APIM Combine throttling policy approach


In APIM we currently have product subscription key level throttling. But obviously, if we have multiple APIs within the same product, one API could consume more quota than expected and prevent others from being able to use the application. So, as per the MS documentation (https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling), we can use combined policies.

The question is whether, with that approach, we can use limits as below:

API-1 300 calls per 60 seconds where product subscription key =123
API-2 200 calls per 60 seconds where product subscription key =123
API-3 200 calls per 60 seconds where product subscription key =123

If so, what would be the total number of calls for the product subscription key, if that makes sense?

I took the approach below to combine policies, but it doesn't like it.

<rate-limit-by-key calls="50" renewal-period="60" counter-key="@(&quot;somevalue&quot; + context.Request.Headers.GetValueOrDefault(&quot;Ocp-Apim-Subscription-Key&quot;))" />
<rate-limit calls="10" renewal-period="30">  
    <api name="AddressSearch API dev" calls="5" renewal-period="30" />  
        <operation name="Search_GetAddressSuggestions" calls="3" renewal-period="30" />
</rate-limit>

It's important to understand that the counters of rate-limit-by-key and rate-limit are independent.

When rate-limit-by-key allows a request to pass, it increases its counter. When rate-limit allows a request to pass, it increases its counters. In your configuration, when rate-limit-by-key throttles a request, rate-limit will not be executed and will not count the request.

What that means is that in most cases the lower limit wins. Your configuration will allow one subscription to make 50 calls per minute, but it's unlikely to make any difference, because the second rate-limit policy will throttle after 10 calls to the same product, so the first one will not have any chance to do anything.

If you want limits as in your sample, you could use configuration as follows:

<rate-limit calls="0" renewal-period="0">  
    <api name="API-1" calls="100" renewal-period="60" />  
    <api name="API-2" calls="200" renewal-period="60" />  
    <api name="API-3" calls="300" renewal-period="60" />  
</rate-limit>



So, to have rate limiting at the API level, I came up with the below, which addressed my requirement.

<choose>
    <when condition="@(context.Operation.Id.Equals("End point name1"))">
        <rate-limit-by-key calls="40" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </when>
    <when condition="@(context.Operation.Id.Equals("End point name2"))">
        <rate-limit-by-key calls="20" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </when>
    <otherwise>
        <rate-limit-by-key calls="15" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
    </otherwise>
</choose>

Hope this helps.



Just to confirm - you are setting three throttling policies on an API level, based on the subscription key:

API-1: 300 calls per 60 seconds
API-2: 200 calls per 60 seconds
API-3: 200 calls per 60 seconds

In this case, if these are your only APIs, the maximum number of requests per subscription key per 60 seconds is: 300 + 200 + 200 = 700.

If you have more APIs, they will not be throttled unless you specify a policy for them as well.
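
The counter behaviour described in the answers above (independent counters where the lower limit wins, and per-API counters adding up to 700 per subscription key), as an added Python sketch that is not part of the original thread. It assumes a simplified fixed-window counter rather than APIM's actual implementation; the class and function names are hypothetical and the traffic is constructed.

```python
class FixedWindowLimiter:
    """Simplified model: at most `calls` per `period` seconds for each counter key."""

    def __init__(self, calls, period):
        self.calls, self.period = calls, period
        self.windows = {}  # counter key -> (window start, count)

    def allow(self, key, now):
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.period:  # window elapsed, start a fresh one
            start, count = now, 0
        allowed = count < self.calls
        # Only requests that are let through increase the counter.
        self.windows[key] = (start, count + 1 if allowed else count)
        return allowed


def chained_passes(limiters, key, times):
    """Count requests that pass every limiter, evaluated in policy order.
    all() short-circuits, so a limiter placed after a rejecting one never
    sees the request and does not count it."""
    return sum(all(lim.allow(key, t) for lim in limiters) for t in times)


def per_api_passes(api_limits, sub_key, attempts, period=60):
    """One counter per API + subscription key; `attempts` calls hit each API
    inside a single window. Returns the number of passed calls per API."""
    passed = {}
    for api, calls in api_limits.items():
        lim = FixedWindowLimiter(calls, period)
        key = api + sub_key  # same idea as Api.Name + subscription key
        passed[api] = sum(lim.allow(key, 0) for _ in range(attempts))
    return passed


# Constructed traffic: 40 calls from one subscription inside 20 seconds.
SUB = "123"  # subscription key value used in the question
burst = [i * 0.5 for i in range(40)]
by_key = FixedWindowLimiter(50, 60)      # rate-limit-by-key from the question
by_product = FixedWindowLimiter(10, 30)  # rate-limit from the question
lower_limit_wins = chained_passes([by_key, by_product], SUB, burst)

# Limits from the question, with 400 attempts per API in one 60-second window.
per_api = per_api_passes({"API-1": 300, "API-2": 200, "API-3": 200}, SUB, 400)

if __name__ == "__main__":
    print("passed through both policies:", lower_limit_wins)
    print("per API:", per_api, "total:", sum(per_api.values()))
```
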
