December 21, 2021
3 min read

Set API Bandwidth Limits With This Hackathon Award-Winning Plugin

Narendra Patel

This year, we hosted our inaugural Kong Summit Hackathon. This virtual competition engaged our open source community and offered recognition and prizes for hacks in various categories. The community delivered with ingenious plugins, hacks and documentation.

This blog post highlights our Kong Gateway plugin winner, Narendra Patel. Narendra is a senior DevOps engineer at Egnyte with close to 10 years of experience as a developer, DevOps engineer, SRE and in RPA (robotics process automation). See Narendra's API bandwidth limit plugin on GitHub, and look into his thought process for creating this plugin below.

Interested in participating in next year’s Hackathon? Sign up for updates here.

Bandwidth pricing is a major component of the cloud services model. And for a content-heavy service like a video or document store, egress costs can quickly spiral out of control. To mitigate this, it is important to limit the amount of data that can be downloaded in a given interval. However, bandwidth limiting for a multi-tenant SaaS product adds a few interesting challenges.

At Egnyte, we deal with petabytes of data, and as such, we must keep a close eye on bandwidth consumption. Cloud services need protection against sudden high volume spikes or brute force attempts.

We consolidated our needs into one comprehensive bandwidth limiting plugin to address this issue internally. And now, we have open sourced the bandwidth rate limiter because we believe this is a common problem, and our solution applies to a lot of content-heavy services.

The download rate limiter plugin includes the following capabilities:

  • Rate limiting based on bandwidth consumption
  • Configurable per customer, user or entity
  • Able to filter specific requests in or out
  • Allows limit extensions on weekends
  • Configurable jitter

How the Rate Limiter Works

Our plugin, developed on Kong Gateway (OSS), helps you define per-day download limits on your APIs, which ultimately helps avoid runaway egress fees. You can configure it to filter specific requests or APIs, extract user-defined headers and enforce limits based on custom rules. It can also rate limit/throttle requests based on bandwidth consumption per user, customer or custom entity on a daily consumption basis.

See the Kong documentation for more information on using Kong Gateway and its plugins.

Here is a sample configuration using the plugin:

The configuration instructs Kong Gateway to:

  • Rate limit whenever we have an incoming request with the header set as "X-Domain" (configurable) with a value of test and request URI beginning with /mock/200.
  • Set the limit threshold to 1,000 bytes; an extension of 20% is allowed on weekends, with a max jitter of 10%.
  • Exclude from rate limiting all requests with "X-Domain" as test and "X-Header" as bypass.
  • Make all requests with "X-Domain" as test and "X-Agent" as limit eligible for rate limiting.

Once the set threshold of 1,000 bytes is breached, the plugin would start rate limiting the requests with the HTTP 429 error response status code.

We designed the plugin with considerations for performance and monitoring. And since we built it on OSS, it can be used by everyone.

Check out the plugin here. The GitHub repository contains a detailed description, along with a configuration example to walk you through the setup.

See the API Bandwidth Limit Plugin in Action

I demoed how the plugin works at a Kong user call. Check out the full video below (or on YouTube).

Have questions or want to stay in touch with the Kong community? Join us wherever you hang out:

Star us on GitHub

🐦 Follow us on Twitter

🌎 Join the Kong Community

🍻 Join our Meetups

❓ ️Ask and answer questions on Kong Nation

💯 Apply to become a Kong Champion