July 5, 2022
2 min read

How to rate limit your requests per consumer groups

Shlomi Tubul

One of the most common use cases our customers are using Kong for is rate limiting. There are a few common reasons for doing this:

  1. Performance – How can you make sure your service will respond with the required service level agreement (SLA)?
  2. Security – How can you block attempts to take down your application, such as a distributed denial of service (DDoS)?
  3. Business – What if you want to give a paying customer better/upgraded service than one that doesn’t?

For all those and more, we’re able to easily add this functionality with Kong's rate limit advanced plugin.

The plugin can be applied at different levels such as service, route, specific consumer, or even in a global scope. By having this flexibility, one can set a generic global limit but then still overrule the global limit to allow for a more specific rate limit at a lower level.

However, after working with many of Kong customers, one use case couldn’t be met with the specificity highlighted above. This use case is how can Kong help when customers want to have different rate limits based on an organization, partner, or tenant? The answer is Kong’s feature of “Consumer Groups,” which we’ll expand on below (and is documented here).

Released on 2.7, the Kong API gateway allows you to define limits per consumer groups. This means that one can still use the general RL functionality as mentioned above, but also add specific limits to certain groups. Let’s see how we can make it work.

Add a service

Add a route

Add Advanced Rate Limiting plugin on the service level, and enforce it to work with 2 consumer groups.

Add key authentication plugin for our consumers

Add 3 consumers

Create Keys for the users for authentication

Add 2 consumer groups — we will assign different users to different groups later on to test our functionality

Let’s see that we are able to access our service and actually get limited requests regardless of the user. We will call our service with Ann and Sarah:

As we can see, both users are limited to 10 calls per minute.

Next phase is to Link between consumer groups and consumers:

Now, let’s change the consumer group functionality and assign different rates to different groups. We will set up the limit of 2000 requests per minute for "hr" group and 1000 requests per minute for "marketing":

Now, lets see what we get when we test with Ann:

As you can see, Ann now has a limit of 2000 RPM, while the plugin general config is 10. One can also test this with John and Sarah and confirm that the grouping is indeed working:

As seen above, both John and Sarah have a limit of 1000 RPM as we wanted.


As we can see, it is very easy to configure Kong to rate limit your traffic with the relevant requirement for your use case — be it security, performance, or business use case.