Rate Limiting
Rate limiting rules control how many requests a client or IP address can send to your application within a specific time window. This helps protect against abuse—such as brute-force attempts, credential stuffing, or denial-of-service attacks—by automatically throttling or blocking traffic that exceeds the allowed threshold. It ensures fair usage, reduces load on your application, and enhances overall security.
You can configure multiple custom rules in your service. Each rule is defined by:
- A condition to match requests against
- A request limit for matching traffic
- An action to take when the limit has been reached, along with the duration for that action
Example
Limit each IP address to 100 requests per minute to the /login endpoint.
If a client exceeds this threshold, block further requests from that IP for 10 minutes.
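The three parts of a rule (condition, request limit, action with duration) applied to the example above, as an added illustration that is not the service's own code. The fixed one-minute window, the `RateLimitRule` class and the sample addresses are assumptions of this sketch; the page does not say how the service counts requests internally.

```python
class RateLimitRule:
    """One rule: a condition, a request limit, and an action duration."""

    def __init__(self, condition, limit, window_s, block_s):
        self.condition = condition   # predicate: does the rule apply to this request?
        self.limit = limit           # maximum requests per window
        self.window_s = window_s     # window length in seconds (fixed window: assumption)
        self.block_s = block_s       # how long the block action lasts, in seconds
        self.counts = {}             # ip -> (window index, requests seen in that window)
        self.blocked_until = {}      # ip -> time at which the block ends

    def check(self, req, now):
        """Return 'allow' or 'block' for one request seen at time `now` (seconds)."""
        if not self.condition(req):
            return "allow"           # rule does not match: request is not counted
        ip = req["ip"]
        if now < self.blocked_until.get(ip, 0):
            return "block"           # action from an earlier violation still in effect
        window = int(now // self.window_s)
        start, count = self.counts.get(ip, (window, 0))
        if start != window:
            count = 0                # a new window has started: reset the counter
        count += 1
        self.counts[ip] = (window, count)
        if count > self.limit:
            self.blocked_until[ip] = now + self.block_s
            return "block"
        return "allow"


def simulate():
    """Replay constructed traffic against the /login rule from the example."""
    rule = RateLimitRule(lambda r: r["path"] == "/login",
                         limit=100, window_s=60, block_s=600)
    ip = "203.0.113.7"               # constructed address (documentation range)
    # 150 login requests in 15 seconds from one client
    burst = [rule.check({"ip": ip, "path": "/login"}, i * 0.1) for i in range(150)]
    return {
        "allowed_in_burst": burst.count("allow"),
        "blocked_in_burst": burst.count("block"),
        "other_path": rule.check({"ip": ip, "path": "/home"}, 20.0),
        "next_window": rule.check({"ip": ip, "path": "/login"}, 120.0),
        "after_block": rule.check({"ip": ip, "path": "/login"}, 700.0),
        "other_ip": rule.check({"ip": "198.51.100.9", "path": "/login"}, 20.0),
    }

if __name__ == "__main__":
    print(simulate())
```

The `next_window` result shows why the action duration matters: the counter resets after one minute, but the client stays blocked until the 10-minute action expires.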
Adding a Rate Limiting Rule
To add a rate limiting rule to your service:
- Navigate to your service.
- In the sidebar, select Security, then select Rate Limiting.
- Click the Create button.
- Fill out the new rate limiting rule form:
  - Rule Name – Enter the name of the new rule.
  - Condition – Define the condition that determines which requests the rule applies to. You can create complex rules with OR and AND operators.
  - Counter – Enter the maximum number of requests allowed during the specified time window.
  - Action – Select the action to take when requests hit the limit, and specify the duration for this action.
- Click Save.
Updating & Deleting a Rate Limiting Rule
To modify or delete a rate limiting rule in your service:
- Navigate to your service.
- In the sidebar, select Security, then select Rate Limiting.
- Find the rule you want to update or delete, then click the Edit icon to modify it, or the Delete icon to remove it.