Page MenuHomePhabricator
Create Task
Maniphest T295956

Proposal: add a per-service rate limit setting to API Gateway
Closed, ResolvedPublic
Actions

Description

Hi everybody,
not sure if there is already a task about this, I quickly checked and didn't find it, in case please close it as duplicate :)

If my understanding is correct, the current rate-limit settings for API-Gateway is around 500 requests/hour for anonymous users and 5000 for logged in users, applied globally for all services. I am wondering if we could add the possibility to have this rate-limit per service, so backend owners can decide the best values for their services without trying to come up with a compromise with other teams.

Another very nice feature would be to have a way to apply rate limits to a specific combination of client metadata, like UA and IP. The use case that I am thinking of is if a bot or a specific user generates too much traffic and a backend service owner wants to act on it without impacting other regular users (not impacting the service with their request flows).

The ML team is more than happy to help in the development of these features if you feel that they are sound and consistent with the current API-Gateway's plans.

Details

SubjectRepoBranchLines +/-
api-gateway: move route_name metadata to route leveloperations/deployment-chartsmaster+4 -4
api-gateway: allow discovery services to set custom rate limitsoperations/deployment-chartsmaster+97 -16
api-gateway: allow discovery services to set custom rate limitsoperations/deployment-chartsmaster+79 -14
api-gateway: bump chartoperations/deployment-chartsmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

elukey created this task.Nov 18 2021, 8:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 18 2021, 8:32 AM
Urbanecm subscribed.Nov 18 2021, 11:01 AM

No problem with this (if there's an usecase here), but note that individual clients with an acceptable need for higher rate limit may be promoted to higher ratelimit tiers, which is a simpler measure that might be used before this gets implemented :-). According to my current understanding, there are three rate limits currently:

  • Default (5000 requests/hour)
  • Preferred (25,000 requests/hour)
  • Internal (100,000 requests/hour)

That being said, I'm not sure if the Machine-Learning-Team usecase is only for a few specific clients (so promoting them to higher tiers can make sense), or if the usecase is that almost all consumers of your API need higher limits than 5k reqs/hour.

elukey added a comment.Nov 18 2021, 12:16 PM

Hi @Urbanecm! Thanks for the link, very interesting, I didn't know it.

My understanding of the API-Gateway is still very high level, so I may have the wrong picture in my head. IIUC any limit/tier is related to a client making requests to any of the services behind API-Gateway, it doesn't really distinguish between use cases. For example, if we add the inference service to API-Gateway, a user can make requests to linkreccomendation, mw-api and inference regardless of the size and capabilities of their backends. I agree that we should have a high level global limit for the API-Gateway service itself (taking priority over the rest), but it would be nice to allow backend service owners to decide the user limits for their backends.

The tiers are great but IIUC they are about specific clients, there is nothing at the moment that would identify something like "ML traffic".

elukey added a parent task: T288789: API Gateway Integration.Nov 22 2021, 9:44 AM
elukey moved this task from Unsorted to Backlog/SRE on the Machine-Learning-Team board.Nov 22 2021, 4:27 PM
gerritbot added a comment.Nov 25 2021, 4:11 PM

Change 741937 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] api-gateway: allow discovery services to set custom rate limits

https://gerrit.wikimedia.org/r/741937

gerritbot added a project: Patch-For-Review.Nov 25 2021, 4:11 PM
hnowlan added a project: Platform Team Workboards (Platform Engineering Reliability).Nov 25 2021, 4:34 PM
elukey mentioned this in T288789: API Gateway Integration.Jan 20 2022, 5:33 PM
gerritbot added a comment.Feb 21 2022, 1:11 PM

Change 741937 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: allow discovery services to set custom rate limits

https://gerrit.wikimedia.org/r/741937

Maintenance_bot removed a project: Patch-For-Review.Feb 21 2022, 2:10 PM
gerritbot added a comment.Feb 21 2022, 4:16 PM

Change 764409 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] api-gateway: bump chart

https://gerrit.wikimedia.org/r/764409

gerritbot added a project: Patch-For-Review.Feb 21 2022, 4:16 PM
gerritbot added a comment.Feb 21 2022, 4:38 PM

Change 764409 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: bump chart

https://gerrit.wikimedia.org/r/764409

Maintenance_bot removed a project: Patch-For-Review.Feb 21 2022, 5:10 PM
gerritbot added a comment.Mar 1 2022, 11:03 AM

Change 767070 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] api-gateway: move route_name metadata to route level

https://gerrit.wikimedia.org/r/767070

gerritbot added a project: Patch-For-Review.Mar 1 2022, 11:03 AM
DAbad added a parent task: T306043: <API Platform> API Gateway MVP .Apr 26 2022, 1:57 PM
hnowlan added a comment.Jun 9 2022, 11:53 AM

One major issue with our previous approach to this problem was the use of the metadata_key field in config which assumes that the metadata pointed to by the label provided will be in the Envoy ratelimit format ("ratelimit": {"request_per_unit": 5000, "unit": "HOUR"}). This is fine for the JWT data as we quite literally encode envoy ratelimit headers in the data of the token. However, in the case of Envoy config we just want to configure a descriptor based on an attribute in metadata. I am not fully certain whether this is currently possible in Envoy - docs are fairly scant. I'm going to see if there's another approach we can take.

gerritbot added a comment.Jun 28 2022, 3:13 PM

Change 809198 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/deployment-charts@master] api-gateway: allow discovery services to set custom rate limits

https://gerrit.wikimedia.org/r/809198

gerritbot added a comment.Jul 6 2022, 10:44 AM

Change 809198 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: allow discovery services to set custom rate limits

https://gerrit.wikimedia.org/r/809198

hnowlan added a comment.Jul 7 2022, 11:14 AM

This has been implemented and deployed in production. We currently have no services requiring their own rate limit buckets but this can easily be configured for discovery services.

hnowlan moved this task from Backlog to In review on the Platform Team Workboards (Platform Engineering Reliability) board.Aug 29 2022, 2:10 PM
gerritbot added a comment.Sep 6 2022, 9:18 AM

Change 767070 abandoned by Hnowlan:

[operations/deployment-charts@master] api-gateway: move route_name metadata to route level

Reason:

Incorrect fix, outdated

https://gerrit.wikimedia.org/r/767070

Maintenance_bot removed a project: Patch-For-Review.Sep 6 2022, 9:31 AM
hnowlan moved this task from In review to Done on the Platform Team Workboards (Platform Engineering Reliability) board.Sep 8 2022, 2:09 PM
hnowlan closed this task as Resolved.Oct 4 2022, 4:28 PM
hnowlan claimed this task.
hnowlan mentioned this in T315652: Define custom rate limit tiers for machine learning projects .Mar 23 2023, 2:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL