Skip to content
Kong Summit 2022: Where API Innovation Runs Wild  —Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Konnect Cloud
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Kong Konnect Platform

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Request Demo
  • Kong Gateway
  • Konnect Cloud
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Kong Konnect Platform

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • Older Enterprise versions (0.31-2.5)
  • Older OSS versions (0.13-2.5)
  • Archive (pre-0.13)
    • Overview of Kong Gateway
    • Version Support Policy
    • Changelog
    • Overview
    • Kubernetes
    • Helm
    • OpenShift with Helm
    • Docker
    • Amazon Linux
    • CentOS
    • macOS
    • Debian
    • RHEL
    • Ubuntu
    • Migrating from OSS to EE
    • Upgrade Kong Gateway
    • Upgrade Kong Gateway OSS
      • Configuring a Service
      • Configuring a gRPC Service
      • Enabling Plugins
      • Adding Consumers
      • Prepare to Administer
      • Expose your Services
      • Protect your Services
      • Improve Performance
      • Secure Services
      • Set Up Intelligent Load Balancing
      • Manage Administrative Teams
      • Publish, Locate, and Consume Services
    • Running Kong as a Non-Root User
    • Resource Sizing Guidelines
      • Deploy Kong Gateway in Hybrid Mode
    • Kubernetes Deployment Options
    • Control Kong Gateway through systemd
    • Performance Testing Framework
    • DNS Considerations
    • Default Ports
      • Access Your License
      • Deploy Your License
      • Monitor License Usage
      • Start Kong Gateway Securely
      • Keyring and Data Encryption
      • Kong Security Update Process
        • Getting Started
        • Advanced Usage
          • Environment Variables
          • AWS Secrets Manager
          • Hashicorp Vault
        • Reference Format
      • Authentication Reference
        • OpenID Connect with Curity
        • OpenID Connect with Azure AD
        • OpenID Connect with Google
        • OpenID Connect with Okta
        • OpenID Connect with Auth0
        • OpenID Connect with Cognito
        • OpenID Connect Plugin Reference
      • Allowing Multiple Authentication Methods
        • Create a Super Admin
        • Configure Networking
        • Configure Kong Manager to Send Email
        • Reset Passwords and RBAC Tokens
        • Configure Workspaces
        • Basic Auth
        • LDAP
        • OIDC
        • Sessions
        • Add a Role
        • Add a User
        • Add an Admin
      • Mapping LDAP Service Directory Groups to Kong Roles
    • Configure gRPC Plugins
    • GraphQL Quickstart
    • Logging Reference
    • Network and Firewall
    • Overview
    • Enable the Dev Portal
    • Structure and File Types
    • Portal API
    • Working with Templates
    • Using the Editor
        • Basic Auth
        • Key Auth
        • OIDC
        • Sessions
        • Adding Custom Registration Fields
      • SMTP
      • Workspaces
      • Manage Developers
      • Developer Roles and Content Permissions
        • Authorization Provider Strategy
        • Enable Application Registration
        • Enable Key Authentication for Application Registration
        • External OAuth2 Support
        • Set up Okta and Kong for external OAuth
        • Set Up Azure AD and Kong for External Authentication
        • Manage Applications
      • Easy Theme Editing
      • Migrating Templates Between Workspaces
      • Markdown Rendering Module
      • Customizing Portal Emails
      • Adding and Using JavaScript Assets
      • Single Page App in Dev Portal
      • Alternate OpenAPI Renderer
    • Helpers CLI
      • Metrics
      • Reports
      • Vitals with InfluxDB
      • Vitals with Prometheus
      • Estimate Vitals Storage in PostgreSQL
    • Prometheus plugin
    • Zipkin plugin
      • DB-less Mode
      • Declarative Configuration
      • Supported Content Types
      • Information Routes
      • Health Routes
      • Tags
      • Service Object
      • Route Object
      • Consumer Object
      • Plugin Object
      • Certificate Object
      • CA Certificate Object
      • SNI Object
      • Upstream Object
      • Target Object
      • Vaults Beta
        • Licenses Reference
        • Licenses Examples
        • Workspaces Reference
        • Workspace Examples
        • RBAC Reference
        • RBAC Examples
        • API Reference
        • Examples
      • Developers
        • API Reference
        • Examples
        • Event Hooks Reference
        • Examples
      • Audit Logging
      • Keyring and Data Encryption
      • Securing the Admin API
    • DB-less and Declarative Configuration
    • Configuration Reference
    • CLI Reference
    • Load Balancing Reference
    • Proxy Reference
    • Rate Limiting Library
    • Health Checks and Circuit Breakers Reference
    • Clustering Reference
      • kong.client
      • kong.client.tls
      • kong.cluster
      • kong.ctx
      • kong.ip
      • kong.log
      • kong.nginx
      • kong.node
      • kong.request
      • kong.response
      • kong.router
      • kong.service
      • kong.service.request
      • kong.service.response
      • kong.table
      • kong.vault
      • Introduction
      • File structure
      • Implementing custom logic
      • Plugin configuration
      • Accessing the datastore
      • Storing custom entities
      • Caching custom entities
      • Extending the Admin API
      • Writing tests
      • (un)Installing your plugin
    • Plugins in Other Languages

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • What is Rate Limiting?
  • Why Use Rate Limiting?
  • Set up Rate Limiting
  • Validate Rate Limiting
  • Summary and next steps
Kong Gateway
2.8.x (latest)
  • Home
  • Kong Gateway
  • Get started
  • Comprehensive

Protect your Services

In this topic, you’ll learn how to enforce rate limiting using the Rate Limiting plugin.

