
WHDB API Throttling

Review
API Throttling - Options

Rate limiting – WAF
• Meant to protect against DDoS attacks.
• Can monitor each request by IP; if within a 5 minute window an IP crosses the rate, it blocks further calls from that IP.
• Unblocking the IP depends on the configuration:
  • Contacting Dev
  • Setting the cooldown period for automatic unblock.

Throttling with API Gateway
• Can protect from DDoS attacks.
• Can set the rate limit per second.
• Can set the burst limit per second.
• Upon crossing the limit, users get an HTTP 429 response (Too Many Requests).
• No blocking / unblocking of IPs.
• Timeouts are hard-limited to 30s, but we need 60s.

At application – ASP.NET MVC
• Caches the IP from each request.
• When the request count reaches the limit, returns 429.
API Throttling – ASP.NET MVC

Possibility
Using an ActionFilterAttribute, which internally uses HttpRuntime.Cache.
Requirement: enable throttling by configuration. For example, an on-prem deployment will not require throttling.

Problems
• The Http cache is a dependency that might not be available with newer runtimes, such as self-hosted options. It is best to avoid this dependency.
• The filter is processed 'too late in the game' within the Web API pipeline, so a lot of resources are spent before you decide that the request should not be processed. A DelegatingHandler should be used instead, because it can be set to run at the beginning of the Web API pipeline and cut off the request before any additional work is done.

Ref:
https://stackoverflow.com/questions/20817300/how-to-throttle-requests-in-a-web-api
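The DelegatingHandler approach described above, as an added example (not code from the WHDB code base or from the WebApiThrottle project): a per-IP throttling handler for ASP.NET Web API 2 that keeps its counters behind a small store interface instead of HttpRuntime.Cache, so the store can be swapped per environment, and that is switched off by configuration for on-prem deployments. The interface, class and option names are hypothetical; the registration snippet in the trailing comment assumes IIS hosting.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

namespace Whdb.Throttling
{
    // Counter store abstraction (hypothetical interface): keeps the handler free of
    // HttpRuntime.Cache so a distributed store can be swapped in per environment.
    public interface IRequestCounterStore
    {
        // Counts one request for the key and returns the total seen in the current window.
        long Increment(string key, TimeSpan window);
    }

    // Fixed-window in-memory store; adequate for a single IIS or self-hosted process.
    public sealed class MemoryRequestCounterStore : IRequestCounterStore
    {
        private sealed class Counter { public long Count; public DateTime WindowStart; }

        private readonly ConcurrentDictionary<string, Counter> _counters =
            new ConcurrentDictionary<string, Counter>();

        public long Increment(string key, TimeSpan window)
        {
            var now = DateTime.UtcNow;
            var counter = _counters.GetOrAdd(key, _ => new Counter { WindowStart = now });
            lock (counter)
            {
                if (now - counter.WindowStart >= window)
                {
                    counter.Count = 0;          // window expired: start a new one
                    counter.WindowStart = now;
                }
                counter.Count++;
                return counter.Count;
            }
        }
    }

    public sealed class ThrottlingOptions
    {
        public bool Enabled { get; set; } = true;        // false for on-prem deployments
        public long Limit { get; set; } = 100;           // requests per window per client IP
        public TimeSpan Window { get; set; } = TimeSpan.FromSeconds(1);
    }

    // Runs first in the Web API pipeline, before routing, filters and model binding.
    public sealed class IpThrottlingHandler : DelegatingHandler
    {
        private readonly ThrottlingOptions _options;
        private readonly IRequestCounterStore _store;
        private readonly Func<HttpRequestMessage, string> _clientIp;

        // clientIp resolves the caller's address for the host in use (IIS, OWIN, self-host);
        // only consult X-Forwarded-For when the load balancer in front is trusted to set it.
        public IpThrottlingHandler(ThrottlingOptions options, IRequestCounterStore store,
                                   Func<HttpRequestMessage, string> clientIp)
        {
            _options = options;
            _store = store;
            _clientIp = clientIp;
        }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            if (!_options.Enabled)
                return base.SendAsync(request, cancellationToken);

            var ip = _clientIp(request) ?? "unknown";
            var seen = _store.Increment("ip:" + ip, _options.Window);
            if (seen > _options.Limit)
            {
                // Short-circuit: no controller work is done for a rejected request.
                var response = new HttpResponseMessage((HttpStatusCode)429)
                {
                    RequestMessage = request,
                    Content = new StringContent("Too many requests."),
                };
                response.Headers.RetryAfter = new RetryConditionHeaderValue(_options.Window);
                return Task.FromResult(response);
            }
            return base.SendAsync(request, cancellationToken);
        }
    }

    // Registration in WebApiConfig.Register(HttpConfiguration config), IIS hosting assumed:
    //
    //   config.MessageHandlers.Add(new IpThrottlingHandler(
    //       new ThrottlingOptions { Enabled = !isOnPrem, Limit = 100, Window = TimeSpan.FromSeconds(1) },
    //       new MemoryRequestCounterStore(),
    //       req => ((System.Web.HttpContextBase)req.Properties["MS_HttpContext"]).Request.UserHostAddress));
}
```

Because the handler sits in config.MessageHandlers, the 429 is returned before the controller, its filters or model binding ever run, which is the point made against the ActionFilterAttribute approach. The in-memory store only counts per process; behind more than one web node a shared store (implementing the same interface) is needed for the limit to mean anything.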

Solution
Use the open-source WebApiThrottle (https://github.com/stefanprodan/WebApiThrottle), also available as a NuGet package, MIT licensed.
• Highly configurable and customizable, and easy to use.
• Option to switch the cache provider based on environment.
• 1.2k stars on GitHub.
• Widely recommended for throttling in ASP.NET. Also available for .NET Core.
API Throttling – API Gateway

[Diagram: Current] Global WAF for CloudFront; Security Group - Inbound: Allows all CloudFront IPs; {stage}.dashboard.{URL} (A record); {stage}.alb.{URL} Load Balancer (origin).

[Diagram: Change] Regional WAF for API Gateway; HTTP_PROXY; Throttling: Rate 100, Burst 50; {stage}.dashboard.{URL} (A record); Security Group - Inbound: Allows all CloudFront IPs; {stage}.alb.{URL} Load Balancer (origin); Custom Domain (edge); block access using *.cloudfront.net.

Changes
• Changes to the deploy scripts / CloudFormation have been made.
• Refer to the dev24 environment, which goes through API Gateway with throttling applied.
PENDING:
• Addressing backward compatibility for WAF in the script.
• Blocking access using *.cloudfront.net at the WAF level.
API Throttling – WAF

[Diagram] Global WAF for CloudFront, with rate-based rule; Security Group - Inbound: Allows all CloudFront IPs; {stage}.alb.{URL} Load Balancer (origin).

Required Changes
• CloudFormation to create the rate-based rule.
• Script to attach the rule to the WAF, as there is currently no way to attach a rate-based rule to the WAF in CloudFormation.
Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-ratebasedrule.html
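The "script to attach the rule" step, as an added example that is not the WHDB deploy script: it creates a WAF Classic regional rate-based rule and inserts it into an existing Web ACL with the AWS SDK for .NET (AWSSDK.WAFRegional package). The SDK type and member names are written from memory of that package and should be checked against its documentation; the Web ACL id, rule name and limit passed in are placeholders.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.WAFRegional;
using Amazon.WAFRegional.Model;

public static class AttachRateBasedRule
{
    // Creates a rate-based rule keyed on source IP and attaches it as a BLOCK rule
    // to the Web ACL. Returns the new rule id so the deploy script can record it.
    public static async Task<string> RunAsync(
        IAmazonWAFRegional waf, string webAclId, string ruleName, long requestsPer5Minutes)
    {
        // WAF Classic requires a fresh change token for every mutating call.
        var token = (await waf.GetChangeTokenAsync(new GetChangeTokenRequest())).ChangeToken;

        var created = await waf.CreateRateBasedRuleAsync(new CreateRateBasedRuleRequest
        {
            Name = ruleName,
            MetricName = ruleName,      // CloudWatch metric name: letters and digits only
            RateKey = RateKey.IP,       // counted per source IP over a 5-minute window
            RateLimit = requestsPer5Minutes,
            ChangeToken = token,
        });
        var ruleId = created.Rule.RuleId;

        // Second mutation, second token: insert the rule into the Web ACL.
        token = (await waf.GetChangeTokenAsync(new GetChangeTokenRequest())).ChangeToken;
        await waf.UpdateWebACLAsync(new UpdateWebACLRequest
        {
            WebACLId = webAclId,
            ChangeToken = token,
            Updates = new List<WebACLUpdate>
            {
                new WebACLUpdate
                {
                    Action = ChangeAction.INSERT,
                    ActivatedRule = new ActivatedRule
                    {
                        Priority = 1,
                        RuleId = ruleId,
                        Type = WafRuleType.RATE_BASED,   // must be set for rate-based rules
                        Action = new WafAction { Type = WafActionType.BLOCK },
                    },
                },
            },
        });
        return ruleId;
    }
}

// Usage from a deploy step (placeholder values):
//   var ruleId = await AttachRateBasedRule.RunAsync(
//       new AmazonWAFRegionalClient(), "<web-acl-id>", "WhdbApiRateLimit", 2000);
```

The Type = RATE_BASED field on the ActivatedRule is the part a plain CloudFormation WebACL rule entry does not express for this WAF generation, which is why the attach step is scripted. Because the script runs twice on a redeploy, a production version should look the rule up by name first (ListRateBasedRules) and skip creation when it already exists; that is the backward-compatibility item listed as pending.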
