SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements.  These API Security Best Practices includes security policies for Authentication and Authorization,  Traffic Management and many more.

Rate limiting or Traffic Management is the process of controlling the rate of traffic sent or received by an API endpoint. Rate limiting can have many flavors like limiting the call based on no of hits to the APIs in a given time range, limit the calls for sudden spike in given time range, limit the calls for too many concurrent connections, limiting the calls for high amount of data. In SAP Cloud Platform, API Management we offer out of box security policies for all these use cases which are as follows:-

• Quota Policy enables rate limiting based on no of calls in a given time range


• Spike Arrest Policy enables rate limiting for a sudden spike in the calls


• Concurrent Rate Limit enables rate limiting on the number of concurrent connections to the target endpoint

API rate limits reduces massive API requests that can cause denial of services and is documented as one of the REST security protection in OWASP.  As per RFC, an API should return 429 Too many Requests when an API rate limiting is applied. In this blog, we describe how to apply rate limit using the Quota policies from SAP API Cloud Platform API Management and then extend the same to return a error message of 429 status code and retry interval when quota expires. The re-try interval can be used by the client to make the API call again after the quota interval expires

More best practices covered in API Security Best Practices blog series.

Prerequisites

• SAP Cloud Platform API Management tenant.

Launch API Portal

• Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).


• Navigate to the Services tab, search for API Management service tile and click to open API Management service.

 

• Click on the link Access API Portal to open API Portal.

 

Create an API Proxy

If you already have an API Proxy to which you would like to apply Rate limit, then you can refer to the section Update an API Proxy.

• Navigate to the Define from the hamburger icon, then select the tab APIs and Click on the Create button

 

• Create a new API Proxy for any endpoint say GW Sample services (https://sapes4.sapdevcenter.com/sap/opu/odata/IWBEP/GWSAMPLE_BASIC/) from the SAP Gateway ES4 system. Provide the API Proxy details like Proxy name, title, description and base path and click on the Create button

• Click on the Save and Deploy button to activate the API Proxy.

 

 

With this we have activated an API Proxy which connects to the SAP Gateway OData API https://sapes4.sapdevcenter.com/sap/opu/odata/IWBEP/GWSAMPLE_BASIC/ and is accessible to any one on the public domain without any API rate limit.

Update an existing API Proxy

In this blog, we have extended the API Proxy with restricted access to specific IP address range as described in here

• Navigate to the Define from the hamburger icon, then select the tab APIs then we select the API Proxy to which API Rate limiting would be applied.

 

Rate Limit APIs call via Quota Policy

In this section, we would apply the Quota policy from SAP Cloud Platform, API Management to limit the API calls to 2 calls per minute.

• Click on the Policies button of the newly created API Proxy

 

• Click on the Edit button from the Policy designer, select PreFlow from the ProxyEndPoint and then click on the + button next to the Quota Policy available under the Traffic Management Policies segment.

 

• In the Create Policy dialog, provide the name of the policy say applyRateLimit.and click on the Add button.

 

• The default behavior of the policy execution is to exit the execution in case of error, in this case will continue even in case of error and then handle the error in the next execution step via RaiseFault Policy and therefore we will set the flag continueOnError to true as highlighted in the snippet below

 

<Quota async="false" continueOnError="true" enabled="true" type="calendar" xmlns="http://www.sap.com/apimgmt">

 	<Allow count="2"/>

 	<Interval>1</Interval>

	<Distributed>true</Distributed>

 	<StartTime>2015-2-11 12:00:00</StartTime>

	<Synchronous>true</Synchronous>

 	<TimeUnit>minute</TimeUnit>

</Quota>

 



 

• From the Policy designer, select PreFlow from the ProxyEndPoint and then click on the + button next to the Raise Fault Policy available under the Mediation Policies segment.

 

• In the Create policy screen specify the policy name say return429error and then click on the Add button

 



 

• In the policy editor,  select the newly created return429error policy and add the following policy snippet to return the error with status code 429 and message Too many Requests

<RaiseFault async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">

	<!-- Defines the response message returned to the requesting client -->

	<FaultResponse>

		<Set>

			<!-- Sets or overwrites HTTP headers in the respone message -->

			<Headers>

			    <Header name="Retry-After">{ratelimit.applyRateLimit.expiry.time}</Header>

			    </Headers>

			<Payload contentType="text/plain">Your quota exceeded </Payload> 

			<StatusCode>429</StatusCode>

			<!-- sets the reason phrase of the response -->

			<ReasonPhrase>Too many Requests</ReasonPhrase>

		</Set>

	</FaultResponse>

	<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

</RaiseFault>

RaiseFault Policy allows to return custom error message to the client. The above policy snippet would return the error response with the HTTP status set to 429 and the reason phrase is set to Too many requests. Also the retry time would be set to the Quota time interval expiry settings as described in the RFC and for this we have used the flow variable ratelimit.{quotapolicyname}.expiry.time  

 



 

• The above added return429error  raise fault policy would have to be executed only in case of quota error and therefore in the Condition String field in the copy paste the condition value of  ratelimit.applyRateLimit.failed = "true". This condition ensures that only when the quota is exceeded, the error is returned to the API caller.

 



 

• Click on the Update button to save the Policy changes

 



 

• Click on the Save button to save the changes to API Proxy

 



 

With this we have successfully set the API rate limit using SAP Cloud API Management as described in the REST security protection in OWASP and following the rate limiting RFC standards for error handling.

 

Finally testing the flow

 

• Navigate to the Test tab from the hamburger icon

 



 

• From the APIs list search for the API Proxy that you would like to test say GatewayServiceRestrictedAccess and then click the API to test

 



 

 

• Click on the Send button multiple times so that API rate limiting is applied

 



 

• Click on the Headers tab to view the Retry-After header value

 



 

Further Reads

• Next part of the API security best practices blog series - Rate Limiting for OData Batch calls


• Previous part of the API security best practices blog series - Restrict access to APIs based on IP A...


• Traffic Management - Spike Arrest and Concurrent Rate limit


• Creating your own error codes via SAP Cloud Platform API Management


• For more blogs on SAP Cloud Platform API Management visit us at SAP Community