Envoy rate limit config

Question

I am trying to figure out how to set the rate limit in front-envoy to other services.

I referred their documentation but was unable to see how the configuration actually works. Also came across lyft ratelimit but here also how to use this config is not specified.

Can anybody help me with this?

Answer 1

Envoy's rate limit filter relies on a global gRPC rate limit service such as Lyft's reference implementation. To use theirs, you'll have to build it. Thankfully, a contributor merged in a Dockerfile that you could use, but you'll need to add CMD ./bin/ratelimit to tell the Docker image to run when it starts.

The simplest way to explain the rate limit filter is that it allows for matching on rules that are configured in the actual rate limit service (i.e. the rate limits aren't actually set in Envoy config).

For example, given the Network rate limit filter config:

- name: envoy.ratelimit
  typed_config:
    "@type": "type.googleapis.com/envoy.config.filter.network.rate_limit.v2.RateLimit"
    stat_prefix: ratelimiter
    domain: myservice-ratelimiter
    descriptors:
    - entries:
      - key: path
        value: "/"
    failure_mode_deny: true
    rate_limit_service:
      grpc_service:
        envoy_grpc:
          cluster_name: my-ratelimit-cluster # define a Cluster pointing to the ratelimit service

You can then configure Lyft's ratelimit service as follows (see Lyft's example config.yaml):

domain: myservice-ratelimiter
descriptors:
  - key: path
    value: "/"
    rate_limit:
      unit: second
      requests_per_unit: 50

The configuration looks slightly different for the HTTP rate limit filter, but this should get you pointed in the right direction.