Reputation: 2479
I have one cloud function (Firebase function) which is publicly accessible, and I would like to rate limit this function with the help of Google Cloud Armor.
However, this does not seem to be as trivial a task as I thought; I could not find much documentation on setting up something like this.
This document illustrates exactly what I need but does not provide any guidance on setting this up for a cloud function.
When I try to add a Cloud Armor policy in the GCP console, I cannot even add a target.
I am on the Standard (not Managed Protection Plus) Plan but I think this should be fine.
Upvotes: 2
Views: 1900
Reputation: 316
Note that the solution provided before (only an API gateway) will provide rate limiting at a service/application level if all users from that service use the same API key. A single user could deplete your entire quota and block function execution from other users.
If you need to rate-limit by IP address (or similar), you could:
At least from reading the docs, it should work:
https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless
https://cloud.google.com/armor/docs/rate-limiting-overview
Upvotes: 1
Reputation: 75725
Cloud Armor is a WAF (Web Application Firewall) that filters traffic at the application level of the OSI layers. It's not a rate limiter or authentication layer.
For that you need to add an API management layer that allows you to authenticate and rate limit the API. API Gateway can do that, but only based on an API key. If the user doesn't use an API key, it's a common pool that is rate limited, and a spammer can make the service unavailable by consuming all the quota every time.
Apigee is the other solution, but it's enterprise grade (with an enterprise-grade billing plan).
Or, if it's for protecting your money, you can limit the number of function instances thanks to the great answer of Kunal Deo.
Upvotes: 3
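The point made in the two answers above, that a quota keyed on a shared API key (or on the no-key common pool) can be used up by one client for everyone while a quota keyed on client IP cannot, shown as an added simulation that is not part of the original posts. The limiter class, the limit of 60 requests per minute and the sample traffic are constructed for illustration and are not API Gateway's or Cloud Armor's implementation.

```javascript
// Added illustration: fixed-window rate limiter with a pluggable bucket key.
// Class name, limits and traffic are constructed for this example.
class FixedWindowLimiter {
  constructor({ limit, windowMs, keyOf }) {
    this.limit = limit;       // max requests per key per window
    this.windowMs = windowMs; // window length in milliseconds
    this.keyOf = keyOf;       // request -> bucket key (API key, IP, ...)
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Returns the HTTP status the request would receive: 200 or 429.
  check(req) {
    const key = this.keyOf(req);
    const windowStart = Math.floor(req.timeMs / this.windowMs) * this.windowMs;
    let bucket = this.buckets.get(key);
    if (!bucket || bucket.windowStart !== windowStart) {
      bucket = { windowStart, count: 0 }; // new window: reset the counter
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.limit ? 200 : 429;
  }
}

// Constructed traffic: one noisy client sends 100 requests, then two
// ordinary clients send one request each. All share the same API key.
function sampleTraffic() {
  const reqs = [];
  for (let i = 0; i < 100; i++) {
    reqs.push({ ip: '203.0.113.7', apiKey: 'shared-app-key', timeMs: i * 10 });
  }
  reqs.push({ ip: '198.51.100.20', apiKey: 'shared-app-key', timeMs: 1500 });
  reqs.push({ ip: '198.51.100.21', apiKey: 'shared-app-key', timeMs: 1600 });
  return reqs;
}

// Replays the traffic through a fresh limiter and counts 429s per client IP.
function rejectedByIp(keyOf) {
  const limiter = new FixedWindowLimiter({ limit: 60, windowMs: 60000, keyOf });
  const rejected = {};
  for (const req of sampleTraffic()) {
    if (limiter.check(req) === 429) rejected[req.ip] = (rejected[req.ip] || 0) + 1;
  }
  return rejected;
}

const byApiKey = rejectedByIp((r) => r.apiKey || 'no-key-pool');
const byIp = rejectedByIp((r) => r.ip);
console.log('keyed by API key:', byApiKey); // ordinary clients are rejected too
console.log('keyed by client IP:', byIp);   // only the noisy client is rejected
```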
Reputation: 2298
Cloud Armor does not support rate limiting Cloud Functions. You should instead use the maxInstances option directly within Cloud Functions. This will allow you to control the simultaneous execution of the function.
If an HTTP function is scaled up to the maxInstances limit, new requests are queued for 30 seconds and then rejected with a response code of 429 Too Many Requests if no instance is available by then.
Upvotes: 1