How to perform additional rate limiting on successive invalid API requests

Alan Lawlor 0 Reputation points
2024-05-03T11:18:50.7433333+00:00

I am currently rate-limiting the use of a B2B API using the following inbound API policy:

<rate-limit-by-key calls="5000" renewal-period="60" counter-key="@(context.Request.IpAddress + context.Operation.Id)" />

It cannot be set to a lower limit (than the above 5000 calls per minute) as there will be high-volume API calls to the same API from the same source.

Our security team has recommended that an additional LOWER limit be set on the number of successive INVALID calls - e.g. where the request fails the OpenAPI definition validation or when our backend API has returned an error (4xx or 5xx).

Can someone please tell me if there is a way to do this using APIM policies via XML and/or C#?

Azure API Management

1 answer

  1. Alan Lawlor 0 Reputation points
    2024-05-10T13:07:26.56+00:00

    I figured out the answer - it ended up being an example on quotas in the MS documentation.

    By putting an increment condition on the quota, I can limit requests being counted to those with particular response status codes.

    This one limits any particular IP address on any one API to 30 invalid request calls in a 5 minute (300 second) period. Unfortunately, APIM won't allow a smaller interval than 5 minutes for the renewal-period.

    <quota-by-key calls="30" renewal-period="300" counter-key="@(context.Request.IpAddress + context.Operation.Id)" increment-condition="@(context.Response.StatusCode > 202 && context.Response.StatusCode != 401 && context.Response.StatusCode != 403)" />
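The following is an added example, not code from the question or the answer, showing how the two policies from this thread fit together in one complete APIM policy document. The `calls`, `renewal-period`, `counter-key` and `increment-condition` values are taken from the question and the answer; the surrounding `<policies>` skeleton, the `<base />` placement and the comments are assumptions about how a practitioner would lay this out.

```xml
<policies>
    <inbound>
        <base />
        <!-- Throttle from the question: counts EVERY call from an IP to an operation,
             so it has to stay high enough for legitimate bulk traffic. -->
        <rate-limit-by-key calls="5000" renewal-period="60"
            counter-key="@(context.Request.IpAddress + context.Operation.Id)" />
        <!-- Separate, much smaller budget that counts only failed calls (from the answer).
             quota-by-key increments its counter after the backend response is known, so
             the increment-condition can inspect context.Response even though the policy
             sits in the inbound section. 300 s is the smallest renewal-period APIM accepts. -->
        <quota-by-key calls="30" renewal-period="300"
            counter-key="@(context.Request.IpAddress + context.Operation.Id)"
            increment-condition="@(context.Response.StatusCode > 202 && context.Response.StatusCode != 401 && context.Response.StatusCode != 403)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Both counters share the same `counter-key`, so a caller is tracked per source IP and per operation; the rate limit bounds total volume while the quota bounds the number of responses with a status above 202. Note that the condition as written excludes 401 and 403, so authentication and authorisation failures do not draw down the 30-call budget; remove those two clauses if failed logins should count as invalid requests as well.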