Create rate limiting tiers with Kong Gateway
To manage API traffic for various user tiers (such as free, basic, and premium subscribers), you can create Consumer Groups for each tier and assign individual Consumers to these groups. Then, configure the Rate Limiting Advanced plugin to apply specific rate limits based on these groups. This setup allows you to enforce customized request limits for each tier, ensuring fair usage and optimizing performance for high-value users.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied to clipboard! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied to clipboard!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied to clipboard!Copy and paste these into your terminal to configure your session.
Set up Consumer authentication
We need to set up authentication to identify the Consumer and apply rate limiting. In this guide, we’ll be using the Key Auth plugin, but you can use any authentication plugin.
Run the following command to configure the Key Auth plugin:
echo '
_format_version: "3.0"
plugins:
- name: key-auth
config:
key_names:
- apikey
' | deck gateway apply -
Create Consumer Groups for each tier
Before you can enable rate limiting for tiers of users, we first have to create Consumer Groups for each tier and then add Consumers to those groups. Consumer Groups are solely a way to organize Consumers of your APIs. In this guide, we’ll create three tiers (Free, Basic, and Premium), so we need to create a unique Consumer Group for each tier:
echo '
_format_version: "3.0"
consumer_groups:
- name: Free
- name: Basic
- name: Premium
' | deck gateway apply -
Create Consumers
Now that you’ve added Consumer Groups for each tier, you can create three Consumers, one for each tier. Here, we’re manually adding Consumers for the sake of ease, but in a production environment, you could use a script that would automatically add Consumers to the correct groups as they sign up for a tier of service.
We’re also adding key auth credentials (key) to each Consumer so they can authenticate and we can test later that rate limiting was correctly configured for the different tiers:
echo '
_format_version: "3.0"
consumers:
- username: Amal
groups:
- name: Free
keyauth_credentials:
- key: amal
- username: Dana
groups:
- name: Basic
keyauth_credentials:
- key: dana
- username: Mahan
groups:
- name: Premium
keyauth_credentials:
- key: mahan
' | deck gateway apply -
Enable rate limiting on each tier
Enable the Rate Limiting Advanced plugin for each tier:
echo '
_format_version: "3.0"
plugins:
- name: rate-limiting-advanced
consumer_group: Free
config:
limit:
- 3
window_size:
- 30
window_type: fixed
retry_after_jitter_max: 0
namespace: free
- name: rate-limiting-advanced
consumer_group: Basic
config:
limit:
- 5
window_size:
- 30
window_type: sliding
retry_after_jitter_max: 0
namespace: basic
- name: rate-limiting-advanced
consumer_group: Premium
config:
limit:
- 10
window_size:
- 30
window_type: sliding
retry_after_jitter_max: 0
namespace: premium
' | deck gateway apply -
This configures the different tiers like the following:
- Free: This configuration sets the rate limit to three requests for every 30 seconds.
- Basic: This configuration sets the rate limit to five requests for every 30 seconds.
- Premium: This configuration sets the rate limit to ten requests for every 30 seconds.
Validate that rate limiting is working on each tier
Now we can test that each rate limiting tier is working as expected by sending a series of HTTP requests (for example, six for Free Tier and seven for Basic Tier) to the endpoint with the appropriate API key with the goal of exceeding the configured rate limit for that tier. The tests wait for one second between requests to avoid overwhelming the server and test rate limits more clearly.
Test the rate limiting of the Free tier:
for _ in {1..4}; do
curl -i $KONNECT_PROXY_URL/anything \
-H "apikey:amal"
echo
done
for _ in {1..4}; do
curl -i http://localhost:8000/anything \
-H "apikey:amal"
echo
done
On the last request, you should get a 429 response with the message API rate limit exceeded.
Test the rate limiting of the Basic tier:
for _ in {1..6}; do
curl -i $KONNECT_PROXY_URL/anything \
-H "apikey:dana"
echo
done
for _ in {1..6}; do
curl -i http://localhost:8000/anything \
-H "apikey:dana"
echo
done
On the last request, you should get a 429 response with the message API rate limit exceeded.
Test the rate limiting of the Premium tier:
for _ in {1..11}; do
curl -i $KONNECT_PROXY_URL/anything \
-H "apikey:mahan"
echo
done
for _ in {1..11}; do
curl -i http://localhost:8000/anything \
-H "apikey:mahan"
echo
done
On the last request, you should get a 429 response with the message API rate limit exceeded.
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.