WSO2 APIM v4 | Rate Limiting for Unauthenticated Requests

-

Hi All, Let me share an interesting topic of WSO2 API Manager. The scenario has been tested with WSO2 API Manager v4 series as on date. So, below is the use case and analysis of the same.

Use Case-
There came a scenario where we need to expose an API endpoint with no security i.e. API Gateway is just acting as a medium to route the traffic to the backend service while no security to be applied. So, the API would be accessible without access token or apikey.
To achieve this, I have disabled the security header via publisher for respective resource and published the same with new revision in API Manager 4 (apim 4.1.0 in my case). The API is having 1 resource with GET method; so directly calling the API URL in the browser was giving the response as expected. Also the Subscription quota was at API level with Unlimited Tier

Below screenshot shows how to disable the security for respective resource-
Figure- Disable Security of API Resource in WSO2 APIM via Publisher Portal
Figure- Disable Security of API Resource in WSO2 APIM via Publisher Portal

Problem Statement
When performed the performance tests, the APIs got throwing HTTP 429 too many requests with below error message-
{"code":"900804","message":"Message throttled out","description":"You have exceeded your quota .You can access API after 2024-Feb-15 09:12:00+0000 UTC","nextAccessTime":"2024-Feb-11 09:12:00+0000 UTC"}

Below is the screenshot of performance test - 100 Concurrent users for 2 mins
Figure- Performance test results 100 concurrent users for 2 mins
Figure- Performance test results 100 concurrent users for 2 mins

Root Cause
The APIs get's throttled despited of Subscription with Unlimited Tier. Further, it has been identified that the unlimited tier has quota of 2147483647 but still the throttling was happening.
Figure- Unlimited tier quota
Figure- Unlimited tier quota

The Resolution
Since we have disabled the security, hence the default subscription policy applicable in this scenario would be Unauthenticated instead Unlimited. The default value of Unauthenticated tier is 500 Request/Minute so the APIs will throttle after 500 requests in a minute. To overcome this situation, we must change the value to a higher one as per our requirement and it will resolve the throttling issue. Below screenshot shows the Unauthenticated tier and we can change the policy by editing the same-
Figure- Unauthenticated tier quota
Suggestion
Though we can change the value to a higher one but we must ensure our backend capacity accordingly before changing the values for Unauthenticated tier. So, let's say our backend can handle 2500 Requests/Minute, we must ensure the optimal value for Unauthenticated tier to avoid any attack on our backend since API Gateway can only do the throttling as per the quota specified in Unauthenticated Tier and there is no token/apikey validation happening on Gateway due to disabled security on resource.

NOTE: The same scenario could be applicable for authentication as Basic Auth too for an application.


Comments

Post a Comment

Popular posts from this blog

Oracle SOA Suite- Implementing Email Notification

-
Image
In this post, I am going to show how to implement email notifications in Oracle SOA Suite using BPEL process. So let's get started- Implementing email notification in Oracle SOA Suite consists of below steps: Environment- IDE- Oracle jDeveloper 11g Weblogic Server 12c Oracle SOA Suite 12c High Level Steps Keep ready email server settings. Configure & enable usermessagingdriver-email for target SOA servers via console. Setting up Email driver (usermessagingdriver-email )with email server settings via enterprise manager. Enable notifications for SOA workflows(make sure either All or EMail option is selected).. Create SOA composite application Deploy it on SOA server. Testing & done. 1. Keep ready email server settings. Keep ready your below email server settings: Outgoing Mail Server          : smtp.domain.com Outgoing Mail Server Port   : xxx Default From Address         : username@doamin.com Outgoing Username            : actualemailid@doma
Read more

Oracle SOA Suite 12c- PKIX path building failed & unable to find valid certification path to requested target

-
Image
Hi Everyone, in this blog I'll be writing one of the strange issue that has been encountered while working with a Oracle SOA composite running in Oracle IDAM environment and trying to invoke a SSL based remote service where SSL certification based exception has been thrown during the service invocation. Environment Oracle SOA Suite 12c  (HA Mode) Oracle IDAM 12c (HA Mode) Oracle Linux 7 External Web Service (SOAP Service) Problem Below is the exception thrown when trying to invoke an external webservice (SSL Based) via BPEL process- <bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https://idam.uppclonline.com/soa-infra/services/default/DefaultOperationalApproval!5.12*soa_69e4734b-d8fe-4edf-b44e-e287f61c2ddf/SMSNotification%23ApprovalProcess/SMSNotification" succe
Read more

Migration of Oracle SOA Suite Composite from 11g to 12c

-
Image
Recently I have came across a scenario where I have a business requirement of  migration of Oracle SOA Suite 11g(11.1.1.7.0) to 12c(12.1.3.0). Below are the different mechanisms I have tried to do, few of them failed and one succeeded. Working in Oracle SOA Suite 11g is completely different from 12c. In 11g, we need to install the jDeveloper(11.1.1.7) then SOA extension separately to be installed either via offline file  (download available at  https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/156082.xml ) or through jDeveloper top menu >>  Help >> Check for Updates >> SOA Extension.  While working with 12c doesn't involves such tedious job. Only single installer is required for jDeveloper/SOA/Weblogic and is available as QuickStart Installer(download available at https://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html). Approach 1- Compress(Zip) SOA composite code of 11g version (11.1.1.7.0) and unzip to a differe
Read more