consul/website/content/docs/agent/limits/usage/limit-request-rates-from-ip...

73 lines
4.0 KiB
Plaintext
Raw Normal View History

---
layout: docs
page_title: Limit traffic rates for a source IP address
description: Learn how to set read and request rate limits on RPC and gRPC traffic from all source IP addresses to a Consul resource.
---
# Limit traffic rates from source IP addresses
This topic describes how to configure RPC and gRPC traffic rate limits for source IP addresses. This enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to [Set a global limit on traffic rates](/consul/docs/agent/limits/usage/set-global-traffic-rate-limits). For an overview of Consul's server rate limiting capabilities, refer to [Limit traffic rates overview](/consul/docs/agent/limits).
<EnterpriseAlert>
This feature requires Consul Enterprise. Refer to the [feature compatibility matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information.
</EnterpriseAlert>
## Overview
You can set limits on the rate of read and write requests from source IP addresses to specific resources, which mitigates the risks to Consul servers when consul clients send excessive requests to a specific resource type. Before configuring traffic rate limits, you should complete the initialization process to understand normal traffic loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/init-rate-limits) for additional information.
Complete the following steps to configure traffic rate limits from a source IP address:
1. Define rate limits in a control plan request limit configuration entry. You can set limits for different types of resources calls.
1. Apply the configuration entry to enact the limits.
You should also monitor read and write rate activity and make any necessary adjustments. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limits) for additional information.
## Define rate limits
Create a control plane request limit configuration entry in the `default` partition. The configuration entry applies to all client requests targeting any partition. Refer to the [control plane request limit configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit) reference documentation for details about the available configuration parameters.
Specify the following parameters:
- `kind`: This must be set to `control-plane-request-limit`.
- `name`: Specify the name of the service that you want to limit read and write operations to.
- `read_rate`: Specify overall number of read operations per second allowed from the service.
- `write_rate`: Specify overall number of write operations per second allowed from the service.
You can also configure limits on calls to the key-value store, ACL system, and Consul catalog.
## Apply the configuration entry
If your network is deployed to virtual machines, use the `consul config write` command and specify the control plane request limit configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the `kubectl apply` command.
<Tabs>
<Tab heading="HCL" group="hcl">
```shell-session
$ consul config write control-plane-request-limit.hcl
```
</Tab>
<Tab heading="JSON" group="json">
```shell-session
$ consul config write control-plane-request-limit.json
```
</Tab>
<Tab heading="Kubernetes" group="kubernetes">
```shell-session
$ kubectl apply control-plane-request-limit.yaml
```
</Tab>
</Tabs>
## Disable request rate limits
Set the [limits.request_limits.mode](/consul/docs/agent/config/config-files#mode-1) in the agent configuration to `disabled` to allow services to exceed the specified read and write requests limits. The `disabled` mode applies to all request rate limits, even limits specified in the [control plane request limits configuration entry](/consul/docs/connect/config-entries/control-plane-request-limit). Note that any other mode specified in the agent configuration only applies to global traffic rate limits.