APIM Combine throttling policy approach
In APIM we currently have product subscription key level throttling. But obviously, if we have multiple APIs within the same product, one API could consume more quota than expected and prevent others from being able to use the application. So, as per the MS documentation (https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling), we can use combined policies.
The question is whether, with that approach, we can use it as below:
API-1 300 calls per 60 seconds where product subscription key =123
API-2 200 calls per 60 seconds where product subscription key =123
API-3 200 calls per 60 seconds where product subscription key =123
If so, what could be the total number of calls for the product subscription key, if that makes sense?
I took the approach below to combine policies, but it doesn't like it.
```xml
<rate-limit-by-key calls="50" renewal-period="60" counter-key="@("somevalue" + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
<rate-limit calls="10" renewal-period="30">
    <api name="AddressSearch API dev" calls="5" renewal-period="30" />
    <operation name="Search_GetAddressSuggestions" calls="3" renewal-period="30" />
</rate-limit>
```
Solution 1:[1]
So, to have rate limiting at the API level, I have come up with the below, which addressed my requirement.
```xml
<choose>
    <when condition="@(context.Operation.Id.Equals("End point name1"))">
        <rate-limit-by-key calls="40" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </when>
    <when condition="@(context.Operation.Id.Equals("End point name2"))">
        <rate-limit-by-key calls="20" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </when>
    <otherwise>
        <rate-limit-by-key calls="15" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </otherwise>
</choose>
```
Hope this helps.
Solution 2:[2]
It's important to understand that counters of rate-limit-by-key and rate-limit are independent.
When rate-limit-by-key allows a request to pass, it increases its counter. When rate-limit allows a request to pass, it increases its counters. In your configuration, when rate-limit-by-key throttles a request, rate-limit will not be executed and will not count the request.
What that means is that in most cases the lower limit wins. Your configuration will allow one subscription to make 50 calls per minute, but it's unlikely to make any difference, because the second rate-limit policy will throttle after 10 calls to the same product, thus the first one will not have any chance to do anything.
If you want limits as in your sample, you could use configuration as follows:
```xml
<rate-limit calls="0" renewal-period="0">
    <api name="API-1" calls="100" renewal-period="60" />
    <api name="API-2" calls="200" renewal-period="60" />
    <api name="API-3" calls="300" renewal-period="60" />
</rate-limit>
```
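A small model of the counter behaviour described in this answer, added here as an example and not part of the original post: it replays one call per second for a minute through the question's two policies, with and without `rate-limit-by-key`. The `Window` and `simulate` names, the fixed-window counting, and the rule that every `rate-limit` scope counts an allowed request are assumptions made for illustration, not APIM's implementation.

```python
from collections import defaultdict


class Window:
    """Fixed-window counter (a simplifying assumption, not APIM's actual algorithm)."""
    def __init__(self, calls, period):
        self.calls, self.period = calls, period
        self.seen = defaultdict(int)  # window index -> requests counted

    def allows(self, t):
        return self.seen[t // self.period] < self.calls

    def count(self, t):
        self.seen[t // self.period] += 1


def simulate(arrivals, with_by_key=True):
    """Replay one subscription's calls to one operation through the question's policies.

    arrivals: request times in seconds. Returns (passed, blocked-per-policy dict).
    """
    by_key = Window(50, 60)          # rate-limit-by-key calls="50" renewal-period="60"
    rate_limit = [Window(10, 30),    # rate-limit calls="10" renewal-period="30"
                  Window(5, 30),     #   api child: calls="5"
                  Window(3, 30)]     #   operation child: calls="3"
    passed, blocked = 0, defaultdict(int)
    for t in arrivals:
        if with_by_key:
            if not by_key.allows(t):
                blocked["rate-limit-by-key"] += 1
                continue             # rate-limit is not executed and counts nothing
            by_key.count(t)          # counted as soon as this policy lets the call pass
        if not all(w.allows(t) for w in rate_limit):
            blocked["rate-limit"] += 1
            continue
        for w in rate_limit:         # assumption: every scope counts an allowed request
            w.count(t)
        passed += 1
    return passed, dict(blocked)


if __name__ == "__main__":
    burst = list(range(60))          # constructed input: one call per second for a minute
    print(simulate(burst))
    print(simulate(burst, with_by_key=False))
```

Both runs let the same 6 calls through: the 3-per-30-seconds operation limit decides the outcome, and the 50-per-minute counter only rejects calls the lower limit would have rejected anyway.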
Solution 3:[3]
Just to confirm - you are setting three throttling policies on an API level, based on the subscription key:
API-1: 300 calls per 60 seconds
API-2: 200 calls per 60 seconds
API-3: 200 calls per 60 seconds
In this case, if these are your only APIs, the maximum number of requests per subscription key per 60 seconds is: 300 + 200 + 200 = 700.
If you have more APIs, they will not be throttled unless you specify a policy for them as well.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | SMPH |
| Solution 2 | Vitaliy Kurokhtin |
| Solution 3 | mikebu |
