Rate limiting a specific route on a Cloud Run application

Hi,

We have an application that is deployed to Cloud Run; it’s a Python FastAPI API.

The Cloud Run service is exposed directly on the internet and is not managed through an API gateway for the moment.

I would like to rate-limit a specific route on the API. Besides doing it from the application itself, is there a way to handle this from GCP?

From my initial research, it would seem that it would require using an API Gateway like Cloud Endpoints or Apigee.

Cloud Armor is not seeing the specific services on the deployed Cloud Run application as they aren’t managed directly through GCP.

Have I missed something?

Every Google API (internal and external) enforces some degree of rate limiting or quota. This is a fundamental principle of service design at Google.

According to this documentation, Apigee is a well-known product for enterprise-grade advanced API gateway management, but it also has an enterprise-grade cost, while Cloud Endpoints or API Gateway use API keys for quotas and rate limits. And it’s not suitable for a large number of users because an API key identifies a project, not a key. Therefore, if you have more API keys generated on the same project, the quota will be shared among all those keys. To solve that, you must have one API key per project, to have a strict separation of quotas.

Cloud Armor Rate Limiting delivers new capabilities to protect security policy protected backend services from a large set of requests flooding the application instances and blocking access for legitimate users.

Google Cloud Armor has two types of rate-based rules:

  • Throttle: Rate limit requests matching a rule on a per-client basis.
  • Rate-based-ban: Rate limit requests matching a rule on a per-client basis and also ban those clients for a configured duration if they exceed a threshold.

Clients are identified by keys which could be all clients, or a group of clients identified by IP, HTTP Header, HTTP Cookie or IP in X-Forwarded-For header.

You can preview the effects of rate limiting rules in a security policy by using preview mode and examining your request logs.
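
The two rule types described above, scoped to a single route and created in preview mode, as an added example that is not part of the original thread. It assumes the Cloud Run service is fronted by an external Application Load Balancer (serverless NEG) whose backend service has the Cloud Armor policy attached; the policy name, route, priorities and thresholds are placeholders.

```shell
#!/bin/sh
# Added example: Cloud Armor rate-based rules for one route, in preview mode.
# Assumed placeholders (not from the thread): policy name, route, thresholds.
# Run with GCLOUD=echo to print the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"
POLICY="${POLICY:-api-policy}"     # hypothetical security policy name
ROUTE="${ROUTE:-/v1/search}"       # hypothetical route to protect

# Throttle: cap each client IP at 60 requests per 60 s on the route.
# Requests over the cap get HTTP 429; requests under it are allowed.
# $1 = rule priority (lower number is evaluated first).
throttle_route() {
  "$GCLOUD" compute security-policies rules create "$1" \
    --security-policy="$POLICY" \
    --expression="request.path.matches('${ROUTE}')" \
    --action=throttle \
    --rate-limit-threshold-count=60 \
    --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=IP \
    --preview
}

# Rate-based ban: same threshold, but a client that exceeds it is also
# banned for 600 s instead of only having the excess requests rejected.
# $1 = rule priority.
ban_route() {
  "$GCLOUD" compute security-policies rules create "$1" \
    --security-policy="$POLICY" \
    --expression="request.path.matches('${ROUTE}')" \
    --action=rate-based-ban \
    --rate-limit-threshold-count=60 \
    --rate-limit-threshold-interval-sec=60 \
    --ban-duration-sec=600 \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=IP \
    --preview
}

# Example invocation (choose one rule type per route):
#   throttle_route 1000
```

Rules are evaluated in priority order and the first match wins, so use one of the two rule types per route. If the Cloud Run service's ingress is left open to all traffic, clients can still call its run.app URL directly and never pass through the policy.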