How can I protect my APIs against my subscribed transaction count with Apigee?


Hi, my permitted transaction count per month is 1M Apigee API proxy calls. How can I protect my APIs so that no erroneous developer application can make 1M calls a day and consume my whole one-month subscription? Quota, Spike Arrest and rate limiting seem to be used for protecting backend/target services. Could you please throw some light on this?



Great question @Krishna Prasad,

I believe we count API when it reaches target server & comes back to the client. Someone needs to reconfirm same here. Quota & Other rate limiting policies can help you restrict the number of API calls in Apigee Edge proxy.

@Dino, @Carlos Eberhardt, what do you think about this?


@Krishna Prasad,

I feel you could use the Quota policy to achieve this requirement. If you place a Quota policy in your proxy endpoint flow (preferably in the PreFlow) with the quota threshold value, then upon reaching the threshold the policy will start rejecting further incoming traffic until the timer is reset.

More information can be found here.

Hope this helps!

@Meghdeep Basu, the above question is more about the quarterly transaction count and how API transactions are counted. Do you think an API transaction is counted against the quarterly limits if the Quota policy kicks in and restricts access to the target? Because there is a request and a response back to the client from the proxy even if quota limits are applied. Whether Apigee counts this transaction or not is the question.

@Anil Sagar,

Thanks for the clarity.

Actually, by looking at the question, I thought the requirement was to protect the API from a client making more than 1M calls per month, and yes, the quota threshold can be applied on a per-month basis as well. Also, the Quota policy works without a target server present in the flow.

@Krishna Prasad

As the requirement is to distribute the available capacity, i.e. 1M calls/month, across multiple apps and ensure that none of the apps consumes the available capacity, the Quota policy is the simple way to solve it. Also, a different quota value (API calls as well as duration, e.g. the duration can be a day rather than a month) can be configured for each app; for example, I would configure a high quota value for important apps. Once the quota limit is reached, the remaining requests in that interval will be rejected.
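As an added example (not code from any poster in this thread and not Apigee's own sample), here is a Quota policy of the kind the two replies above describe: it sits in the ProxyEndpoint PreFlow behind a VerifyAPIKey policy and counts per calling app, so one misbehaving app exhausts only its own allowance. It goes slightly beyond the replies in that the limit, interval and time unit are read from the API product the app is subscribed to (VerifyAPIKey populates those flow variables), so different products can carry different budgets; the literal values are only a fallback. The policy names Quota-PerApp and Verify-API-Key, the 1000-calls-per-day fallback and the start time are assumptions.

```xml
<!-- Attach in ProxyEndpoint > PreFlow > Request, after the VerifyAPIKey policy
     named Verify-API-Key (assumed name). Added example; names, counts and the
     start time below are constructed, not taken from the thread. -->
<Quota name="Quota-PerApp" continueOnError="false" enabled="true" type="calendar">
  <DisplayName>Quota-PerApp</DisplayName>
  <!-- Limit, interval and time unit come from the API product the calling app
       is subscribed to; the literal values apply only when the product sets none. -->
  <Allow count="1000" countRef="verifyapikey.Verify-API-Key.apiproduct.developer.quota.limit"/>
  <Interval ref="verifyapikey.Verify-API-Key.apiproduct.developer.quota.interval">1</Interval>
  <TimeUnit ref="verifyapikey.Verify-API-Key.apiproduct.developer.quota.timeunit">day</TimeUnit>
  <!-- Keep one counter per app: client_id is set by VerifyAPIKey from the key presented. -->
  <Identifier ref="client_id"/>
  <!-- calendar type: the first window opens at StartTime and resets every Interval/TimeUnit. -->
  <StartTime>2024-01-01 00:00:00</StartTime>
  <!-- Share the counter across message processors so the limit holds org-wide, not per node. -->
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>
```

When an app exceeds its allowance the policy raises the `policies.ratelimit.QuotaViolation` fault and the request never reaches the target; the flow variables `ratelimit.Quota-PerApp.used.count` and `ratelimit.Quota-PerApp.available.count` can be written to analytics or a log to see which app is burning its budget. As the rest of this thread establishes, those rejected calls are still counted against the entitlement, so this policy protects the backend and keeps one app from starving the others; it does not by itself reduce the monthly count.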

@rdoda, still the question is unanswered: do we count the API call if the Quota policy restricts the API from hitting the backend? YES / NO?

@Anil Sagar, No, such requests are not counted as these are really not served.

So, if I am not wrong, "we count API when it reaches target server & comes back to the client." Is that statement right in the context of quarterly limits?

All calls hitting Apigee are counted unless it is an Apigee platform error. We don't make a distinction if the call went to the backend or not.

Because you might even have caching or a no-target or a node.js app inside Apigee and even in those cases the calls won't go to the backend.

@sarthak, does that mean that even calls from some rogue app to APIs that return Spike Arrest faults / quota limit faults are counted?

Yes, correct. Apigee has no mechanism to know which is a rogue call vs. which are legitimate calls failing.

@sarthak, thank you for the clarification, it's helpful. Just thinking, does Apigee Sense have any context here?

Yes, absolutely. If Apigee Sense is used it will be sitting in front of Edge and will stop bots from coming in. I am not sure if those calls will be counted or not. But Sense should be able to block some of that traffic.

bala

@Krishna Prasad - The purpose of using Edge is not only to manage your APIs but also to protect your backends. If an erroneous or malicious developer tries to make a lot of calls where it is not warranted, Edge will either block them (if the authentication fails) or stop them (when the quota or spike arrest limit is reached). In either case the product is doing its job. Hence all those calls count against the 1M call entitlement.

If you have a genuine need to protect against bots or malicious developers, please do take a look at our product Apigee Sense.

Anil, we count every request and successful response as an API call, and they count against the entitlements, not just responses with 2xx.

Thank you @bala@apigee.com for the additional details, it's helpful.

It seems it is a security/threat (not exactly security, it's a threat) issue for us, as the quarterly limit is applied to all the environments and the development team is also consuming this quota. And there is another layer of application development team also hitting production APIs. If anything goes wrong during development or testing which creates a loop hitting the APIs, it can consume all our quota overnight. I am not sure Apigee Sense is a complete shield for these types of scenarios...