Protect your Services

1. Access your Kong Manager instance and your default workspace.

2. Go to API Gateway > Plugins.

3. Click New Plugin.

4. Scroll down to Traffic Control and find the Rate Limiting Advanced plugin. Click Enable.

5. Apply the plugin as Global, which means the rate limiting applies to all requests, including every Service and Route in the Workspace.

   If you switched it to Scoped, the rate limiting would apply the plugin to only one Service, Route, or Consumer.

   Note: By default, the plugin is automatically enabled when the form is submitted. You can also toggle the This plugin is Enabled button at the top of the form to configure the plugin without enabling it. For this example, keep the plugin enabled.

6. Scroll down and complete only the following fields with the following parameters.
   1. config.limit: 5
   2. config.sync_rate: -1
   3. config.window_size: 30

   Besides the above fields, there may be others populated with default values. For this example, leave the rest of the fields as they are.

7. Click Create.

Note: This section sets up the basic Rate Limiting plugin. If you have a Kong Gateway instance, see instructions for Using Kong Manager to set up Rate Limiting Advanced with sliding window support instead.

Call the Admin API on port 8001 and configure plugins to enable a limit of five (5) requests per minute, stored locally and in-memory, on the node.

curl -i -X POST http://<admin-hostname>:8001/plugins \
  --data name=rate-limiting \
  --data config.minute=5 \
  --data config.policy=local

http -f post :8001/plugins \
  name=rate-limiting \
  config.minute=5 \
  config.policy=local

Note: This section sets up the basic Rate Limiting plugin. If you have a Kong Gateway instance, see instructions for Using Kong Manager to set up Rate Limiting Advanced with sliding window support instead.

1. Add a new plugins section to the bottom of your kong.yaml file. Enable rate-limiting with a limit of five (5) requests per minute, stored locally and in-memory, on the node:

    plugins:
    - name: rate-limiting
      config:
        minute: 5
        policy: local
   

   Your file should now look like this:

    _format_version: "1.1"
    services:
    - host: mockbin.org
      name: example_service
      port: 80
      protocol: http
      routes:
      - name: mocking
        paths:
        - /mock
        strip_path: true
    plugins:
    - name: rate-limiting
      config:
        minute: 5
        policy: local
   

   This plugin will be applied globally, which means the rate limiting applies to all requests, including every Service and Route in the Workspace.

   If you pasted the plugin section under an existing Service, Route, or Consumer, the rate limiting would only apply to that specific entity.

   Note: By default, enabled is set to true for the plugin. You can disable the plugin at any time by setting enabled: false.

2. Sync the configuration:

    deck sync
   

1. Enter <admin-hostname>:8000/mock and refresh your browser six times. After the 6th request, you’ll receive an error message.
2. Wait at least 30 seconds and try again. The service will be accessible until the sixth (6th) access attempt within a 30-second window.

To validate rate limiting, access the API six (6) times from the CLI to confirm the requests are rate limited.

curl -i -X GET http://<admin-hostname>:8000/mock/request

http :8000/mock/request

After the 6th request, you should receive a 429 “API rate limit exceeded” error:

{
"message": "API rate limit exceeded"
}