API-level throttling tiers are defined whenusing the API Publisher portal. The UI looks as follows:
After API-level throttling tiers are set and the API is published,, the consumers of the API can log in to the API Store and select which tier they are interested in as follows:
According to the tiers the subscriber selects, s/he is granted a maximum number of requests to the API. The default tiers are as follows:
- Bronze: 1 request per minute
- Silver: 5 requests per minute
- Gold: 20 requests per minute
- Unlimited: Allows unlimited access (you can disable the Unlimited tier by editing the
<TierManagement>node of the
Setting tier permissions: Users with
Manage Tiers permission can set role-based permissions to API-level access throttling tiers. This is done using the Tier Permissions menu in the API Publisher as shown below. For each tier, you can specify a comma-separated list of roles and either Allow or Deny access to the list.
A subscriber logged into the API Store can consume APIs using a specific tier only if s/he is assigned to a role that is allowed access. In the API Store, the subscriber sees a list of tiers that is filtered based on the subscriber's role. Only the ALLOWED roles appear here. By default, all tiers are allowed to everyone.
In IP-based throttling, you can limit the number of requests sent by a client IP (e.g., 10 calls from single client).
- Log in to the management console and click the Resources -> Browse menu.
Navigate to the
tiers.xmlfile in the registry location
Add your policy. For example, the throttling policy shown below allows only 1 API call per minute for a client from 10.1.1.1 and 2 calls per minute for a client from any other IP address.
Code Block language xml
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:throttle="http://www.wso2.org/products/wso2commons/throttle"> <throttle:MediatorThrottleAssertion> <wsp:Policy> <throttle:ID throttle:type="IP">10.1.1.1</throttle:ID> <wsp:Policy> <throttle:Control> <wsp:Policy> <throttle:MaximumCount>1</throttle:MaximumCount> <throttle:UnitTime>60000</throttle:UnitTime> </wsp:Policy> </throttle:Control> </wsp:Policy> </wsp:Policy> <wsp:Policy> <throttle:ID throttle:type="IP">other</throttle:ID> <wsp:Policy> <throttle:Control> <wsp:Policy> <throttle:MaximumCount>2</throttle:MaximumCount> <throttle:UnitTime>60000</throttle:UnitTime> </wsp:Policy> </throttle:Control> </wsp:Policy> </wsp:Policy> </throttle:MediatorThrottleAssertion></wsp:Policy>
If you need to add a list of IPs / subnets for throttling you can derive the IP range from CIDR (Classless Inter-Domain Routing) notation and add it to the throttling policy configuration as follows.
If IP / subnet is "10.1001.41.961/27" in CIDR notation, the IP address range is between "10.1001.41.97 1 - 10.1001.41.12630" (if we keep 127 31 for broadcast). Therefore you can add throttling for the IP range as follows.
<throttle:ID throttle:type="IP">10.1001.41.971 - 10.1001.41.126<30</throttle:ID>
How throttling tiers work