This documentation is for WSO2 API Manager 1.7.0 View documentation for the latest release.
Page Comparison - Managing Throttling Tiers (v.9 vs v.12) - API Manager 1.7.0 - WSO2 Documentation

All docs This doc

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • To protect your APIs from common types of security attacks such as denial of service (DOS)
  • To regulate traffic according to infrastructure availability
  • To make an API, application or a resource available to a consumer at different levels of service, usually for monetization purpose

...

API-level throttling tiers are defined when Managing APIs using the API Publisher portal. The UI looks as follows:

...

Resource-level throttling tiers are set to HTTP verbs of an API's resources at the time an API is created when Managing APIs using the API Publisher portal. This is shown below:The UI looks as follows:
Image Added

When a subscriber views an API using the API Store, s/he can see the resource-level throttling tiers using the Throttle Info tab as follows:
Image RemovedImage Added
Subscribers are not allowed to change these throttling tiers. They are simply notified of the limitations.

IP-level throttling

In IP address based -level throttling, you can limit the number of requests sent by a client IP (e.g., 10 calls from single client).

  1. Log in to the management console and click the Resources -> Browse menu.
  2. Navigate to the tiers.xml file in the registry location /_system/governance/apimgt/applicationdata.
  3. Add your policy. For example, the throttling policy shown below allows only 1 API call per minute for a client from 10.1.1.1 and 2 calls per minute for a client from any other IP address

:
  1. .

 

  1. Code Block
    language
html/
  1. xml
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"  
    
    xmlns:throttle="http://www.wso2.org/products/wso2commons/throttle">   
    <throttle:MediatorThrottleAssertion>    
    <wsp:Policy>            
    <throttle:ID throttle:type="IP">10.1.1.1</throttle:ID>            
    <wsp:Policy>                
    <throttle:Control>                    
    <wsp:Policy>                        
    <throttle:MaximumCount>1</throttle:MaximumCount>                        
    <throttle:UnitTime>60000</throttle:UnitTime>                    
    </wsp:Policy>                
    </throttle:Control>           
    </wsp:Policy>        
    </wsp:Policy>
         
    <wsp:Policy>            
    <throttle:ID throttle:type="IP">other</throttle:ID>            
    <wsp:Policy>                
    <throttle:Control>                    
    <wsp:Policy>                        
    <throttle:MaximumCount>2</throttle:MaximumCount>                        
    <throttle:UnitTime>60000</throttle:UnitTime>                   
     </wsp:Policy>                
    </throttle:Control>            
    </wsp:Policy>        
    </wsp:Policy>    
    </throttle:MediatorThrottleAssertion></wsp:Policy> 
 

How throttling tiers work

  • When an API is invoked, it first checks whether the request is allowed by APIapplication-level throttling limit. If the consumer an application has exceeded his/her its maximum number of allowed API requests, the new request will be terminated.
  • If APIapplication-level limit is not exceeded, it then checks whether the request is allowed by applicationresource-level throttling limit. If it has exceeded, the request will be terminated.
  • If applicationresource-level limit is not exceeded, it finally checks whether the request is allowed by resourceAPI-level throttling limit. If the limit is not exceeded, then the request will be granted.

...