consul/website/content/docs/agent/limits/index.mdx

53 lines
3.7 KiB
Markdown

---
layout: docs
page_title: Limit Traffic Rates Overview
description: Rate limiting is a set of Consul server agent configurations that you can use to mitigate the risks to Consul servers when clients send excessive requests to Consul resources.
---
# Traffic rate limiting overview
This topic provides overview information about the traffic rates limits you can configure for Consul datacenters.
## Introduction
Configuring rate limits on RPC and gRPC traffic mitigates the risks to Consul servers when client agents or services send excessive read or write requests to Consul resources. A _read_ request is defined as any request that does not modify Consul internal state. A _write_ request is defined as any request that modifies Consul internal state. Configure read and write request limits independently.
## Workflow
You can set global limits on the rate of read and write requests that affect individual servers in the datacenter. You can set limits for all source IP addresses, which enables you to specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. The following steps describe the general process for setting global read and write rate limits:
1. Set arbitrary limits to begin understanding the upper boundary of RPC and gRPC loads in your network. Refer to [Initialize rate limit settings](/consul/docs/agent/limits/usage/init-rate-limits) for additional information.
1. Monitor the metrics and logs and readjust the initial configurations as necessary. Refer to [Monitor rate limit data](/consul/docs/agent/limits/usage/monitor-rate-limit-data)
1. Define your final operational limits based on your observations. If you are defining global rate limits, refer to [Set global traffic rate limits](/consul/docs/agent/limits/usage/set-global-rate-limits) for additional information. For information about setting limits based on source IP, refer to [Limit traffic rates for a source IP](/consul/docs/agent/limits/usage/set-source-ip-rate-limits).
### Order of operations
You can define request rate limits in the agent configuration and in the control plane request limit configuration entry. The configuration entry also supports rate limit configurations for Consul resources. Consul perfroms the following order of operations when determing request rate limits:
1. Parse request.
1. Does the request reach a global server limit?
- No: Proceed to the next stage.
- Yes: Return an error that the requested resource has been exhausted.
1. Does the request reach a limit associated with its source IP address?
- No: Proceed to the next stage.
- Yes: Return an error that the requested resource has been exhausted.
1. Resolve the Consul Enterprise metadata.
1. Does the request reach a limit associated with the source partition?
- No: Proceed to the next stage.
- Yes: Return an error that the requested resource has been exhausted.
1. Does the request reach a limit associated with the source namespace?
- No: Proceed to the next stage.
- Yes: Return an error that the requested resource has been exhausted.
1. Resolve the ACL identity associated with the request.
1. Does the request reach a limit associated with its identity?
- No: Proceed to the next stage.
- Yes: Return an error that the requested resource has been exhausted.
1. Handle the request.
## Kubernetes
To define global rate limits, configure the `request_limits` settings in the Consul Helm chart. Refer to the [Helm chart reference](/consul/docs/k8s/helm) for additional information. Refer to the [control plane request limit configuration entry reference](/consul/docs/connect/config-entries/control-plane-request-limit) for information about applying a CRD for limiting traffic rates from source IPs.