
I would like to hear the best recommendations about where to apply rate limiting on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, which is behind a firewall.

The ingress controller and API gateway are on private subnets. Our VPN users can access both subnets by being members of specific VPN groups. The API gateway can also be reached by the firewall via a subnet integration. The firewall is public and is the entrypoint for all our applications.

We are having a hard time deciding on which of those layers rate limiting should be enforced, because of the lack of articles and discussions about this subject.

Should rate limiting be implemented in the application itself, in the ingress controller, in the API gateway, or on a firewall before traffic even reaches our infrastructure, or even in multiple layers?

  • Found [this answer](https://security.stackexchange.com/a/135813/265500) which recommends using the API gateway for rate-limiting. – Felipe Emerim Jan 25 '22 at 13:53
  • What's your goal in rate limiting? – schroeder Jan 25 '22 at 14:11
  • Our goal is to mitigate some attacks and usage abuse. Our API gateway has a limit on the requests per second it can receive. – Felipe Emerim Jan 25 '22 at 14:23
  • ... then putting in rate-limiting after the gateway seems ... useless? – schroeder Jan 25 '22 at 14:27
  • I agree with you, but our security team said that the application itself should be secured and that not having rate limiting implemented on each application is a vulnerability. I am not a security expert, which is why I asked this question to gather different arguments and experiences. – Felipe Emerim Jan 25 '22 at 14:42

0 Answers
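The comments debate whether an application-level limiter behind the gateway adds anything. Whatever the decision on layering, a limiter in the application only works if it keys on the real client, not on the gateway's address it sees as the TCP peer (keying on the peer would put every user into one bucket and throttle all traffic at once), and it must not believe the leftmost X-Forwarded-For value, which the client controls. The following is an added example, not code from the question, its comments or the linked answer: a per-client token-bucket limiter that derives the client key by walking X-Forwarded-For from the right and skipping a hypothetical trusted proxy range (10.0.1.0/24, standing in for the gateway/ingress subnet), with a naive resolver beside it for contrast. All addresses and the request traffic are constructed for the example.

```python
"""Per-client token-bucket rate limiting in an app that sits behind a trusted gateway.

Added example (not from the original question or its comments). Assumes a
hypothetical layout in which the gateway/ingress on 10.0.1.0/24 appends the
real peer address to X-Forwarded-For before forwarding to the application.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical: the hops we trust to append honest X-Forwarded-For entries.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Resolve the rate-limit key from the rightmost *untrusted* hop.

    Each proxy appends the peer it saw, so the client controls only the
    leftmost entries. Walking right-to-left and skipping known proxies yields
    the first address a trusted hop observed, i.e. the real client. If the TCP
    peer itself is not a trusted proxy (direct VPN access to the pod/ingress),
    the header is ignored entirely.
    """
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain.append(remote_addr)  # the TCP peer is the implicit rightmost hop
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop  # not one of our proxies; let garbage have its own bucket
        if not any(addr in net for net in trusted):
            return str(addr)
    return remote_addr  # every hop was a trusted proxy (internal traffic)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For value."""
    return xff.split(",")[0].strip() if xff else remote_addr


@dataclass
class _Bucket:
    tokens: float
    updated: float


class TokenBucketLimiter:
    """One bucket per key: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = float(capacity)
        self.rate = rate
        self._buckets: dict = {}

    def allow(self, key: str, now: float):
        """Consume one token for `key`; return (allowed, seconds until the next token)."""
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(self.capacity, now)
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - b.tokens) / self.rate


def handle(request: dict, limiter: TokenBucketLimiter, now: float, resolve=client_ip) -> dict:
    """Minimal handler: 429 plus Retry-After once the resolved client is over budget."""
    key = resolve(request["remote_addr"], request["headers"].get("X-Forwarded-For"))
    allowed, wait = limiter.allow(key, now)
    if not allowed:
        return {"status": 429, "key": key, "headers": {"Retry-After": str(max(1, int(wait + 0.999)))}}
    return {"status": 200, "key": key}


def simulate(resolve=client_ip):
    """Replay constructed traffic (5-request burst, 1 req/s refill) and return the status codes."""
    limiter = TokenBucketLimiter(capacity=5, rate=1.0)
    gw = "10.0.1.5"  # constructed: the gateway address the app sees as TCP peer
    traffic = [(i * 0.01, {"remote_addr": gw, "headers": {"X-Forwarded-For": "203.0.113.7"}})
               for i in range(7)]                      # one client, 7 rapid requests
    traffic.append((0.1, {"remote_addr": gw, "headers": {"X-Forwarded-For": "198.51.100.9"}}))  # another client
    # the throttled client prepends a fake hop; the gateway still appends the true peer
    traffic.append((0.2, {"remote_addr": gw, "headers": {"X-Forwarded-For": "192.0.2.1, 203.0.113.7"}}))
    traffic.append((3.2, {"remote_addr": gw, "headers": {"X-Forwarded-For": "203.0.113.7"}}))  # 3 s later
    return [handle(req, limiter, t, resolve)["status"] for t, req in traffic]


if __name__ == "__main__":
    print("trusted-hop resolver:", simulate(client_ip))
    print("naive resolver:      ", simulate(client_ip_naive))
```

With the trusted-hop resolver the spoofed request is still charged to 203.0.113.7 and rejected, while the naive resolver opens a fresh bucket for 192.0.2.1 and lets it through; that difference is the whole value of an in-app limiter, and it is also why a direct connection from the VPN subnet (peer not in the trusted range) should have its header ignored rather than honoured.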