Rate limiting

Use rate limit middleware to limit requests per second

The rate limit HTTP middleware allows restricting the maximum number of allowed HTTP requests per second. Rate limiting can protect your application from denial of service (DOS) attacks. DOS attacks can be initiated by malicious 3rd parties but also by bugs in your software (a.k.a. a “friendly fire” DOS attack).

Component format

In the following definition, the maximum requests per second are set to 10:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: ratelimit
  5. spec:
  6.   type: middleware.http.ratelimit
  7.   version: v1
  8.   metadata:
  9.   - name: maxRequestsPerSecond
  10.     value: 10

Spec metadata fields

FieldDetailsExample
maxRequestsPerSecondThe maximum requests per second by remote IP and path. Something to consider is that the limit is enforced independently in each Dapr sidecar and not cluster wide10

Once the limit is reached, the request will return HTTP Status code 429: Too Many Requests.

Alternatively, the max concurrency setting can be used to rate limit applications and applies to all traffic regardless of remote IP or path.

Dapr configuration

To be applied, the middleware must be referenced in configuration. See middleware pipelines.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4.   name: appconfig
  5. spec:
  6.   httpPipeline:
  7.     handlers:
  8.     - name: ratelimit
  9.       type: middleware.http.ratelimit

Related links

Last modified March 18, 2021: Merge pull request #1321 from dapr/aacrawfi/logos (9a399d5)