The documentation regarding "Limit call rate by key" (rate-limit-by-key) states that:
"This feature is unavailable in the Consumption tier of API Management."
I just tried this in my own consumption plan and technically it seems to work as I got a 429 on the sixth attempt:
<rate-limit-by-key calls="5" renewal-period="60" counter-key="@(context.Request.IpAddress)" increment-condition="@(context.Response.StatusCode == 200)" />
In the user interface of API Management, "Set usage quota per subscription" is greyed out and unavailable. Since "Limit call rate per key" is not, my assumption would be that the documentation is wrong. Unless it comes with some side effects when used on the consumption plan?
My region is West Europe. Let me know if you need additional information.
(Also: you should keep the last update date in sync with the GitHub commits. It currently says 11/28/2017, which gives a wrong impression since it has been updated since - the consumption plan, which is mentioned on the page, was introduced in December 2018.)
@bremnes Thank you for the feedback! We are investigating this and will get back to you shortly.
@vladvino @miaojiang could you weigh in on the callout regarding feature availability in Consumption tier? Happy to remove the Note block and create a PR.
Hi @bremnes thanks for reporting. The policy is there by mistake and will be removed soon. We are currently making improvements to the policy and plan to make it available in the Consumption tier in the future.
Thanks for the feedback @miaojiang. We want to use this functionality and would prefer it to not be removed. Can you expand on why it will be removed and re-added later on? Bugs, performance issues, availability concerns, etc?
@bremnes we need to address performance issues before making it available.
@bremnes We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
Hello @mike-urnun-msft any news on when Limit call rate by key will be available in Consumption tier?
Disclaimer: I cannot use tiers != consumption for budget reasons.
This limit by call rate by IP is super important, here is why:
suppose you have an API accessed by a web site with a JavaScript call,
if an attacker keeps requesting the API, he will deny access to all other legit users,
so this limitation is enforcing the DoS attackers 💪😈
The only solution I can see now is to implement an IP filter in my backend API, but this vanishes the idea that cloud services take care of infrastructure and let us developers focus on business logic ☹
@antogh We have no ETA or plan for rate limit by key support in the Consumption tier at this time.
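The backend-side fallback mentioned in this thread, as an added example that is not part of the original discussion or of API Management: a per-IP counter using the same parameters as the policy quoted above (5 calls, 60-second renewal period, counted only on a 200 response). The class and function names are hypothetical, the fixed-window algorithm is an assumption rather than APIM's implementation, and the state is in-memory for a single process with no eviction of old keys.

```python
import math
import time


class KeyedRateLimiter:
    """Fixed-window call counter per key (illustrative; not APIM's algorithm)."""

    def __init__(self, calls=5, renewal_period=60, clock=time.monotonic):
        self.calls = calls
        self.renewal_period = renewal_period
        self.clock = clock
        self._windows = {}  # key -> [window_start, count]; never evicted here

    def _window(self, key):
        now = self.clock()
        win = self._windows.get(key)
        # Start a fresh window for a new key or once the renewal period elapsed.
        if win is None or now - win[0] >= self.renewal_period:
            win = self._windows[key] = [now, 0]
        return win

    def allow(self, key):
        return self._window(key)[1] < self.calls

    def record(self, key, status_code):
        # Mirrors increment-condition: only successful responses are counted.
        if status_code == 200:
            self._window(key)[1] += 1

    def retry_after(self, key):
        win = self._window(key)
        return max(0, math.ceil(win[0] + self.renewal_period - self.clock()))


def handle(limiter, client_ip, backend):
    """client_ip must be the real client address, not a proxy's."""
    if not limiter.allow(client_ip):
        return 429, {"Retry-After": str(limiter.retry_after(client_ip))}
    status = backend()
    limiter.record(client_ip, status)
    return status, {}


def simulate():
    """Constructed scenario: six calls from one IP, one from another, one after 61 s."""
    t = [0.0]  # fake clock so the run is deterministic
    limiter = KeyedRateLimiter(calls=5, renewal_period=60, clock=lambda: t[0])
    ok = lambda: 200
    statuses = [handle(limiter, "203.0.113.7", ok)[0] for _ in range(6)]
    other = handle(limiter, "198.51.100.9", ok)[0]
    t[0] = 61.0
    after = handle(limiter, "203.0.113.7", ok)[0]
    return statuses, other, after
```

With more than one backend instance the counters would have to live in a shared store for the limit to hold across instances.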