All Products
Search
Document Center

Serverless App Engine:Traffic protection

Last Updated:Apr 01, 2026

Traffic spikes and slow downstream dependencies can cascade into application-wide failures. SAE integrates the traffic protection capabilities of Microservices Engine (MSE), letting you apply throttling, concurrency isolation, circuit breaking, and hotspot parameter protection rules to your microservices applications — all from the SAE console.

Prerequisites

Before you begin, make sure you have:

Cost considerations

MSE is billed separately from SAE. For pricing details, see Billing overview of Microservices Governance.

Limitations

Traffic protection applies only to microservices applications created on November 8, 2023 or later.

Open the Traffic Protection tab

  1. Log on to the SAE console. In the left-side navigation pane, choose Applications > Applications.

  2. In the top navigation bar, select a region. From the Namespace drop-down list, select a namespace, and then click the application name.

  3. In the left-side navigation pane, choose Microservice Governance > Traffic Governance, and click the Traffic Protection tab.

Configure rules

All rule types share the same three-step dialog workflow:

  1. Select Protection Scenario — specify the API type, traffic direction, and interface name.

  2. Configure Protection Rule — set thresholds and behavior.

  3. Configure Protection Behavior — associate a behavior (fallback response) with the rule.

After a rule is created, you can edit or delete it from its corresponding tab.

Create a throttling rule

A throttling rule monitors queries per second (QPS). When QPS reaches the threshold, the system intercepts or delays incoming traffic to keep your application stable during traffic spikes.

  1. On the Interface Flow Control tab, click Add Throttling Rule.

  2. In the Add Throttling Protection Rule dialog box, complete all three steps.

In the Configure Protection Rule step, set the following parameters:

ParameterDescriptionDefault
Whether to openToggle ON to activate the rule immediately after creation.Disabled
Stand-alone QPS thresholdThe QPS value that triggers the rule.
Flow control effectHow blocked requests are handled. See Choose a flow control effect.

Choose a flow control effect

EffectBehaviorUse when
Fast failureRequests exceeding the QPS threshold are rejected immediately. The response content is determined by the adaptation module configuration.You need hard cutoffs to protect backend capacity.
Waiting in lineRequests are processed at a constant rate; excess requests queue up. Requests queued longer than the timeout period fail. Must set a queuing timeout.You want peak-load shifting — delaying bursts rather than dropping them.

Create a concurrency isolation rule

A concurrency isolation rule caps the number of concurrent threads for an interface or dependency. When the cap is reached, excess requests are rejected until active threads drop below the threshold, preventing thread exhaustion from cascading into broader failures.

  1. On the Concurrency Isolation tab, click Add isolation rule.

  2. In the Add Isolation Protection Rule dialog box, complete all three steps.

In the Configure Protection Rule step, set the following parameters:

ParameterDescriptionDefault
Whether to openToggle ON to activate the rule immediately after creation.Disabled
Concurrency thresholdMaximum number of concurrent threads allowed to process requests.

Create a circuit breaking rule

A circuit breaking rule monitors the response time (RT) or abnormal request ratio of a downstream dependency. When the threshold is exceeded, the system immediately lowers the priority of the dependent downstream application and does not call it within the circuit breaking duration. After the duration elapses, the circuit breaker tests recovery based on the configured policy.

To create a circuit breaking rule:

  1. On the Circuit Breaking Rule tab, click Add Circuit Breaking Rule.

  2. In the Add Circuit Breaking Rule dialog box, complete all three steps.

In the Configure Protection Rule step, set the following parameters:

ParameterDescriptionDefault
Statistical window durationThe time window used to evaluate thresholds. Valid range: 1 second–120 minutes.
Minimum number of requestsThe minimum number of requests in the window required to trigger circuit breaking. Below this count, the rule does not trigger even if the threshold is met.
Threshold typeThe metric used to evaluate the rule: Slow call ratio (%) or Abnormal proportion (%).
Slow call RT*(Slow call ratio only)* Response time threshold in milliseconds. Requests exceeding this value count as slow calls.
Circuit Breaking Ratio ThresholdThe percentage of slow or abnormal calls that triggers circuit breaking.
Circuit Breaking Duration (s)*(Click Show Advanced Options)* How long the circuit stays open. During this period, all calls to the resource fail.
Circuit Breaking Policy*(Click Show Advanced Options)* How the circuit breaker tests recovery after the duration elapses. See Choose a circuit breaking policy.Single detection recovery

Choose a circuit breaking policy

PolicyBehaviorUse when
Single detection recoveryAfter the circuit breaking duration elapses, the next request is tested. If it passes (not slow or abnormal), the circuit closes. If it fails, the circuit opens again.The dependency recovers quickly and predictably.
Progressive recoveryTraffic is gradually re-admitted across N recovery stages. Each stage allows a larger percentage of requests (T%, 2T%, ... 100%, where T = 100/N). If any stage exceeds the threshold, circuit breaking triggers again. Set Number of recovery phases and Minimum number of passes per step.The dependency is unstable after an incident and needs gradual warm-up.

