All Products
Search
Document Center

Alibaba Cloud Service Mesh:Configure local throttling

Last Updated:Jun 20, 2026

To protect your services from traffic spikes, overloads, resource exhaustion, or malicious attacks, configure local throttling in the traffic management center. This feature keeps traffic within a controllable threshold, ensuring service availability and stable performance. Local throttling is implemented by the Envoy proxy, which uses a token bucket algorithm to control the request rate to your services. This algorithm adds tokens to a bucket at a regular interval. Each request consumes one token. When the bucket runs out of tokens, new requests are temporarily rejected, effectively preventing the service from being overwhelmed.

Prerequisites

  • An ASM instance is created and meets the following requirements:

    • For ASM Enterprise Edition (Professional or Ultimate), the instance version must be 1.14.3 or later. For more information about how to upgrade an ASM instance, see Upgrade an ASM instance.

    • For ASM Standard Edition, the instance version must be 1.9 or later. You can only use the native Istio method to configure local throttling. The documentation varies based on the Istio version. For the latest information, see the Istio documentation Enabling Rate Limits using Envoy.

  • Automatic sidecar proxy injection is enabled for the default namespace in the Kubernetes cluster. For more information, see Enable automatic sidecar proxy injection.

  • The httpbin and sleep sample services are deployed, and the sleep service can access the httpbin service. For more information, see Deploy the httpbin application.

Scenario 1: Apply throttling to a service port

This scenario shows how to apply local throttling to port 8000 of the httpbin service. Once configured, the rule applies to all requests sent to this specific port.

  1. Create a local throttling rule.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling. On the page that appears, click Create.

    3. On the Create page, configure the parameters and click OK.

      Section

      Parameter

      Description

      Basic Information About Throttling

      Namespace

      The namespace where the workload affected by local throttling resides. In this example, select default.

      Name

      A custom name for the local throttling configuration. In this example, enter httpbin.

      Type of Effective Workload

      The type of workload to which the throttling rule applies. Valid values: Application Service and Gateway. In this example, select Applicable Application.

      Relevant Workload

      Enter a set of label key-value pairs to select a specific workload. In this example, set Label Name to app and Label Value to httpbin.

      List of Throttling Rules

      Service Port

      The port number declared in the Kubernetes Service of the service. This must be an HTTP port. In this example, enter the HTTP port 8000 of the httpbin service.

      Throttling Configuration

      Specify the time window and the maximum number of requests allowed within that window for the token bucket algorithm. If the number of requests sent within the time window exceeds this limit, subsequent requests are throttled. This example uses the following configuration:

      • Set Time Window for Throttling Detection to 60s.

      • Set Allowed requests in window to 10.

      This configuration limits the service workload to a maximum of 10 requests in any 60-second window.

      The following YAML file is an example of the local throttling configuration.

      Local throttling configuration YAML

      apiVersion: istio.alibabacloud.com/v1beta1
      kind: ASMLocalRateLimiter
      metadata:
        name: httpbin
        namespace: default
      spec:
        configs:
          - limit:
              fill_interval:
                seconds: 60
              quota: 10
            match:
              vhost:
                name: '*'
                port: 8000
                route:
                  header_match:
                    - invert_match: false
                      name: ':path'
                      prefix_match: /
        isGateway: false
        workloadSelector:
          labels:
            app: httpbin
  2. Verify the local throttling rule.

    1. Run the following command to start a bash session in the sleep container:

      kubectl exec -it deploy/sleep -- sh
    2. Run the following command to send 10 requests:

      for i in $(seq 1 10); do curl -v http://httpbin:8000/headers; done
    3. Run the following command to send an 11th request:

      curl -v http://httpbin:8000/headers

      Expected output:

      *   Trying 172.16.245.130:8000...
      * Connected to httpbin (172.16.245.130) port 8000
      > GET /headers HTTP/1.1
      > Host: httpbin:8000
      > User-Agent: curl/8.5.0
      > Accept: */*
      >
      < HTTP/1.1 429 Too Many Requests
      < x-local-rate-limit: true
      < content-length: 18
      < content-type: text/plain
      < date: Tue, 26 Dec 2023 08:02:58 GMT
      < server: envoy
      < x-envoy-upstream-service-time: 2

      The output shows an HTTP 429 status code, which indicates that the request was throttled.

