To protect your services from traffic spikes, overloads, resource exhaustion, or malicious attacks, configure local throttling in the traffic management center. This feature keeps traffic within a controllable threshold, ensuring service availability and stable performance. Local throttling is implemented by the Envoy proxy, which uses a token bucket algorithm to control the request rate to your services. This algorithm adds tokens to a bucket at a regular interval. Each request consumes one token. When the bucket runs out of tokens, new requests are temporarily rejected, effectively preventing the service from being overwhelmed.
Prerequisites
-
An ASM instance is created and meets the following requirements:
-
For ASM Enterprise Edition (Professional or Ultimate), the instance version must be 1.14.3 or later. For more information about how to upgrade an ASM instance, see Upgrade an ASM instance.
-
For ASM Standard Edition, the instance version must be 1.9 or later. You can only use the native Istio method to configure local throttling. The documentation varies based on the Istio version. For the latest information, see the Istio documentation Enabling Rate Limits using Envoy.
-
-
Automatic sidecar proxy injection is enabled for the
defaultnamespace in the Kubernetes cluster. For more information, see Enable automatic sidecar proxy injection. -
The httpbin and sleep sample services are deployed, and the sleep service can access the httpbin service. For more information, see Deploy the httpbin application.
Scenario 1: Apply throttling to a service port
This scenario shows how to apply local throttling to port 8000 of the httpbin service. Once configured, the rule applies to all requests sent to this specific port.
-
Create a local throttling rule.
-
Log on to the ASM console. In the left-side navigation pane, choose .
-
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create.
-
On the Create page, configure the parameters and click OK.
Section
Parameter
Description
Basic Information About Throttling
Namespace
The namespace where the workload affected by local throttling resides. In this example, select default.
Name
A custom name for the local throttling configuration. In this example, enter httpbin.
Type of Effective Workload
The type of workload to which the throttling rule applies. Valid values: Application Service and Gateway. In this example, select Applicable Application.
Relevant Workload
Enter a set of label key-value pairs to select a specific workload. In this example, set Label Name to app and Label Value to httpbin.
List of Throttling Rules
Service Port
The port number declared in the Kubernetes Service of the service. This must be an HTTP port. In this example, enter the HTTP port 8000 of the httpbin service.
Throttling Configuration
Specify the time window and the maximum number of requests allowed within that window for the token bucket algorithm. If the number of requests sent within the time window exceeds this limit, subsequent requests are throttled. This example uses the following configuration:
-
Set Time Window for Throttling Detection to 60s.
-
Set Allowed requests in window to 10.
This configuration limits the service workload to a maximum of 10 requests in any 60-second window.
The following YAML file is an example of the local throttling configuration.
-
-
-
Verify the local throttling rule.
-
Run the following command to start a bash session in the sleep container:
kubectl exec -it deploy/sleep -- sh -
Run the following command to send 10 requests:
for i in $(seq 1 10); do curl -v http://httpbin:8000/headers; done -
Run the following command to send an 11th request:
curl -v http://httpbin:8000/headersExpected output:
* Trying 172.16.245.130:8000... * Connected to httpbin (172.16.245.130) port 8000 > GET /headers HTTP/1.1 > Host: httpbin:8000 > User-Agent: curl/8.5.0 > Accept: */* > < HTTP/1.1 429 Too Many Requests < x-local-rate-limit: true < content-length: 18 < content-type: text/plain < date: Tue, 26 Dec 2023 08:02:58 GMT < server: envoy < x-envoy-upstream-service-time: 2The output shows an HTTP 429 status code, which indicates that the request was throttled.
-
Scenario 2: Apply throttling to a request path
This scenario shows how to apply local throttling to requests sent to the /headers path on port 8000 of the httpbin service. Once configured, the rule applies only to requests matching this specific path and port.
-
Create a local throttling rule.
-
Log on to the ASM console. In the left-side navigation pane, choose .
-
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create.
-
On the Create page, configure the parameters and click OK.
Section
Parameter
Description
Basic Information About Throttling
Namespace
The namespace where the workload affected by local throttling resides. In this example, select default.
Name
A custom name for the local throttling configuration. In this example, enter httpbin.
Type of Effective Workload
The type of workload to which the throttling rule applies. Valid values: Application Service and Gateway. In this example, select Applicable Application.
