WHY GARTNER’S “CONTEXT MESH” CHANGES EVERYTHING AI CONNECTIVITY: THE ROAD AHEAD DON’T MISS API + AI SUMMIT 2026 SEPT 30 – OCT 1
We're Entering the Age of AI Connectivity [Read more](/blog/news/the-age-of-ai-connectivity)Read moreProducts & Agents:
[Engineering](/blog/engineering)Engineering
July 5, 2022
2 min read

# How to rate limit your requests per consumer groups

Shlomi Tubul

One of the most common use cases our customers are using Kong for is [API rate limiting](https://konghq.com/blog/learning-center/what-is-api-rate-limiting)API rate limiting. There are a few common reasons for doing this:

  1. - **Performance** – How can you make sure your service will respond with the required service level agreement (SLA)?
  2. - **Security** – How can you block attempts to take down your application, such as a distributed denial of service (DDoS)?
  3. - **Business** – What if you want to give a paying customer better/upgraded service than one that doesn’t?

For all those and more, we’re able to easily add this functionality with [Kong's rate limit advanced plugin](https://docs.konghq.com/hub/kong-inc/rate-limiting-advanced/)Kong's rate limit advanced plugin.

The plugin can be applied at different levels such as service, route, specific consumer, or even in a global scope. By having this flexibility, one can set a generic global limit but then still overrule the global limit to allow for a more specific rate limit at a lower level.

However, after working with many of Kong customers, one use case couldn’t be met with the specificity highlighted above. This use case is how can Kong help when customers want to have different rate limits based on an organization, partner, or tenant? The answer is Kong’s feature of “Consumer Groups,” which we’ll expand on below (and is documented [here)](https://docs.konghq.com/gateway/latest/admin-api/consumer-groups/examples/)here).

Released on 2.7, the Kong API gateway allows you to define limits per consumer groups. This means that one can still use the general RL functionality as mentioned above, but also add specific limits to certain groups. Let’s see how we can make it work.

**Add a service**

➜  demo-environment git:(main) ✗ http post localhost:8001/services name=prod-backend url=http://httpbin.org/anything
 
 
HTTP/1.1 201 Created
 
{
    "ca_certificates": null,
    "client_certificate": null,
    "connect_timeout": 60000,
    "created_at": 1655216213,
    "enabled": true,
    "host": "httpbin.org",
    "id": "9c77f727-42d2-4f75-b194-9b6dd9fcfe5b",
    "name": "prod-backend",
    "path": "/anything",
    "port": 80,
    "protocol": "http",
    "read_timeout": 60000,
    "retries": 5,
    "tags": null,
    "tls_verify": null,
    "tls_verify_depth": null,
    "updated_at": 1655216213,
    "write_timeout": 60000
}

**Add a route**

➜  demo-environment git:(main) ✗ http post localhost:8001/services/prod-backend/plugins  name=rate-limiting-advanced config:='{"sync_rate": 0, "window_size": [60], "limit": [10], "enforce_consumer_groups":true, "consumer_groups": ["hr","marketing"]}'
 
 
 
HTTP/1.1 201 Created
{
    "config": {
        "consumer_groups": [
            "hr",
            "marketing"
        ],
        "dictionary_name": "kong_rate_limiting_counters",
        "enforce_consumer_groups": true,
        "header_name": null,
        "hide_client_headers": false,
        "identifier": "consumer",
        "limit": [
            10
        ],
        "namespace": "vCcg7OpfB1rGxRrCaJ3vEytelRyqUfyZ",
        "path": null,
        "redis": {
            "cluster_addresses": null,
            "connect_timeout": null,
            "database": 0,
            "host": null,
            "keepalive_backlog": null,
            "keepalive_pool_size": 30,
            "password": null,
            "port": null,
            "read_timeout": null,
            "send_timeout": null,
            "sentinel_addresses": null,
            "sentinel_master": null,
            "sentinel_password": null,
            "sentinel_role": null,
            "sentinel_username": null,
            "server_name": null,
            "ssl": false,
            "ssl_verify": false,
            "timeout": 2000,
            "username": null
        },
        "retry_after_jitter_max": 0,
        "strategy": "cluster",
        "sync_rate": 0,
        "window_size": [
            60
        ],
        "window_type": "sliding"
    },
    "consumer": null,
    "created_at": 1655216600,
    "enabled": true,
    "id": "cf9ade32-7be9-49c4-9414-1e2e25a4c74e",
    "name": "rate-limiting-advanced",
    "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
    ],
    "route": null,
    "service": {
        "id": "9c77f727-42d2-4f75-b194-9b6dd9fcfe5b"
    },
    "tags": null
}

**Add 2 consumer groups — we will assign different users to different groups later on to test our functionality**

➜  demo-environment git:(main) ✗ http :8000/requests apikey:1kGHqaKRlFPuTh5T1GOyyNo4iG3Fsvfj
 
HTTP/1.1 200 OK
……
RateLimit-Limit: 10
RateLimit-Remaining: 9
…….
 
 
➜  demo-environment git:(main) ✗ http :8000/requests apikey:skIZ9Imx0fpJsAH36tP9PDpAELotbuuM
 
HTTP/1.1 200 OK
…….
RateLimit-Limit: 10
RateLimit-Remaining: 9
……

➜  demo-environment git:(main) ✗ http :8000/requests apikey:1kGHqaKRlFPuTh5T1GOyyNo4iG3Fsvfj
 
 
HTTP/1.1 200 OK
….
RateLimit-Limit: 2000
RateLimit-Remaining: 1999
……

**As seen above, both John and Sarah have a limit of 1000 RPM as we wanted.**

### **Summary**

As we can see, it is very easy to configure Kong to rate limit your traffic with the relevant requirement for your use case — be it security, performance, or business use case.

**Topics**
- [Rate Limiting](/blog/tag/rate-limiting)Rate Limiting- [Plugins](/blog/tag/plugins)Plugins
Shlomi Tubul

Recommended posts

## Ready to see Kong in action?

Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.

[Get a Demo](/contact-sales)Get a Demo