Scenario 2: Apply throttling to a request path

This scenario shows how to apply local throttling to requests sent to the /headers path on port 8000 of the httpbin service. Once configured, the rule applies only to requests matching this specific path and port.

  1. Create a local throttling rule.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > Traffic Protection and Scheduling. On the page that appears, click Create.

    3. On the Create page, configure the parameters and click OK.

      Section

      Parameter

      Description

      Basic Information About Throttling

      Namespace

      The namespace where the workload affected by local throttling resides. In this example, select default.

      Name

      A custom name for the local throttling configuration. In this example, enter httpbin.

      Type of Effective Workload

      The type of workload to which the throttling rule applies. Valid values: Application Service and Gateway. In this example, select Applicable Application.

      Relevant Workload

      Enter a set of label key-value pairs to select a specific workload. In this example, set Label Name to app and Label Value to httpbin.

      List of Throttling Rules

      Service Port

      The port number declared in the Kubernetes Service of the service. This must be an HTTP port. In this example, enter the HTTP port 8000 of the httpbin service.

      Match Request Attributes

      Define the matching conditions for requests. The rule is applied only to requests that match these conditions. This example uses the following configuration:

      • Set Matched Attributes to Request Path.

      • Set Matching Method to Prefix Match.

      • Set Matched Content to /headers.

      Throttling Configuration

      Specify the time window and the maximum number of requests allowed within that window for the token bucket algorithm. If the number of requests sent within the time window exceeds this limit, subsequent requests are throttled. This example uses the following configuration:

      • Set Time Window for Throttling Detection to 60s.

      • Set Allowed requests in window to 10.

      This configuration limits the service workload to a maximum of 10 requests in any 60-second window.

  2. Verify the local throttling rule.

    1. Run the following command to start a bash session in the sleep container:

      kubectl exec -it deploy/sleep -- sh
    2. Run the following command to send 10 requests:

      for i in $(seq 1 10); do curl -v http://httpbin:8000/headers; done
    3. Run the following command to send an 11th request:

      curl -v http://httpbin:8000/headers

      Expected output:

      *   Trying 172.16.245.130:8000...
      * Connected to httpbin (172.16.245.130) port 8000
      > GET /headers HTTP/1.1
      > Host: httpbin:8000
      > User-Agent: curl/8.5.0
      > Accept: */*
      >
      < HTTP/1.1 429 Too Many Requests
      < x-local-rate-limit: true
      < content-length: 18
      < content-type: text/plain
      < date: Tue, 26 Dec 2023 08:02:58 GMT
      < server: envoy
      < x-envoy-upstream-service-time: 2

      The output shows an HTTP 429 status code, which indicates that the request was throttled.

    4. Run the following command to send a request to the /get path of the httpbin service:

      curl -v http://httpbin:8000/get

      Expected output:

      *   Trying 192.168.243.21:8000...
      * Connected to httpbin (192.168.243.21) port 8000 (#0)
      > GET /get HTTP/1.1
      > Host: httpbin:8000
      > User-Agent: curl/8.1.2
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < server: envoy
      < date: Thu, 11 Jan 2024 03:46:11 GMT
      < content-type: application/json
      < content-length: 431
      < access-control-allow-origin: *
      < access-control-allow-credentials: true
      < x-envoy-upstream-service-time: 1
      <
      {
        "args": {},
        "headers": {
          "Accept": "*/*",
          "Host": "httpbin:8000",
          "User-Agent": "curl/8.1.2",
          "X-Envoy-Attempt-Count": "1",
          "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=be10819991ba1a354a89e68b3bed1553c12a4fba8b65fbe0f16299d552680b29;Subject=\"\";URI=spiffe://cluster.local/ns/default/sa/sleep"
        },
        "origin": "127.0.0.6",
        "url": "http://httpbin:8000/get"
      }

      The output shows a 200 OK status code. This confirms that requests to other paths of the httpbin service are not affected by the throttling rule.

Related operations

View local throttling metrics

The local throttling feature generates the following metrics:

Metric

Description

envoy_http_local_rate_limiter_http_local_rate_limit_enabled

Total number of requests that triggered the rate limit filter.

envoy_http_local_rate_limiter_http_local_rate_limit_ok

Total number of requests that were allowed because a token was available.

envoy_http_local_rate_limiter_http_local_rate_limit_rate_limited

Total number of requests that were flagged for throttling because a token was unavailable. This does not mean the request was rejected.

envoy_http_local_rate_limiter_http_local_rate_limit_enforced

Total number of requests that were throttled, for example, returned a 429 response.

