WSO2 APIM v4 | Rate Limiting for Unauthenticated Requests

Hi All, Let me share an interesting topic of WSO2 API Manager. The scenario has been tested with WSO2 API Manager v4 series as on date. So, below is the use case and analysis of the same.

Use Case-
There came a scenario where we need to expose an API endpoint with no security i.e. API Gateway is just acting as a medium to route the traffic to the backend service while no security to be applied. So, the API would be accessible without access token or apikey.
To achieve this, I have disabled the security header via publisher for respective resource and published the same with new revision in API Manager 4 (apim 4.1.0 in my case). The API is having 1 resource with GET method; so directly calling the API URL in the browser was giving the response as expected. Also the Subscription quota was at API level with Unlimited Tier

Below screenshot shows how to disable the security for respective resource-
Figure- Disable Security of API Resource in WSO2 APIM via Publisher Portal
Figure- Disable Security of API Resource in WSO2 APIM via Publisher Portal

Problem Statement
When performed the performance tests, the APIs got throwing HTTP 429 too many requests with below error message-
{"code":"900804","message":"Message throttled out","description":"You have exceeded your quota .You can access API after 2024-Feb-15 09:12:00+0000 UTC","nextAccessTime":"2024-Feb-11 09:12:00+0000 UTC"}

Below is the screenshot of performance test - 100 Concurrent users for 2 mins
Figure- Performance test results 100 concurrent users for 2 mins
Figure- Performance test results 100 concurrent users for 2 mins

Root Cause
The APIs get's throttled despited of Subscription with Unlimited Tier. Further, it has been identified that the unlimited tier has quota of 2147483647 but still the throttling was happening.
Figure- Unlimited tier quota
Figure- Unlimited tier quota

The Resolution
Since we have disabled the security, hence the default subscription policy applicable in this scenario would be Unauthenticated instead Unlimited. The default value of Unauthenticated tier is 500 Request/Minute so the APIs will throttle after 500 requests in a minute. To overcome this situation, we must change the value to a higher one as per our requirement and it will resolve the throttling issue. Below screenshot shows the Unauthenticated tier and we can change the policy by editing the same-
Figure- Unauthenticated tier quota
Suggestion
Though we can change the value to a higher one but we must ensure our backend capacity accordingly before changing the values for Unauthenticated tier. So, let's say our backend can handle 2500 Requests/Minute, we must ensure the optimal value for Unauthenticated tier to avoid any attack on our backend since API Gateway can only do the throttling as per the quota specified in Unauthenticated Tier and there is no token/apikey validation happening on Gateway due to disabled security on resource.

NOTE: The same scenario could be applicable for authentication as Basic Auth too for an application.


Comments

Popular posts from this blog

Oracle SOA Suite- Implementing Email Notification

Oracle SOA Suite 12c- PKIX path building failed & unable to find valid certification path to requested target

Migration of Oracle SOA Suite Composite from 11g to 12c