Progressive recovery example: With 3 recovery stages and a minimum of 5 passes per stage, traffic is admitted at 33%, 67%, and 100%. If requests in a stage reach 5, a threshold check runs. Failure at any stage re-opens the circuit.

Create a hotspot parameter protection rule for RPC

Hotspot parameter protection (RPC) identifies the parameters most frequently accessed during resource calls and applies per-parameter throttling. This prevents a small set of hot parameters from consuming disproportionate resources.

The parameter index corresponds to the position in SphU.entry(xxx, args). For example, in SphU.entry(resourceName, EntryType.IN, 1, paramA, paramB), paramA has index 0 and paramB has index 1.

  1. On the Hotspot Parameter Protection (RPC) tab, click Add Hotspot Parameter Protection (RPC) Rule.

  2. In the Add Hotspot Parameter Protection (RPC) Rule dialog box, complete all three steps.

In the Configure Protection Rule step, set the following parameters:

ParameterDescriptionDefault
Parameter position indexIndex of the hot parameter in SphU.entry(xxx, args).
Statistical dimensionNumber of requests: limits requests per period. Concurrent number: limits max concurrent requests.
Statistical cycle timeThe measurement period, in seconds. Example: cycle = 10 s, threshold = 5 means max 5 accesses per parameter per 10 seconds.
Single machine thresholdQPS threshold per hot parameter.
Flow control effect*(Available when Statistical dimension = Number of requests)* Fast failure or Waiting in line. In Fast failure mode, set Number of buffered requests to allow additional requests during bursts. In Waiting in line mode, requests exceeding the threshold are queued; set a timeout after which queued requests are rejected.
Whether to openToggle ON to activate the rule immediately after creation.Disabled

Create a hotspot parameter protection rule for HTTP requests

Hotspot parameter protection (HTTP requests) applies per-value throttling based on request attributes such as client IP, hostname, HTTP headers, or URL parameters. Use this for fine-grained control over web services.

  1. On the Hotspot Parameter Protection (HTTP Requests) tab, click New Hotspot Parameter Protection (HTTP Requests).

  2. In the New Hotspot Parameter Protection (HTTP Requests) dialog box, complete all three steps.

In the Configure Protection Rule step, set the following parameters:

ParameterDescriptionDefault
Parameter PropertiesThe request attribute to track: Client IP (uses X-Forwarded-For if proxied), Remote Host, Header (specify header name; supports matching mode), or URL Parameters (specify parameter name; supports matching mode).
Threshold typeThe metric used to evaluate the rule.Number of requests
ThresholdQPS threshold. Supported units: second, minute, hour, day. Example: 10 requests per minute means max 10 requests per minute per parameter value.
Whether to openToggle ON to activate the rule immediately after creation.Disabled
Flow Control Method*(Click Show Advanced Options)* Fast failure: requests exceeding the threshold are blocked; returns the custom behavior response or default HTTP 429. Waiting in line: requests queue at a constant rate; queued requests exceeding the timeout are rejected immediately. Set QPS to 1,000 per second or fewer when using this mode.
Burst size*(Click Show Advanced Options, only for Fast failure)* Number of additional requests allowed during traffic bursts.
Timeout Period*(Click Show Advanced Options, only for Waiting in line)* Maximum queuing duration in milliseconds. Requests queued longer than this are rejected.

Manage behaviors

A behavior defines the fallback response returned when a rule triggers. For example, after a web interface hits its throttling limit, the system can return a custom HTTP response instead of a generic error.

Create a behavior

  1. On the Behavior Management tab, click New behavior.

  2. In the New behavior dialog box, configure the parameters and click New.

Web resources

ParameterDescriptionExample
Behavior NameUnique name within the application. Max 128 characters.Test behavior
Resource TypeSelect Web.Web
Web Throttling PolicyDefault: Custom return. Customize the HTTP status code, content type, and response body.Custom return
HTTP Status CodeRequired when Web Throttling Policy = Custom return.429
Returned Content-TypePlain text or JSON.JSON
Returned HTTP TextThe response body returned when the rule triggers.{"message": "blocked oops"}

RPC resources

ParameterDescriptionExample
Behavior NameUnique name within the application. Max 128 characters.Test behavior
Resource TypeSelect Rpc.Rpc
Rpc current limiting processing strategyCustom return: return a custom response object (JSON). Custom exception: throw a custom exception.
Apache Dubbo versions 2.7.0–2.7.3 do not support custom behaviors. These versions return java.lang.RuntimeException containing SentinelBlockedException when throttling triggers.

When strategy = Custom return:

ParameterDescriptionExample
Custom Response Class NameFull class path. Generic types such as Map<K, V> and List<T> are not supported.com.alibaba.demo.OrderService:getOrder(long)
Custom Response Content (JSON Format)The JSON response body returned when the rule triggers.{"id": "123", "name": "test"}

When strategy = Custom exception:

ParameterDescriptionExample
Exception Class NameFull path of the exception class.java.lang.RuntimeException
Exception Message TextThe exception message returned when the rule triggers."Operation failed"

Associate a behavior with a rule

  1. On the Traffic Protection tab, open the tab for the rule type. Find the rule and click Edit in the Actions column.

  2. Complete the Select Protection Scenario and Configure Protection Rules steps.

  3. In the Configure Protection Behavior step, select a behavior from the Association Behavior drop-down list, or click New behavior to create one.

  4. Click Save.

To use the default fallback, select Default Behavior and leave API Type unspecified.
If the interface already has an associated behavior, associating a new one overwrites the existing behavior.
If API Type is not specified in the Select Protection Scenario step, the default behavior is associated automatically.
After API Type is set and a behavior is associated, the type cannot be changed.

Use cases

The following examples show how to configure each rule type for common scenarios.

Scenario 1: Peak-load shifting with throttling

Goal: Process requests at a constant rate during traffic spikes rather than dropping them.

In the Add Throttling Protection Rule dialog box, set:

  • Stand-alone QPS threshold: 5

  • Flow control effect: Waiting in line

  • Timeout: 5,000 milliseconds

Result: The system processes one request every 200 milliseconds and queues excess requests. Any request queued for more than 5,000 milliseconds fails immediately with the default throttling response.

Scenario 2: Preventing thread exhaustion with concurrency isolation

Goal: Isolate a slow database query so it cannot exhaust the application thread pool.

Example: An SQL query normally runs in 20 milliseconds with an expected QPS of 20.

In the Add Isolation Protection Rule dialog box, set:

  • Interface name: the interface calling the SQL query

  • Concurrency threshold: 10

Result: If the SQL query deadlocks or slows down, Application High Availability Service rejects excess requests and only 10 threads are occupied regardless of how many requests arrive. Once the query normalizes, threads are released and the concurrency count drops below the threshold, restoring full capacity automatically.

Scenario 3: Circuit breaking for slow downstream calls

Goal: Stop calling a slow third-party service when its response time degrades.

In the Add Circuit Breaking Rule dialog box, set:

ParameterValue
Interface nametest
Statistical window duration1 second
Minimum number of requests10
Threshold typeSlow call ratio (%)
Slow call RT1,000 milliseconds
Circuit Breaking Ratio Threshold80%
Circuit Breaking Duration (s)10
Circuit Breaking PolicySingle detection recovery

Result: If more than 80% of requests in a 1-second window exceed 1,000 ms and at least 10 requests have been made, the circuit opens for 10 seconds. After 10 seconds, the next request is tested. If its response time is under 1,000 ms, the circuit closes. Otherwise, it opens again.

Scenario 4: Circuit breaking for high error rates

Goal: Stop calling a dependency when its error rate spikes.

In the Add Circuit Breaking Rule dialog box, set:

ParameterValue
Interface nametest
Statistical window duration1 second
Minimum number of requests10
Threshold typeAbnormal proportion (%)
Circuit Breaking Ratio Threshold80%
Circuit Breaking Duration (s)10
Circuit Breaking PolicySingle detection recovery

Result: If more than 80% of requests in a 1-second window are abnormal and at least 10 requests have been made, the circuit opens for 10 seconds.

Scenario 5: Flash sale — queue RPC requests for hot products

Goal: Queue excess purchase requests during a flash sale rather than dropping them.

In the Add Hotspot Parameter Protection (RPC) Rule dialog box, set:

  • Interface name: the purchase API

  • Statistical dimension: Number of requests

  • Statistical cycle time: 1 second; Single machine threshold: 100

  • Flow control effect: Waiting in line

  • Timeout: 30 milliseconds

Result: If this API is called more than 100 times per second, excess requests are queued. Any request queued for more than 30 milliseconds fails immediately.

Scenario 6: Flash sale — cap concurrent order-modification requests

Goal: Prevent high-concurrency order modifications from saturating the database.

In the Add Hotspot Parameter Protection (RPC) Rule dialog box, set:

  • Interface name: the address-update API

  • Statistical dimension: Concurrent number

  • Statistical cycle time: 1 second; Single machine threshold: 100

  • Flow control effect: Fast failure

Result: The system allows up to 100 concurrent requests. Excess requests fail immediately.

Scenario 7: Flash sale — reject excess HTTP requests per product

Goal: Limit how many requests each product page receives per second.

In the New Hotspot Parameter Protection (HTTP Requests) dialog box, set:

  • Parameter Properties: URL Parameters; enter stockId in the URL Parameter Name field

  • Threshold: 100 requests per second

  • Flow Control Method: Fast failure

Select the URL parameter that identifies the product. In this example, stockId is the product ID parameter.

Result: Each unique product ID (stockId value) can receive at most 100 requests per second. Excess requests are rejected with the custom behavior response.

Scenario 8: Malicious request prevention

Goal: Rate-limit requests per source IP to protect against scraping or abuse during promotions.

In the New Hotspot Parameter Protection (HTTP Requests) dialog box, set:

  • Parameter Properties: Client IP

  • Threshold type: Number of requests (default)

  • Threshold: 100 requests per second

  • Flow Control Method: Waiting in line

  • Timeout Period: 30 milliseconds

  • Whether to open: On

Result: Each IP address is allowed one request every 10 milliseconds. Excess requests are queued. Any request queued for more than 30 milliseconds fails immediately.