If you are following the getting started workflow, make sure you have completed Exposing Your Services before moving on.

What is Rate Limiting?

Kong’s Rate Limiting plugin lets you restrict how many requests your upstream services receive from your API consumers, or how often each user can call the API.

The Rate Limiting Advanced plugin provides support for the sliding window algorithm to prevent the API from being overloaded near the window boundaries, and adds Redis support for greater performance.

Why Use Rate Limiting?

Rate limiting protects the APIs from accidental or malicious overuse. Without rate limiting, each user may request as often as they like, which can lead to spikes of requests that starve other consumers. After rate limiting is enabled, API calls are limited to a fixed number of requests per second.

Set up Rate Limiting

Using Kong Manager
Using the Admin API
Using decK (YAML)
  1. Access your Kong Manager instance and your default workspace.

  2. Go to API Gateway > Plugins.

  3. Click New Plugin.

  4. Scroll down to Traffic Control and find the Rate Limiting Advanced plugin. Click Enable.

  5. Apply the plugin as Global, which means the rate limiting applies to all requests, including every Service and Route in the Workspace.

    If you switched it to Scoped, the rate limiting would apply the plugin to only one Service, Route, or Consumer.

    Note: By default, the plugin is automatically enabled when the form is submitted. You can also toggle the This plugin is Enabled button at the top of the form to configure the plugin without enabling it. For this example, keep the plugin enabled.

  6. Scroll down and complete only the following fields with the following parameters.
    1. config.limit: 5
    2. config.sync_rate: -1
    3. config.window_size: 30

    Besides the above fields, there may be others populated with default values. For this example, leave the rest of the fields as they are.

  7. Click Create.

Note: This section sets up the basic Rate Limiting plugin. If you have a Kong Gateway instance, see instructions for Using Kong Manager to set up Rate Limiting Advanced with sliding window support instead.

Call the Admin API on port 8001 and configure plugins to enable a limit of five (5) requests per minute, stored locally and in-memory, on the node.

cURL
HTTPie
curl -i -X POST http://<admin-hostname>:8001/plugins \
  --data name=rate-limiting \
  --data config.minute=5 \
  --data config.policy=local
http -f post :8001/plugins \
  name=rate-limiting \
  config.minute=5 \
  config.policy=local

Note: This section sets up the basic Rate Limiting plugin. If you have a Kong Gateway instance, see instructions for Using Kong Manager to set up Rate Limiting Advanced with sliding window support instead.

  1. Add a new plugins section to the bottom of your kong.yaml file. Enable rate-limiting with a limit of five (5) requests per minute, stored locally and in-memory, on the node:

     plugins:
     - name: rate-limiting
       config:
         minute: 5
         policy: local
    

    Your file should now look like this:

     _format_version: "1.1"
     services:
     - host: mockbin.org
       name: example_service
       port: 80
       protocol: http
       routes:
       - name: mocking
         paths:
         - /mock
         strip_path: true
     plugins:
     - name: rate-limiting
       config:
         minute: 5
         policy: local
    

    This plugin will be applied globally, which means the rate limiting applies to all requests, including every Service and Route in the Workspace.

    If you pasted the plugin section under an existing Service, Route, or Consumer, the rate limiting would only apply to that specific entity.

    Note: By default, enabled is set to true for the plugin. You can disable the plugin at any time by setting enabled: false.

  2. Sync the configuration:

     deck sync
    

Validate Rate Limiting

Using a Web Browser
Using the Admin API
  1. Enter <admin-hostname>:8000/mock and refresh your browser six times. After the 6th request, you’ll receive an error message.
  2. Wait at least 30 seconds and try again. The service will be accessible until the sixth (6th) access attempt within a 30-second window.

To validate rate limiting, access the API six (6) times from the CLI to confirm the requests are rate limited.

cURL
HTTPie
curl -i -X GET http://<admin-hostname>:8000/mock/request
http :8000/mock/request

After the 6th request, you should receive a 429 “API rate limit exceeded” error:

{
"message": "API rate limit exceeded"
}

Summary and next steps

In this section:

  • If using the Admin API or decK, you enabled the Rate Limiting plugin, setting the rate limit to 5 times per minute.
  • If using Kong Manager, you enabled the Rate Limiting Advanced plugin, setting the rate limit to 5 times for every 30 seconds.

Next, head on to learn about proxy caching.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2022