Protect your API with rate limits using Azure API Management

This guide shows you how easy it is to add protection for your backend API by configuring rate limit and quota policies with Azure API Management.

In this tutorial, you will create a "Free Trial" API product that allows developers to make up to 10 calls per minute and up to a maximum of 200 calls per week to your API using the Limit call rate per subscription and Set usage quota per subscription policies. You will then publish the API and test the rate limit policy.

For more advanced throttling scenarios using the rate-limit-by-key and quota-by-key policies, see Advanced request throttling with Azure API Management.

To create a product

In this step, you will create a Free Trial product that does not require subscription approval.

Note

If you already have a product configured and want to use it for this tutorial, you can jump ahead to Configure call rate limit and quota policies and follow the tutorial from there using your product in place of the Free Trial product.

To get started, click Publisher portal in the Azure Portal for your API Management service.

Publisher portal

If you have not yet created an API Management service instance, see Create an API Management service instance in the Manage your first API in Azure API Management tutorial.

Click Products in the API Management menu on the left to display the Products page.

Add product

Click Add product to display the Add new product dialog box.

Add new product

In the Title box, type Free Trial.

In the Description box, type the following text: Subscribers will be able to run 10 calls/minute up to a maximum of 200 calls/week after which access is denied.

Products in API Management can be protected or open. Protected products must be subscribed to before they can be used. Open products can be used without a subscription. Ensure that Require subscription is selected to create a protected product that requires a subscription. This is the default setting.

If you want an administrator to review and accept or reject subscription attempts to this product, select Require subscription approval. If the check box is not selected, subscription attempts will be auto-approved. In this example, subscriptions are automatically approved, so do not select the box.

To allow developer accounts to subscribe multiple times to the new product, select the Allow multiple simultaneous subscriptions check box. This tutorial does not utilize multiple simultaneous subscriptions, so leave it unchecked.

After all values are entered, click Save to create the product.

Product added

By default, new products are visible to users in the Administrators group. We are going to add the Developers group. Click Free Trial, and then click the Visibility tab.

In API Management, groups are used to manage the visibility of products to developers. Products grant visibility to groups, and developers can view and subscribe to the products that are visible to the groups in which they belong. For more information, see How to create and use groups in Azure API Management.

Add developers group

Select the Developers check box, and then click Save.

To add an API to the product

In this step of the tutorial, we will add the Echo API to the new Free Trial product.

Each API Management service instance comes pre-configured with an Echo API that can be used to experiment with and learn about API Management. For more information, see Manage your first API in Azure API Management.

Click Products from the API Management menu on the left, and then click Free Trial to configure the product.

Configure product

Click Add API to product.

Add API to product

Select Echo API, and then click Save.

Add Echo API

To configure call rate limit and quota policies

Rate limits and quotas are configured in the policy editor. The two policies we will be adding in this tutorial are the Limit call rate per subscription and Set usage quota per subscription policies. These policies must be applied at the product scope.

Click Policies under the API Management menu on the left. In the Product list, click Free Trial.

Product policy

Click Add Policy to import the policy template and begin creating the rate limit and quota policies.

Add policy

Rate limit and quota policies are inbound policies, so position the cursor in the inbound element.

Policy editor

Scroll through the list of policies and locate the Limit call rate per subscription policy entry.

Policy statements

After the cursor is positioned in the inbound policy element, click the arrow beside Limit call rate per subscription to insert its policy template.

<rate-limit calls="number" renewal-period="seconds">
    <api name="name" calls="number">
        <operation name="name" calls="number" />
    </api>
</rate-limit>

As you can see from the snippet, the policy allows setting limits for the product's APIs and operations. In this tutorial we will not use that capability, so delete the api and operation elements from the rate-limit element, such that only the outer rate-limit element remains, as shown in the following example.

<rate-limit calls="number" renewal-period="seconds">
</rate-limit>

In the Free Trial product, the maximum allowable call rate is 10 calls per minute, so type 10 as the value for the calls attribute, and 60 for the renewal-period attribute.

<rate-limit calls="10" renewal-period="60">
</rate-limit>

To configure the Set usage quota per subscription policy, position your cursor immediately below the newly added rate-limit element within the inbound element, and then locate and click the arrow to the left of Set usage quota per subscription.

<quota calls="number" bandwidth="kilobytes" renewal-period="seconds">
    <api name="name" calls="number" bandwidth="kilobytes">
        <operation name="name" calls="number" bandwidth="kilobytes" />
    </api>
</quota>

Similarly to the Limit call rate per subscription policy, the Set usage quota per subscription policy allows setting caps on the product's APIs and operations. In this tutorial we will not use that capability, so delete the api and operation elements from the quota element, as shown in the following example.

<quota calls="number" bandwidth="kilobytes" renewal-period="seconds">
</quota>

Quotas can be based on the number of calls per interval, bandwidth, or both. In this tutorial, we are not throttling based on bandwidth, so delete the bandwidth attribute.

<quota calls="number" renewal-period="seconds">
</quota>

In the Free Trial product, the quota is 200 calls per week. Specify 200 as the value for the calls attribute, and then specify 604800 as the value for the renewal-period attribute.

<quota calls="200" renewal-period="604800">
</quota>

Policy intervals are specified in seconds. To calculate the interval for a week, you can multiply the number of days (7) by the number of hours in a day (24) by the number of minutes in an hour (60) by the number of seconds in a minute (60): 7 * 24 * 60 * 60 = 604800.

When you have finished configuring the policy, it should match the following example.

<policies>
    <inbound>
        <rate-limit calls="10" renewal-period="60">
        </rate-limit>
        <quota calls="200" renewal-period="604800">
        </quota>
        <base />
    </inbound>
    <outbound>
        <base />
    </outbound>
</policies>

After the desired policies are configured, click Save.

Save policy

To publish the product

Now that the APIs are added and the policies are configured, the product must be published so that it can be used by developers. Click Products from the API Management menu on the left, and then click Free Trial to configure the product.

Configure product

Click Publish, and then click Yes, publish it to confirm.

Publish product

To subscribe a developer account to the product

Now that the product is published, it is available to be subscribed to and used by developers.

Administrators of an API Management instance are automatically subscribed to every product. In this tutorial step, we will subscribe one of the non-administrator developer accounts to the Free Trial product. If your developer account is part of the Administrators role, then you can follow along with this step, even though you are already subscribed.

Click Users on the API Management menu on the left, and then click the name of your developer account. In this example, we are using the Clayton Gragg developer account.

Configure developer

Click Add Subscription.

Add subscription

Select Free Trial, and then click Subscribe.

Add subscription

Note

In this tutorial, multiple simultaneous subscriptions are not enabled for the Free Trial product. If they were, you would be prompted to name the subscription, as shown in the following example.

Add subscription

After clicking Subscribe, the product appears in the Subscription list for the user.

Subscription added

To call an operation and test the rate limit

Now that the Free Trial product is configured and published, we can call some operations and test the rate limit policy. Switch to the developer portal by clicking Developer portal in the upper-right menu.

Developer portal

Click APIs in the top menu, and then click Echo API.

Developer portal

Click GET Resource, and then click Try it.

Open console

Keep the default parameter values, and then select your subscription key for the Free Trial product.

Subscription key

Note

If you have multiple subscriptions, be sure to select the key for Free Trial, or else the policies that were configured in the previous steps won't be in effect.

Click Send, and then view the response. Note the Response status of 200 OK.

Operation results

Click Send at a rate greater than the rate limit policy of 10 calls per minute. After the rate limit policy is exceeded, a response status of 429 Too Many Requests is returned.

Operation results

The Response content indicates the remaining interval before retries will be successful.

When the rate limit policy of 10 calls per minute is in effect, subsequent calls will fail until 60 seconds have elapsed from the first of the 10 successful calls to the product before the rate limit was exceeded. In this example, the remaining interval is 54 seconds.
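To make the behaviour of the two product-scope policies easy to reason about before you test against a live gateway, the following added example (not code from the tutorial or from API Management itself) models them as per-subscription fixed windows: 10 calls per 60 seconds and 200 calls per 604800 seconds, with the interval counted from the first successful call in the window, as described above. The subscription key values and the call trace are constructed; the 403 status for an exhausted quota is API Management's behaviour and is not covered on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class FixedWindow:
    """`calls` allowed per `renewal_period` seconds, counted from the first
    successful call in the window (simplified model, not APIM's implementation)."""
    calls: int
    renewal_period: int
    count: int = 0
    window_start: Optional[float] = None

    def try_consume(self, now: float) -> Tuple[bool, int]:
        # Open a fresh window if none exists yet or the previous one has expired.
        if self.window_start is None or now - self.window_start >= self.renewal_period:
            self.window_start, self.count = now, 0
        if self.count >= self.calls:
            # Rejected: report the seconds left until the window renews.
            return False, int(self.window_start + self.renewal_period - now)
        self.count += 1
        return True, 0

@dataclass
class FreeTrialSubscription:
    """Counters for one subscription key under the Free Trial product policies."""
    rate_limit: FixedWindow = field(default_factory=lambda: FixedWindow(10, 60))
    quota: FixedWindow = field(default_factory=lambda: FixedWindow(200, 604800))

    def handle(self, now: float) -> Tuple[int, int]:
        """Return (HTTP status, seconds until retry) for one call at time `now`."""
        ok, retry = self.rate_limit.try_consume(now)
        if not ok:
            return 429, retry   # Too Many Requests, as shown in the tutorial
        ok, retry = self.quota.try_consume(now)
        if not ok:
            return 403, retry   # APIM rejects calls once the weekly quota is used up
        return 200, 0

def simulate(calls: List[Tuple[float, str]]) -> List[Tuple[int, int]]:
    """Run a sequence of (timestamp, subscription_key) through the policies;
    each key gets its own counters because the policies are per subscription."""
    subs: Dict[str, FreeTrialSubscription] = {}
    return [subs.setdefault(key, FreeTrialSubscription()).handle(now) for now, key in calls]

if __name__ == "__main__":
    # Constructed trace: ten calls at t=0, an eleventh at t=6 (429 with 54 s
    # remaining, matching the tutorial), then one at t=60 after the window renews.
    trace = [(0, "free-trial-key")] * 10 + [(6, "free-trial-key"), (60, "free-trial-key")]
    for (now, _), (status, retry) in zip(trace, simulate(trace)):
        print(f"t={now:>3}s -> {status} retry_after={retry}s")
```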

Next steps

  • Watch a demo of setting rate limits and quotas in the following video.