Relevant Workload
Enter a set of label key-value pairs to select a specific workload. In this example, set Label Name to app and Label Value to httpbin.
List of Throttling Rules
Service Port
The port number declared in the Kubernetes Service of the service. This must be an HTTP port. In this example, enter the HTTP port 8000 of the httpbin service.
Match Request Attributes
Define the matching conditions for requests. The rule is applied only to requests that match these conditions. This example uses the following configuration:
-
Set Matched Attributes to Request Path.
-
Set Matching Method to Prefix Match.
-
Set Matched Content to
/headers.
Throttling Configuration
Specify the time window and the maximum number of requests allowed within that window for the token bucket algorithm. If the number of requests sent within the time window exceeds this limit, subsequent requests are throttled. This example uses the following configuration:
-
Set Time Window for Throttling Detection to 60s.
-
Set Allowed requests in window to 10.
This configuration limits the service workload to a maximum of 10 requests in any 60-second window.
-
-
-
Verify the local throttling rule.
-
Run the following command to start a bash session in the sleep container:
kubectl exec -it deploy/sleep -- sh -
Run the following command to send 10 requests:
for i in $(seq 1 10); do curl -v http://httpbin:8000/headers; done -
Run the following command to send an 11th request:
curl -v http://httpbin:8000/headersExpected output:
* Trying 172.16.245.130:8000... * Connected to httpbin (172.16.245.130) port 8000 > GET /headers HTTP/1.1 > Host: httpbin:8000 > User-Agent: curl/8.5.0 > Accept: */* > < HTTP/1.1 429 Too Many Requests < x-local-rate-limit: true < content-length: 18 < content-type: text/plain < date: Tue, 26 Dec 2023 08:02:58 GMT < server: envoy < x-envoy-upstream-service-time: 2The output shows an HTTP 429 status code, which indicates that the request was throttled.
-
Run the following command to send a request to the
/getpath of the httpbin service:curl -v http://httpbin:8000/getExpected output:
* Trying 192.168.243.21:8000... * Connected to httpbin (192.168.243.21) port 8000 (#0) > GET /get HTTP/1.1 > Host: httpbin:8000 > User-Agent: curl/8.1.2 > Accept: */* > < HTTP/1.1 200 OK < server: envoy < date: Thu, 11 Jan 2024 03:46:11 GMT < content-type: application/json < content-length: 431 < access-control-allow-origin: * < access-control-allow-credentials: true < x-envoy-upstream-service-time: 1 < { "args": {}, "headers": { "Accept": "*/*", "Host": "httpbin:8000", "User-Agent": "curl/8.1.2", "X-Envoy-Attempt-Count": "1", "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=be10819991ba1a354a89e68b3bed1553c12a4fba8b65fbe0f16299d552680b29;Subject=\"\";URI=spiffe://cluster.local/ns/default/sa/sleep" }, "origin": "127.0.0.6", "url": "http://httpbin:8000/get" }The output shows a 200 OK status code. This confirms that requests to other paths of the httpbin service are not affected by the throttling rule.
-
Related operations
View local throttling metrics
The local throttling feature generates the following metrics:
|
Metric |
Description |
|
envoy_http_local_rate_limiter_http_local_rate_limit_enabled |
Total number of requests that triggered the rate limit filter. |
|
envoy_http_local_rate_limiter_http_local_rate_limit_ok |
Total number of requests that were allowed because a token was available. |
|
envoy_http_local_rate_limiter_http_local_rate_limit_rate_limited |
Total number of requests that were flagged for throttling because a token was unavailable. This does not mean the request was rejected. |
|
envoy_http_local_rate_limiter_http_local_rate_limit_enforced |
Total number of requests that were throttled, for example, returned a 429 response. |
Configure the proxyStatsMatcher setting on the sidecar proxy to report these metrics. Then, you can use Prometheus to collect and view them.
-
Configure the sidecar proxy to report throttling metrics by using
proxyStatsMatcher.When you configure
proxyStatsMatcher, select Regular Expression Match and set it to.*http_local_rate_limit.*. Alternatively, click Add Local Throttling Metrics. For more information, see proxyStatsMatcher. -
Redeploy the httpbin service. For more information, see Redeploy workloads.
-
Complete the local throttling configuration and send test requests as described in Scenario 1 or Scenario 2.
