
Microservices Engine: Create a hot parameter throttling rule for HTTP requests

Last Updated: Nov 18, 2024

Microservices Engine (MSE) supports hot parameter throttling rules for HTTP requests. These rules apply fine-grained throttling to specific parameters of the HTTP requests sent to applications that provide web services. For applications that use mainstream web frameworks such as Servlet containers, Spring Web, and Spring Boot, MSE parses the parameters of API requests and throttles resource calls based on dimensions such as the source IP address, hostname, request headers, and request parameters. This ensures the stability of your business and system. This topic describes how to create a hot parameter throttling rule for HTTP requests for an application.

Note

Hot parameter throttling rules for HTTP requests were formerly known as web application protection rules.

Background information

When you provide web services, you can create throttling rules for API requests to protect your applications. You can also throttle resource calls based on dimensions such as the source IP address and request parameters to protect your business applications in various scenarios. For example, in a web service scenario with a large amount of traffic, you need to throttle API requests, especially for the source IP addresses or product IDs that are accessed most frequently. Examples:

  • Access to the IDs of the most frequently purchased products in a period of time is restricted to prevent a large number of requests from being sent to a database due to cache breakdowns.

  • Access from the IP addresses that frequently send requests in a period of time is restricted to prevent brushing, that is, abusive bulk requests.

Procedure

  1. Log on to the MSE console, and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Governance > Application Governance.

  3. On the Application list page, click the resource card of the destination application.

  4. On the details page of the application, click API Details in the left-side pane. On the WEB service tab of the page that appears, click the Hotspot Parameter Protection (HTTP Requests) tab. On the Hotspot Parameter Protection (HTTP Requests) tab, click New Hotspot Parameter Protection (HTTP Requests).

  5. In the New Hotspot Parameter Protection (HTTP Requests) dialog box, configure the parameters and click New.

    For more information about the parameters, see the Parameters section of this topic.

  6. Find the rule that you created in the rule list and click Enable in the Status column.

  7. In the Tips message, click OK.

Scenario 1: Flash sales of hot products

In scenarios such as flash sales, the system may fail to respond immediately or even stop responding due to a large amount of traffic. To ensure system stability, you can create a hot parameter throttling rule. If the specified threshold is exceeded, the system rejects the excess requests to access the hot products.

For example, if you want to specify that the system processes a maximum of 100 requests to access a product per second, you can configure the following rule information in the New Hotspot Parameter Protection (HTTP Requests) dialog box. After the rule is created, the system processes a maximum of 100 requests to access each product per second. In this case, the system rejects the excess requests to access each product and returns custom information.

  • Set the Parameter Properties parameter to URL Parameter.

    Note

    When you configure the Parameter Properties parameter, select the parameter that specifies the hot product ID. For example, if the stockId parameter specifies the product ID, you can select URL Parameter and enter stockId in the URL Parameter Name field.

  • Enter stockId in the URL Parameter Name field.

  • Set the Threshold parameter to 100 requests per second.

  • Set the Flow Control Method parameter to Fast failure.

Scenario 2: Prevention of malicious brushing

For example, if a large number of malicious brushing requests occur during a promotion, large amounts of product inventory or server resources are occupied. In this case, the system can queue requests based on the source IP address and process the requests at a constant speed to prevent excess requests from affecting service stability.

To create a hot parameter throttling rule, configure the following rule information in the New Hotspot Parameter Protection (HTTP Requests) dialog box. After the rule is created, the system processes one API request from each IP address every 10 milliseconds and queues the excess requests. The blocked requests immediately fail if they are queued for more than 30 milliseconds.

  • Set the Parameter Properties parameter to Client IP.

  • By default, Number of requests is selected for the Threshold Type parameter.

  • Set the Threshold parameter to 100 requests per second.

  • Set the Flow Control Method parameter to Waiting in line.

  • Set the Timeout parameter to 30. Unit: millisecond.

  • Turn on Whether to open.
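The two scenarios above, modelled as an added example (not MSE's code and not part of the original page): one rule keeps separate counters per parameter value, rejecting at once in Fast failure mode and handing out evenly spaced slots in Waiting in line mode. The class and function names, the one-second counting window, the way burst is added to the threshold, and the stockId values and IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

class HotParamThrottle:
    """Hypothetical model of one rule; state is kept per parameter value."""
    def __init__(self, threshold, mode, timeout_ms=0, burst=0):
        self.threshold = threshold           # allowed requests per second, per value
        self.mode = mode                     # "fast_failure" or "waiting_in_line"
        self.timeout_ms = timeout_ms         # maximum queuing time (waiting_in_line)
        self.burst = burst                   # extra requests allowed (fast_failure)
        self.interval_ms = 1000 / threshold  # pacing gap: 100 per second -> 10 ms
        self.window = defaultdict(lambda: [-1, 0])  # value -> [second, count]
        self.next_slot = defaultdict(float)         # value -> next free slot in ms

    def check(self, value, now_ms):
        """Return (allowed, wait_ms) for one request carrying `value`."""
        if self.mode == "fast_failure":
            # Assumption: fixed one-second window, burst added to the threshold.
            sec = now_ms // 1000
            state = self.window[value]
            if state[0] != sec:              # first request of a new second
                state[0], state[1] = sec, 0
            if state[1] >= self.threshold + self.burst:
                return False, 0              # rejected at once (429 by default)
            state[1] += 1
            return True, 0
        # Waiting in line: estimate the queuing time before accepting the request.
        slot = max(now_ms, self.next_slot[value])
        wait = slot - now_ms
        if wait > self.timeout_ms:
            return False, 0                  # estimate exceeds timeout: never queued
        self.next_slot[value] = slot + self.interval_ms
        return True, wait

def replay(throttle, requests):
    """Replay (now_ms, value) pairs; return {value: (passed, rejected)}."""
    totals = defaultdict(lambda: [0, 0])
    for now_ms, value in requests:
        allowed, _ = throttle.check(value, now_ms)
        totals[value][0 if allowed else 1] += 1
    return {k: tuple(v) for k, v in totals.items()}

# Scenario 1, constructed traffic: 150 hits on one stockId and 5 on another, same second.
flash = replay(HotParamThrottle(100, "fast_failure"),
               [(i, "stockId=1001") for i in range(150)]
               + [(i, "stockId=2002") for i in range(5)])
# Scenario 2, constructed traffic: 10 simultaneous requests from one IP, 1 from another.
brush = replay(HotParamThrottle(100, "waiting_in_line", timeout_ms=30),
               [(0, "203.0.113.7")] * 10 + [(0, "198.51.100.9")])
print(flash, brush)
```

In this model, a 100 requests per second threshold with a 30 ms timeout lets one IP address hold at most four requests at a time (waits of 0, 10, 20, and 30 ms), and a fifth simultaneous request fails immediately. Other IP addresses and other stockId values are unaffected because each value has its own state.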

Parameters

The following table describes the parameters that you can configure in the New Hotspot Parameter Protection (HTTP Requests) dialog box.

Parameter

Description

Configure Protection Rule

Parameter Properties

The parameter of the API request to which you want to apply the rule.

  • Client IP: the IP address of the client from which the request is sent.

    Note

    If the request is distributed by a proxy, the system first attempts to obtain the IP address from the X-Forwarded-For request header. If the IP address exists, the system uses the IP address as the actual client IP address.

  • Remote Host: the hostname of the client from which the request is sent.

  • Header: the HTTP headers of the request. After you specify a header, the rule applies to the hot values of the header. If you select Header, you can configure a matching mode for the values of request parameters. Only values that match the specified mode are collected in statistics and throttled.

  • URL Parameters: the request parameters in the request body. You must specify the name of a request parameter. If you select URL Parameters, you can configure a matching mode for the values of request parameters. Only values that match the specified mode are collected in statistics and throttled.

(Optional) Match Pattern and Match String

If you select Header or URL Parameters for Parameter Properties, you can turn on Property Value Match, and specify Match Pattern and Match String.

Match Pattern:

  • accurate: The system matches values strictly based on a specified match string.

  • Substring: If the request attribute value contains the specified substring, the matching is successful. For example, if the substring is set to ab, the strings aba and cabc can be matched, but the string cba cannot be matched.

  • Regular: The system matches a string based on a specified regular expression.

Threshold Type

The threshold type. Default value: Number of requests.

Threshold

The queries per second (QPS) threshold that triggers the rule. You must specify an interval at which the system processes the requests. Supported units: second, minute, hour, and day.

For example, if the threshold is set to 10 requests per minute, the system processes a maximum of 10 requests per minute.

Advanced settings

Flow Control Method

  • Fast failure: Requests are immediately blocked if the QPS threshold is reached.

    Note

    If requests are blocked, the system returns the custom information that you configure in the Configure Protection Behavior step. If you do not configure custom information in that step, the default behavior applies: a 429 error code and the default text message are returned.

  • Waiting in line: If you set the Threshold Type parameter to Number of requests, the blocked requests are processed at a constant speed. The excess requests can be queued. You must specify a timeout period. The estimated queuing duration is calculated when a request is queued. If the estimated queuing duration exceeds the specified timeout period, the request immediately fails without being queued. For example, if the QPS threshold is set to 10 requests per second, the system processes a request every 100 milliseconds and queues the excess requests. The timeout period indicates the maximum queuing duration. The requests whose queuing duration exceeds the timeout period are directly rejected.

    Note

    If you set the Flow control effect parameter to Waiting in line, we recommend that you set the QPS threshold to no more than 1,000 requests per second.

Burst size

If you set the Flow Control Method parameter to Fast failure, you can specify the number of additionally allowed requests for traffic bursts.

Expiration Time

If you set the Flow Control Method parameter to Waiting in line, you must specify a timeout period. Unit: millisecond. For example, if the QPS threshold is set to 5 requests per second, the system processes a request every 200 milliseconds and queues the excess requests. The timeout period indicates the maximum queuing duration. The requests whose queuing duration exceeds the timeout period are directly rejected.

Whether to open

  • On: The hot parameter throttling rule for HTTP requests immediately takes effect after it is created.

  • Off: The hot parameter throttling rule for HTTP requests does not take effect after it is created.

Configure Protection Behavior

Association Behavior

  • Default Behavior: This is the default value.

    Note

    • If you do not need to customize the behavior after throttling, you can set this parameter to Default Behavior.

    • In this case, the default behavior applies after throttling: a 429 error code and the default text message are returned.

  • New behavior: You can create a custom behavior after throttling. After the behavior is created, you can select the custom behavior from the Association Behavior drop-down list.