Rate Limits

Rate limiting is a crucial security feature that helps protect your applications from abuse, DDoS attacks, and resource exhaustion. Our platform supports multiple types of rate limiting that can be configured at the ingress level.

enable-rate-limit.png

Types of Rate Limits

Limit Connections

Controls the maximum number of concurrent connections allowed from a single IP address or client. This prevents connection flooding attacks and helps maintain server stability.

Use Cases:

  • Prevent connection exhaustion attacks
  • Protect against slowloris attacks
  • Maintain server performance under high load

Limit RPS (Requests Per Second)

Restricts the number of HTTP requests a client can make per second. This is effective against rapid-fire attacks and API abuse.

Use Cases:

  • Prevent API abuse and scraping
  • Protect against brute force attacks
  • Control traffic spikes

Limit RPM (Requests Per Minute)

Limits the total number of requests a client can make within a one-minute window. This provides broader protection against sustained attacks.

Use Cases:

  • Prevent sustained attack campaigns
  • Control long-term usage patterns
  • Protect against automated bots

Configuration

Rate limits can be configured through the platform interface as shown in the image above. You can set different values for each type of limit based on your application's needs and expected traffic patterns.

Important Considerations

Note: Rate limit values are applied and counted per ingress. If you have multiple ingress points (e.g., multiple domains, subdomains, or load balancers), each ingress maintains its own separate counter, so the limits are not enforced across them as a whole and rate limiting may not be 100% effective. If you need precise rate limiting, we suggest implementing it at the application level.
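The per-ingress counting described in the note, shown as an added example (not the platform's code): the same traffic from one client is checked once against three separate per-ingress counters and once against a single application-level counter. The limiter class, the limit values (2 RPS, 60 RPM), the traffic pattern and the client address are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

class FakeClock:
    """Manually advanced clock so the simulation is deterministic."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class SlidingWindowLimiter:
    """Hypothetical limiter enforcing an RPS and an RPM cap per client key."""
    def __init__(self, rps, rpm, clock):
        self.limits = ((1.0, rps), (60.0, rpm))  # (window in seconds, max requests)
        self.clock = clock
        self.hits = defaultdict(deque)  # client key -> timestamps of admitted requests

    def allow(self, client):
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] >= 60.0:  # forget requests older than the longest window
            q.popleft()
        for window, limit in self.limits:
            if sum(1 for t in q if now - t < window) >= limit:
                return False  # a real service would answer HTTP 429 here
        q.append(now)
        return True

def admitted(num_ingresses, shared_counter):
    """One client sends 240 requests in 60 s (4 per second), spread over the ingresses.

    shared_counter=False: every ingress keeps its own counter (the behaviour in the note).
    shared_counter=True: one application-level counter sees all of the traffic.
    """
    clock = FakeClock()
    app = SlidingWindowLimiter(rps=2, rpm=60, clock=clock)
    per_ingress = [SlidingWindowLimiter(rps=2, rpm=60, clock=clock)
                   for _ in range(num_ingresses)]
    count = 0
    for i in range(240):
        clock.now = i * 0.25  # constructed traffic: one request every 250 ms
        limiter = app if shared_counter else per_ingress[i % num_ingresses]
        count += limiter.allow("203.0.113.7")  # constructed client address
    return count

if __name__ == "__main__":
    print("per-ingress counters:", admitted(3, shared_counter=False))
    print("application-level counter:", admitted(3, shared_counter=True))
```

The in-memory dictionary assumes a single application process; with several instances the counter has to live in a store that all of them share, otherwise the same per-counter split reappears at the application level.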

Best Practices

  1. Start Conservative: Begin with higher limits and gradually reduce them based on monitoring
  2. Layer Defense: Combine rate limiting with other security measures like WAF
  3. Test Thoroughly: Ensure rate limits don't block legitimate users