How can I use API products to set spike arrest limits?

Not applicable

Depending on the product I want to be able to set the spike limit.

For instance:

Product A: 5ps

Product B: 10pm

I know I can set custom values in my products, but how do I retrieve them from within my Spike Arrest policy?

Solved Solved
2 6 4,766
1 ACCEPTED SOLUTION

Hi Friso,

If you are validating with an API Key, then you can do the following...

<SpikeArrest name="MySpikeArrest">

<Rate ref="verifyapikey.{policy_name}.apiproduct.{custom_attrib_name}"/>

</SpikeArrest>

If you are using OAuth you can use...

<SpikeArrest name="MySpikeArrest">

<Rate ref="apiproduct.{custom_attribute_name}"/>

</SpikeArrest>

Hope this helps!

View solution in original post

6 REPLIES 6

Hi Friso,

If you are validating with an API Key, then you can do the following...

<SpikeArrest name="MySpikeArrest">

<Rate ref="verifyapikey.{policy_name}.apiproduct.{custom_attrib_name}"/>

</SpikeArrest>

If you are using OAuth you can use...

<SpikeArrest name="MySpikeArrest">

<Rate ref="apiproduct.{custom_attribute_name}"/>

</SpikeArrest>

Hope this helps!

akoo
Participant V

Hi @Friso Denijs (frisodenijs),

You're already on the right trail-- good stuff. Using custom attributes like those available in Products would be the way to go. You could also use similar from App and Developer entities, just as well.

To use them, we'll need a mechanism to associate the Product/App/Developer entity with the API call. The easiest way to do this is to use Verify API Key policy or access token validation (via OAuth v2 policy). Chances are you are already using these policies in order to protect your resource from unauthorized traffic. Then after an API call is processing through one of those policies (with a valid and appropriate API key or access token, of course), you can access the custom attributes. For example, for Product custom attributes, following access token validation, use the following notation:

apiproduct.{custom_attribute_name}

After Verify API Key, you can use the following:

verifyapikey.{policy_name}.apiproduct.{custom_attribute_name}

Let us know how this works out!

Hi @Friso Denijs,

Not sure if you're still looking for the answer, if so, here it goes;

You can use create a custom variable at product level, for e.g. "spikeRateLimit"; set it's value let say "12ps"

In your proxy for spike arrest policy, you can reference this variable as follow;

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SpikeArrest async="false" continueOnError="false" enabled="true" name="spikeArrest">
    <DisplayName>spikeArrest</DisplayName>
    <!-- reading spike count from product custom attribute, if this is not set, default 30 request per second -->
    <Rate ref="verifyapikey.verifyApiKey.apiproduct.spikeRateLimit">30ps</Rate>
    <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>

I hope this helps.

I believe this shoould be:

<Rateref="verifyapikey.verifyApiKey.apiproduct.spikeRateLimit"/>

variable spikeRateLimit going to referred from product then what is need of putting 30ps under Rate tag?

Hi @Pankaj Jain, your understanding is correct, however you missed the comment that I put in the above code.

<!-- reading spike count from product custom attribute, if this is not set, default 30 request per second -->

Spike arrest is a policy designed to regulate traffic flowing to your backend services, irrespective of where that traffic is coming from. You may wish to consider using Quota policy which is designed to do what you're trying to achieve.

https://docs.apigee.com/api-platform/develop/comparing-quota-spike-arrest-and-concurrent-rate-limit-...