-
Run the following command to view the local throttling metrics for the httpbin service:
kubectl exec -it deploy/httpbin -c istio-proxy -- curl localhost:15020/stats/prometheus|grep http_local_rate_limitExpected output:
envoy_http_local_rate_limiter_http_local_rate_limit_enabled{} 37 envoy_http_local_rate_limiter_http_local_rate_limit_enforced{} 17 envoy_http_local_rate_limiter_http_local_rate_limit_ok{} 20 envoy_http_local_rate_limiter_http_local_rate_limit_rate_limited{} 17
Configure metric collection and alerts
After you configure metric reporting, you can set up metric collection in Prometheus and create alert rules based on key metrics to receive timely notifications when throttling occurs. The following example uses Managed Service for Prometheus.
-
In Managed Service for Prometheus, add the Alibaba Cloud ASM component to your data plane cluster or upgrade it to the latest version. This ensures that Managed Service for Prometheus can scrape the exposed local throttling metrics. For more information, see Integration management. If you have already integrated a self-managed Prometheus instance to collect service mesh metrics, you do not need to perform this step. For more information, see Integrate a self-managed Prometheus instance for mesh monitoring.
-
Create an alert rule for local throttling. For more information, see Create a Prometheus alert rule by using a custom PromQL query. The following table provides an example of how to configure the key parameters. You can configure the other parameters based on your requirements.
Parameter
Example
Description
Custom PromQL query
(sum by(namespace, pod_name) (increase(envoy_http_local_rate_limiter_http_local_rate_limit_enforced[1m]))) > 0
This PromQL query uses the
increasefunction to find the number of throttled requests over the last minute, grouped by the pod's namespace and name. An alert is triggered if the number of throttled requests in one minute is greater than 0.Alert message
Local throttling has occurred! Namespace: {{$labels.namespace}}, Pod: {{$labels.pod_name}}. Throttled requests in the last 1 minute: {{ $value }}
The content of the alert notification. This example message includes the namespace and name of the pod that triggered the alert, as well as the number of requests that were throttled in the last minute.
FAQ
Why is my throttling rule not working?
Incorrect service protocol
Local throttling supports only the HTTP protocol. Before you configure a throttling rule, ensure that your service communicates over HTTP or an application-layer protocol built on HTTP, such as gRPC or Dubbo3.
In addition, you must define the service's protocol correctly so that the service mesh can accurately identify it. For more information, see How to correctly define the protocol type for a service.
Sidecar CRD impact on inbound traffic
By default, the service mesh automatically configures an inbound traffic listener for the sidecar proxy based on the port declarations in the Service definition. Both local throttling and global rate limiting rely on this default behavior.
You might use a Sidecar custom resource definition (CRD) to modify the service's default inbound traffic configuration, for example, to allow other pods to access an application that listens on localhost. For more information, see How to expose a localhost application to other pods.
In this case, because the default listener is modified, specifying the Kubernetes Service port in the local throttling rule will not work. You must instead set the Service Port in the local throttling rule to the actual inbound port specified in the Sidecar CRD.
For example, if you configure the following Sidecar CRD for the httpbin service while trying to apply local throttling to port 8000:
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: localhost-access
namespace: default
spec:
ingress:
- defaultEndpoint: '127.0.0.1:80'
port:
name: http
number: 80
protocol: HTTP
workloadSelector:
labels:
app: httpbin
When you create the local throttling rule, you must set the Service Port to 80, not 8000.
Related documents
-
If your ASM instance is version 1.19.0 or later, you can use the
limit_overridesfield in theASMLocalRateLimiterYAML to match requests based on other attributes, such as query parameters. For more information, see ASMLocalRateLimiter CRD reference. -
Use the
ASMGlobalRateLimiterCRD to configure global rate limiting for ingress gateways and application service traffic. For more information, see Configure global rate limiting for application services by using ASMGlobalRateLimiter. -
Configure local throttling or global rate limiting for an ingress gateway in the ASM console. For more information, see Configure local throttling for an ingress gateway and Configure global rate limiting for an ingress gateway.
-
Use the warm-up feature to gradually increase the request volume over a specified period, which helps prevent issues like request timeouts and data loss. For more information, see Use the ASM warm-up feature.
-
Configure a connection pool to implement circuit breaking, which protects your system from further damage during a failure or overload. For more information, see Configure a connection pool to implement circuit breaking.