associated workload | Select bookinfo-gateway under Select Gateway Rule |
    | Throttling rule list | Gateway domain name | bf2.example.com |
    | | Gateway port | 80 |
    | | Match virtual service route | nginx-route-name1 |
    | Match request properties | Match Attribute | Specific Request Header |
    | | Request Header Name | ratelimit |
    | | Matching Method | Exact Match |
    | | Matched Content | true |
    | Throttling configuration | Time Window For Throttling Detection | 1 second |
    | | Number of requests allowed in the time window | 10 |

  4. Click OK.

YAML

    apiVersion: istio.alibabacloud.com/v1
    kind: ASMLocalRateLimiter
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      configs:
        - limit:
            fill_interval:
              seconds: 1
            quota: 10
          match:
            vhost:
              name: bf2.example.com
              port: 80
              route:
                header_match:
                  - exact_match: 'true'
                    invert_match: false
                    name: ratelimit
                name_match: nginx-route-name1
      isGateway: true
      workloadSelector:
        labels:
          istio: ingressgateway

Verify that header-based throttling is applied

  1. Generate sustained load with the ratelimit: true header:

    hey -host bf2.example.com -H 'ratelimit: true' -c 10 -n 10000 http://<ASM gateway IP address>/nginx

  2. Send a request with the header:

    curl -H 'host: bf2.example.com' -H 'ratelimit: true' http://<ASM gateway IP address>/nginx -v

    A 429 Too Many Requests response confirms that requests carrying the ratelimit: true header are throttled.

  3. Send a request without the header:

    curl -H 'host: bf2.example.com' http://<ASM gateway IP address>/nginx -v

    A normal response without a 429 status code confirms that requests without the header are not affected.
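
To compare what each of the three rule shapes on this page covers, the following added example (not ASM's implementation; `rule_applies`, `coverage` and the request dicts are hypothetical) evaluates their `match.vhost` blocks against sample requests. It assumes exact host and port matching, case-insensitive header names, case-sensitive `exact_match` values, and that `invert_match` negates the header test.

```python
# Added illustration. RULES copies the `match.vhost` block of the three
# ASMLocalRateLimiter manifests on this page; everything else is constructed.
RULES = {
    "single route": {"name": "bf2.example.com", "port": 80,
                     "route": {"name_match": "productpage-route-name1"}},
    "domain and port": {"name": "bf2.example.com", "port": 80, "route": {}},
    "route + header": {"name": "bf2.example.com", "port": 80,
                       "route": {"name_match": "nginx-route-name1",
                                 "header_match": [{"name": "ratelimit",
                                                   "exact_match": "true",
                                                   "invert_match": False}]}},
}


def rule_applies(vhost, request):
    """True if `request` would consume a token from this rule's bucket."""
    if (request["host"], request["port"]) != (vhost["name"], vhost["port"]):
        return False
    route = vhost.get("route") or {}          # `route: {}` matches every route
    name = route.get("name_match")
    if name is not None and request["route"] != name:
        return False
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for hm in route.get("header_match", []):
        hit = headers.get(hm["name"].lower()) == hm["exact_match"]
        if hit == hm.get("invert_match", False):   # every matcher must pass
            return False
    return True


def coverage(request):
    """Names of the page's rules that would throttle `request`."""
    return [n for n, vhost in RULES.items() if rule_applies(vhost, request)]


def req(route, headers=None):
    """Constructed sample request, already resolved to a VirtualService route."""
    return {"host": "bf2.example.com", "port": 80,
            "route": route, "headers": headers or {}}


if __name__ == "__main__":
    print(coverage(req("productpage-route-name1")))
    print(coverage(req("nginx-route-name1", {"ratelimit": "true"})))
    print(coverage(req("nginx-route-name1")))
```

Under these assumptions a request carrying `ratelimit: True` is not counted by the header rule, since the value must match `true` exactly.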

Delete a throttling rule

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling.

  3. Find the target throttling rule and click Delete in the Actions column. In the Confirm dialog box, click OK.

  4. Verify that throttling is removed:

    curl -H 'host: bf2.example.com' http://<ASM gateway IP address>/nginx -v

    A normal response without a 429 status code confirms that the throttling rule has been removed.