Configure the proxyStatsMatcher setting on the sidecar proxy to report these metrics. Then, you can use Prometheus to collect and view them.

  1. Configure the sidecar proxy to report throttling metrics by using proxyStatsMatcher.

    When you configure proxyStatsMatcher, select Regular Expression Match and set it to .*http_local_rate_limit.*. Alternatively, click Add Local Throttling Metrics. For more information, see proxyStatsMatcher.

  2. Redeploy the httpbin service. For more information, see Redeploy workloads.

  3. Complete the local throttling configuration and send test requests as described in Scenario 1 or Scenario 2.

  4. Run the following command to view the local throttling metrics for the httpbin service:

    kubectl exec -it deploy/httpbin -c istio-proxy -- curl localhost:15020/stats/prometheus|grep http_local_rate_limit

    Expected output:

    envoy_http_local_rate_limiter_http_local_rate_limit_enabled{} 37
    envoy_http_local_rate_limiter_http_local_rate_limit_enforced{} 17
    envoy_http_local_rate_limiter_http_local_rate_limit_ok{} 20
    envoy_http_local_rate_limiter_http_local_rate_limit_rate_limited{} 17

Configure metric collection and alerts

After you configure metric reporting, you can set up metric collection in Prometheus and create alert rules based on key metrics to receive timely notifications when throttling occurs. The following example uses Managed Service for Prometheus.

  1. In Managed Service for Prometheus, add the Alibaba Cloud ASM component to your data plane cluster or upgrade it to the latest version. This ensures that Managed Service for Prometheus can scrape the exposed local throttling metrics. For more information, see Integration management. If you have already integrated a self-managed Prometheus instance to collect service mesh metrics, you do not need to perform this step. For more information, see Integrate a self-managed Prometheus instance for mesh monitoring.

  2. Create an alert rule for local throttling. For more information, see Create a Prometheus alert rule by using a custom PromQL query. The following table provides an example of how to configure the key parameters. You can configure the other parameters based on your requirements.

    Parameter

    Example

    Description

    Custom PromQL query

    (sum by(namespace, pod_name) (increase(envoy_http_local_rate_limiter_http_local_rate_limit_enforced[1m]))) > 0

    This PromQL query uses the increase function to find the number of throttled requests over the last minute, grouped by the pod's namespace and name. An alert is triggered if the number of throttled requests in one minute is greater than 0.

    Alert message

    Local throttling has occurred! Namespace: {{$labels.namespace}}, Pod: {{$labels.pod_name}}. Throttled requests in the last 1 minute: {{ $value }}

    The content of the alert notification. This example message includes the namespace and name of the pod that triggered the alert, as well as the number of requests that were throttled in the last minute.

FAQ

Why is my throttling rule not working?

Incorrect service protocol

Local throttling supports only the HTTP protocol. Before you configure a throttling rule, ensure that your service communicates over HTTP or an application-layer protocol built on HTTP, such as gRPC or Dubbo3.

In addition, you must define the service's protocol correctly so that the service mesh can accurately identify it. For more information, see How to correctly define the protocol type for a service.

Sidecar CRD impact on inbound traffic

By default, the service mesh automatically configures an inbound traffic listener for the sidecar proxy based on the port declarations in the Service definition. Both local throttling and global rate limiting rely on this default behavior.

You might use a Sidecar custom resource definition (CRD) to modify the service's default inbound traffic configuration, for example, to allow other pods to access an application that listens on localhost. For more information, see How to expose a localhost application to other pods.

In this case, because the default listener is modified, specifying the Kubernetes Service port in the local throttling rule will not work. You must instead set the Service Port in the local throttling rule to the actual inbound port specified in the Sidecar CRD.

For example, if you configure the following Sidecar CRD for the httpbin service while trying to apply local throttling to port 8000:

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: localhost-access
  namespace: default
spec:
  ingress:
    - defaultEndpoint: '127.0.0.1:80'
      port:
        name: http
        number: 80
        protocol: HTTP
  workloadSelector:
    labels:
      app: httpbin

When you create the local throttling rule, you must set the Service Port to 80, not 8000.

Related documents