How to use the developer app name to maintain the spike arrest

darpanjain420
Participant III

I want to use the developer app name in the spike arrest policy in the identifier tag. But I have following doubts:

1. spike arrest has to come at the start of proxy right?

2. If i configure dev app name as a custom attribute, I will still have to use the verify api key to get it populated in runtime?

3. Is there any other way or any other parameter I can use for as an identifier for the spike arrest policy ?

Basically I want to maintain separate count for separate app users. beside having it in proxy level.

Solved Solved
0 1 459
1 ACCEPTED SOLUTION

> 1. spike arrest has to come at the start of proxy right?

Yes, and no. The purpose of the spike arrest is to quickly, and with minimal effort, drop excess traffic. The more work done before the spike arrest drops an API call, the more work your message processors (and potentially other components and servers) need to do before the call is dropped. For this reason your spike arrest *should* be as early as possible in the proxy, but this is not a hard requirement.

> 2. If i configure dev app name as a custom attribute, I will still have to use the verify api key to get it populated in runtime?

You'll need to use something to get the app name from somewhere, but where and how are mostly up to you. If you're using OAuth, that's also a good option: https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy?hl=en

> 3. Is there any other way or any other parameter I can use for as an identifier for the spike arrest policy ?

This obviously depends on what your business logic requirements are, but client.ip or client.cn (if you're using mTLS) would be potential choices as well.

View solution in original post

1 REPLY 1

> 1. spike arrest has to come at the start of proxy right?

Yes, and no. The purpose of the spike arrest is to quickly, and with minimal effort, drop excess traffic. The more work done before the spike arrest drops an API call, the more work your message processors (and potentially other components and servers) need to do before the call is dropped. For this reason your spike arrest *should* be as early as possible in the proxy, but this is not a hard requirement.

> 2. If i configure dev app name as a custom attribute, I will still have to use the verify api key to get it populated in runtime?

You'll need to use something to get the app name from somewhere, but where and how are mostly up to you. If you're using OAuth, that's also a good option: https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy?hl=en

> 3. Is there any other way or any other parameter I can use for as an identifier for the spike arrest policy ?

This obviously depends on what your business logic requirements are, but client.ip or client.cn (if you're using mTLS) would be potential choices as well.