Rate limiting on API Gateway and Lambda

Rushabh Trivedi
4 min read · Jul 23, 2024


Sample architectural diagram for API Key usage (Ref: https://digitalcloud.training/amazon-api-gateway/)

The move to a Software-as-a-Service (SaaS) delivery model is driven by the desire for cost and operational efficiency.

The serverless model is a fast and flexible way to implement a SaaS application in a multi-tenant environment.

Managing cost and operational efficiency is a bit challenging and tricky in a multi-tenant environment, where all tenants access the same resources, either in a pooled or a silo model depending on the subscription tier they have subscribed to. You need a proper mechanism to control resource usage so that one aggressive tenant does not take over all the capacity and leave the other tenants with none.

This can be managed with API keys and usage plans.

In this blog, I will give a basic idea of how you can implement a serverless multi-tenant SaaS project with API keys and usage plans.

All you need is:

  • An AWS account
  • The SAM CLI installed on your machine
  • A little understanding of AWS CloudFormation

1. Create a serverless project using the SAM CLI, using one of the quick start templates.

This will create a project structure that looks similar to this:

Sample project structure

2. Now build the project:

sam build
Starting Build use cache
Manifest is not changed for (getAllItemsFunction, getByIdFunction, putItemFunction), running incremental build
Building codeuri: D:\>api-key-usage-demo runtime: nodejs20.x metadata: {} architecture: x86_64
functions: getAllItemsFunction, getByIdFunction, putItemFunction
Running NodejsNpmBuilder:NpmPack
Running NodejsNpmBuilder:CopyNpmrcAndLockfile
Running NodejsNpmBuilder:CopySource
Running NodejsNpmBuilder:CopySource
Running NodejsNpmBuilder:CleanUpNpmrc
Running NodejsNpmBuilder:LockfileCleanUp
Running NodejsNpmBuilder:LockfileCleanUp

Build Succeeded

Built Artifacts : .aws-sam\build
Built Template : .aws-sam\build\template.yaml

Commands you can use next
=========================
[*] Validate SAM template: sam validate
[*] Invoke Function: sam local invoke
[*] Test Function in the Cloud: sam sync --stack-name {{stack-name}} --watch
[*] Deploy: sam deploy --guided

3. Deploy it. If you are deploying for the first time, it will prompt for a few inputs:

sam deploy

Once it is deployed successfully, it will show you something like this:

2024-07-22 16:21:21 - Waiting for stack create/update to complete

CloudFormation events from stack operations (refresh every 5.0 seconds)
---------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------
UPDATE_IN_PROGRESS AWS::CloudFormation::Stack api-key-usage-demo User Initiated
UPDATE_IN_PROGRESS AWS::Lambda::Function getAllItemsFunction -
UPDATE_IN_PROGRESS AWS::Lambda::Function getByIdFunction -
UPDATE_IN_PROGRESS AWS::Lambda::Function putItemFunction -
UPDATE_COMPLETE AWS::Lambda::Function getAllItemsFunction -
UPDATE_COMPLETE AWS::Lambda::Function getByIdFunction -
UPDATE_COMPLETE AWS::Lambda::Function putItemFunction -
UPDATE_IN_PROGRESS AWS::ApiGateway::UsagePlan SampleUsagePlan -
UPDATE_COMPLETE AWS::ApiGateway::UsagePlan SampleUsagePlan -
UPDATE_COMPLETE_CLEANUP_IN_PROGRESS AWS::CloudFormation::Stack api-key-usage-demo -
UPDATE_COMPLETE AWS::CloudFormation::Stack api-key-usage-demo -
---------------------------------------------------------------------------------------------------------------------------------------------


Successfully created/updated stack - api-key-usage-demo in us-east-1

Now let's start adding our own customization related to the API key, the API Gateway (by default this project template creates an API Gateway anyway, even if you do not declare one, but I like to declare my own), the usage plan, etc.

Let's start with the API Gateway.

On the API Gateway, we have set ApiKeyRequired: true and also added the CORS configuration.

RestAPIGateway:
  Type: AWS::Serverless::Api
  Properties:
    Name: !Sub "${AWS::StackName}-rest-api"
    StageName: Prod
    Auth:
      ApiKeyRequired: true
    Cors:
      AllowMethods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
      AllowHeaders: "'Role,Authorization,Content-Type'"
      AllowOrigin: "'*'"

API key:

SampleAPIKeys:
  Type: AWS::ApiGateway::ApiKey
  Properties:
    Enabled: true
    Name: Sample-API-Key

Usage plan:

We have applied a quota limit of 20 API calls per day.

SampleUsagePlan:
  Type: AWS::ApiGateway::UsagePlan
  Properties:
    ApiStages:
      - ApiId: !Ref RestAPIGateway
        Stage: Prod
    Quota:
      Limit: 20
      Period: DAY
    Description: Sample Usage Plan
    UsagePlanName: Sample-Usage-Plan

Bind the API key to the usage plan:

SampleAPIKeyUsagePlan:
  Type: AWS::ApiGateway::UsagePlanKey
  Properties:
    KeyId: !Ref SampleAPIKeys
    KeyType: API_KEY
    UsagePlanId: !Ref SampleUsagePlan

Run the build and deploy commands again, as earlier.

Once the stack is deployed successfully, you will be able to see the API key and the usage plan that were created.

You need to copy the API key value from above and send it with the subsequent API calls.

All set!!

Try making requests with this API key; they should be allowed until your usage quota is reached. In this case, it should allow you 20 API calls.

Once you reach the limit, it will start returning an error like the one below.
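The client side of the flow above, as an added example (not code from the post or its repo): it sends the key in API Gateway's x-api-key header, stops at the first 403/429 instead of retrying against an exhausted quota, and tells the daily quota error apart from a throttle. The endpoint URL and key are placeholders; the transport parameter exists only so the logic can be exercised offline.

```python
"""Call an API-key-protected API Gateway stage and stop when the usage plan
quota is exhausted.  Example code written for this post; URL and key are
placeholders, not values from the author's deployment."""
import json
import urllib.error
import urllib.request

API_URL = "https://EXAMPLE.execute-api.us-east-1.amazonaws.com/Prod/"  # placeholder
API_KEY = "REPLACE_WITH_VALUE_FROM_CONSOLE"  # placeholder; never commit a real key


def classify(status, body):
    """Map an API Gateway response to what the usage plan is telling us.

    403 {"message":"Forbidden"}        -> key missing, disabled, or not bound to a plan
    429 {"message":"Limit Exceeded"}   -> the plan's quota (here 20/day) is used up
    429 {"message":"Too Many Requests"}-> per-second throttle, retry later is fine
    """
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    if status == 403:
        return "forbidden"
    if status == 429:
        return "quota_exhausted" if message == "Limit Exceeded" else "throttled"
    if 200 <= status < 300:
        return "ok"
    return "error"


def http_get(url, api_key):
    """Real transport: GET with the x-api-key header; returns (status, body)."""
    req = urllib.request.Request(url, headers={"x-api-key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # 403/429 arrive here, not as exceptions we swallow
        return e.code, e.read().decode()


def drain_quota(url, api_key, max_calls, transport=http_get):
    """Issue up to max_calls requests; return (successful_calls, final_state).

    Stops at the first non-2xx so a tenant client never hammers the gateway
    once its quota is gone.  `transport` is injectable for offline testing.
    """
    successes = 0
    for _ in range(max_calls):
        state = classify(*transport(url, api_key))
        if state != "ok":
            return successes, state
        successes += 1
    return successes, "ok"
```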

This is how you can implement API keys and usage plans to track usage and enforce quotas for tenants.

You can refer to this repo for the same.

Written by Rushabh Trivedi

AWS Certified Associate Architect, Cloud Solutions Lead, Angular Developer
