When a small number of parameter values receive disproportionate traffic -- such as a popular product ID during a flash sale or a single IP flooding your API -- Microservices Engine (MSE) can throttle requests at the parameter level. MSE parses each incoming HTTP request, tracks the frequency of each unique parameter value, and throttles only the values that exceed the threshold. Other values continue to be processed normally.
Hot parameter throttling rules for HTTP requests were formerly known as web application protection rules.
How it works
MSE inspects the parameters of each HTTP request and maintains per-value counters. When the request rate for a specific value exceeds the configured threshold, MSE applies the flow control method (immediate rejection or queuing) to that value only.
Supported frameworks: Servlet containers, Spring Web, and Spring Boot.
Throttling dimensions:
| Dimension | What MSE tracks |
|---|---|
| Client IP | Source IP address of each request. If the request passes through a proxy, MSE reads the X-Forwarded-For header first. |
| Remote Host | Hostname of each request. |
| Header | A specific HTTP header value. Specify the header name after selecting this option. Supports value matching. |
| URL Parameters | A specific URL parameter value. Specify the parameter name after selecting this option. Supports value matching. |
Typical scenarios:
Flash sale protection -- Limit requests per product ID to prevent cache breakdowns when a few popular items receive massive traffic.
Anti-brushing -- Limit requests per IP address to block fraudulent bulk access patterns.
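X-Forwarded-For arrives with the request, so a per-IP counter is meaningful only when the value was written by a proxy you operate. The sketch below is an added example, not MSE code: it shows the check an edge proxy or filter can apply before the request reaches the application. The trusted range, function names, and sample requests are assumptions made for illustration; the page does not state which X-Forwarded-For entry MSE selects.

```python
import ipaddress

# Assumption for this sketch: the proxy tier you operate lives in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, xff=None):
    """Return the address a per-IP rule should count against."""
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by a peer that is not our proxy is just client input.
    if not xff or not _trusted(peer):
        return str(peer)
    candidate = peer
    # Each proxy appends the peer it saw, so trust is established right to left.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                  # malformed entry: keep the last good hop
        candidate = addr
        if not _trusted(addr):
            break                  # first hop we do not operate is the client
    return str(candidate)

# Constructed requests: (direct peer, X-Forwarded-For as received).
SAMPLES = [
    ("10.0.0.5", "203.0.113.7, 10.0.0.9"),             # normal proxied request
    ("10.0.0.5", "192.0.2.1, 203.0.113.7, 10.0.0.9"),  # extra client-supplied entry
    ("203.0.113.7", "192.0.2.1"),                      # header from an untrusted peer
    ("198.51.100.9", None),                            # direct connection
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(f"peer={peer:<13} xff={header!s:<36} -> {client_ip(peer, header)}")
```

Having the edge overwrite X-Forwarded-For with this single resolved value keeps the Client IP dimension tied to an address your own infrastructure observed.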
Prerequisites
Before you begin, make sure that you have:
An MSE-managed application running on a supported web framework (Servlet, Spring Web, or Spring Boot)
Access to the MSE console
The target API endpoint identified for throttling
Create a rule
Log on to the MSE console and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Governance > Application Governance.
On the Application list page, click the resource card of the target application.
In the left-side pane, click API Details. Click the Hotspot Parameter Protection (HTTP Requests) tab, and then click New.
In the New dialog box, configure the rule parameters. For details about each parameter, see Parameter reference.
Click New.
In the rule list, find the rule and click Enable in the Status column.
In the Tips message, click OK.
Example: Throttle flash sale traffic by product ID
During a flash sale, a few popular product IDs can generate enough traffic to overwhelm your system. A hot parameter throttling rule rejects excess requests to those product IDs while keeping the rest of your API responsive.
Goal: Allow a maximum of 100 requests per second for each product ID. Reject excess requests immediately.
Configure the following settings in the New dialog box:
| Setting | Value | Why |
|---|---|---|
| Parameter Properties | URL Parameter | Throttle by the URL parameter that identifies the product |
| URL Parameter Name | stockId | The product ID parameter in your API |
| Threshold | 100 requests per second | Maximum rate per unique stockId value |
| Flow Control Method | Fast failure | Reject excess requests immediately instead of queuing |
Result: MSE processes up to 100 requests per second for each unique stockId value. When a stockId exceeds this threshold, MSE immediately rejects the excess requests and returns the response configured in Association Behavior -- a 429 status code with a default text message unless you configure a custom response.
Set Parameter Properties to match the parameter that identifies the product. For example, if stockId is the product ID parameter in your API, select URL Parameter and enter stockId in the URL Parameter Name field.
Example: Throttle suspicious IP addresses
During a promotion, a single IP address may send a large volume of requests to hoard inventory or exhaust server resources. A hot parameter throttling rule queues excess requests from each IP address and processes them at a constant rate.
Goal: Allow 100 requests per second from each IP address. Queue excess requests and process them at a steady rate, with a 30-millisecond timeout.
Configure the following settings in the New dialog box:
| Setting | Value | Why |
|---|---|---|
| Parameter Properties | Client IP | Throttle by source IP address |
| Threshold Type | Number of requests (default) | Count requests rather than other metrics |
| Threshold | 100 requests per second | Maximum rate per unique IP address |
| Flow Control Method | Waiting in line | Queue excess requests instead of rejecting immediately |
| Expiration Time | 30 (milliseconds) | Maximum time a request can wait in the queue |
| Whether to open | On | Activate the rule immediately after creation |
Result: MSE processes one request from each IP address every 10 milliseconds (100 requests/second) and queues the excess. If a queued request would wait longer than 30 milliseconds, it is rejected immediately.
When Flow Control Method is set to Waiting in line, set the QPS threshold to no more than 1,000 requests per second.
Parameter reference
The following tables describe the parameters in the New dialog box.
Configure Protection Rule
Parameter Properties
The request dimension to throttle. Select one of the following options:
| Option | Description |
|---|---|
| Client IP | The source IP address of the client. If the request passes through a proxy, MSE reads the X-Forwarded-For header first and uses that as the actual client IP. |
| Remote Host | The hostname of the client. |
| Header | A specific HTTP header value. Specify the header name after selecting this option. Supports value matching (see below). |
| URL Parameters | A specific URL parameter value. Specify the parameter name after selecting this option. Supports value matching (see below). |
Match Pattern and Match String (optional)
Available when Parameter Properties is set to Header or URL Parameters. Turn on Property Value Match to filter which parameter values are tracked and throttled.
| Match Pattern | Behavior | Example |
|---|---|---|
| accurate | Exact string match. Only values identical to the match string are throttled. | Match string abc matches only abc. |
| Substring | Matches if the value contains the specified string. | Substring ab matches aba and cabc but not cba. |
| Regular | Matches values based on a regular expression. | Pattern ^user_\d+$ matches user_123. |
Threshold
| Parameter | Description | Default |
|---|---|---|
| Threshold Type | The metric used to measure traffic. | Number of requests |
| Threshold | The maximum request rate that triggers throttling. Specify a number and a time unit (second, minute, hour, or day). For example, 10 requests per minute allows a maximum of 10 requests per minute for each unique parameter value. | -- |
Flow control
| Parameter | Description | Default |
|---|---|---|
| Flow Control Method | How MSE handles excess requests. See details below. | -- |
| Burst size | The number of additional requests allowed beyond the threshold to handle traffic spikes. Available only with Fast failure. | -- |
| Expiration Time | The maximum queue wait time in milliseconds. Available only with Waiting in line. Requests whose estimated wait exceeds this timeout are rejected immediately. | -- |
| Whether to open | Controls whether the rule takes effect immediately after creation. On: takes effect immediately. Off: created but inactive until manually enabled. | Off |
Flow Control Method options:
Fast failure -- Rejects excess requests immediately. Returns the custom response configured in Configure Protection Behavior, or a default 429 status code with a text message if no custom response is set.
Waiting in line -- Queues excess requests and processes them at a constant rate. MSE calculates the estimated wait time when a request enters the queue. If the estimated wait exceeds the Expiration Time, the request is rejected without being queued. For example, at a threshold of 10 requests per second, MSE processes one request every 100 milliseconds and queues the rest. At 5 requests per second, MSE processes one request every 200 milliseconds.
When using Waiting in line, set the QPS threshold to no more than 1,000 requests per second.
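To make the Waiting in line behaviour concrete, the following added example models it for the rule in "Throttle suspicious IP addresses" (100 requests per second, Expiration Time 30) and for the 10 requests per second case above. It is a model written for this page, not MSE's implementation; the class, function names, and arrival times are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class WaitingInLine:
    """Model of the queuing behaviour described above, one lane per value."""
    qps: int              # Threshold, in requests per second
    expiration_ms: int    # Expiration Time, in milliseconds
    next_slot: dict = field(default_factory=dict)  # value -> next free slot (ms)

    def offer(self, value, now_ms):
        """Decide one request; returns (decision, estimated_wait_ms)."""
        interval = 1000.0 / self.qps           # 100 per second -> 10 ms apart
        start = max(self.next_slot.get(value, now_ms), now_ms)
        wait = start - now_ms
        if wait > self.expiration_ms:
            return ("rejected", wait)          # never enters the queue
        self.next_slot[value] = start + interval
        return ("passed" if wait == 0 else "queued", wait)

# Constructed arrivals: (time in ms, client IP). One address sends a burst of
# six requests at t=0 and one more at t=25; a second address sends one request.
ARRIVALS = [(0, "203.0.113.7")] * 6 + [(0, "198.51.100.9"), (25, "203.0.113.7")]

def simulate(arrivals, qps=100, expiration_ms=30):
    """Run the arrivals through one rule; returns (ip, t, decision, wait)."""
    rule = WaitingInLine(qps, expiration_ms)
    return [(ip, t) + rule.offer(ip, t) for t, ip in arrivals]

if __name__ == "__main__":
    for ip, t, decision, wait in simulate(ARRIVALS):
        print(f"t={t:>3} ms  {ip:<13} {decision:<8} wait={wait:.0f} ms")
```

In the burst, one request passes at once, three are queued with waits of 10, 20 and 30 ms, and the fifth and sixth are rejected because their estimated wait of 40 ms exceeds the timeout; the second address is unaffected because each value has its own counter.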
Configure Protection Behavior
| Parameter | Description | Default |
|---|---|---|
| Association Behavior | The response returned to throttled clients. Default Behavior: returns a 429 status code with a default text message. New behavior: create a custom response, then select it from the Association Behavior drop-down list. | Default Behavior |