One of the most common use cases our customers are using Kong for is API rate limiting. There are a few common reasons for doing this:

1. Performance – How can you make sure your service will respond with the required service level agreement (SLA)?
2. Security – How can you block attempts to take down your application, such as a distributed denial of service (DDoS)?
3. Business – What if you want to give a paying customer better/upgraded service than one that doesn’t?

For all those and more, we’re able to easily add this functionality with Kong's rate limit advanced plugin.

The plugin can be applied at different levels such as service, route, specific consumer, or even in a global scope. By having this flexibility, one can set a generic global limit but then still overrule the global limit to allow for a more specific rate limit at a lower level.

However, after working with many of Kong customers, one use case couldn’t be met with the specificity highlighted above. This use case is how can Kong help when customers want to have different rate limits based on an organization, partner, or tenant? The answer is Kong’s feature of “Consumer Groups,” which we’ll expand on below (and is documented here).

Released on 2.7, the Kong API gateway allows you to define limits per consumer groups. This means that one can still use the general RL functionality as mentioned above, but also add specific limits to certain groups. Let’s see how we can make it work.

Add a service

Add a route

Add 2 consumer groups — we will assign different users to different groups later on to test our functionality

As seen above, both John and Sarah have a limit of 1000 RPM as we wanted.

Summary

As we can see, it is very easy to configure Kong to rate limit your traffic with the relevant requirement for your use case — be it security, performance, or business use case.