The static rate limiter limits the total number of connections or requests on a virtual service. For instance, if the virtual service rate limit is configured for 1000 connections per second, the 1001st connection or request received within the configured period is denied.

Virtual Service Connection Rate Limiter

This is configured on the virtual service through the connections_rate_limit attribute. It limits the number of new incoming connections to the virtual service.

The virtual service performance limits allow overall rate limiting of connections and requests processed by the virtual service. The GUI supports configuring the below performance limits for HTTP virtual services:

  • Rate Limit Number of New TCP Connections

    • Applies to incoming TCP connections received by the virtual service.

    • The actions that can be taken on new TCP connections once the rate limit threshold is exceeded in the configured time period are:

      • Drop Syn Packets: This action silently drops new TCP SYNs.

      • Send TCP Reset: This action sends a TCP RST when a new TCP SYN is received.

      • Report Only: A significant log will be generated but no other action taken.

  • Rate Limit Number of New HTTP Requests

    • Applies to incoming HTTP requests received by the virtual service.

    • The actions that can be taken on new HTTP requests once the rate limit threshold is exceeded in the configured time period are:

      • Close TCP Connection: This action closes the TCP connection (sends a TCP FIN) over which the request exceeding the rate limit was received.

      • Send HTTP Local Response: This action sends the configured HTTP response from the Service Engine for a request exceeding the rate limit.

      • Send HTTP Redirect: This action sends an HTTP redirect response to the client for a request that exceeds the rate limit.

      • Report Only: A significant log will be generated but no other action taken.

You can check the Performance Limits box in the Advanced tab of Applications > Virtual Service window.

Virtual service performance limits can also be applied to non-HTTP virtual services through the following command-line parameters:

[admin]: > configure virtualservice vs1
[admin]: virtualservice> connections_rate_limit
[admin]: virtualservice:connections_rate_limit> rate_limiter
[admin]: virtualservice:connections_rate_limit:rate_limiter> count 1000
Overwriting the previously entered value for count
[admin]: virtualservice:connections_rate_limit:rate_limiter> period 1
Overwriting the previously entered value for period
[admin]: virtualservice:connections_rate_limit:rate_limiter> burst_sz 1000
Overwriting the previously entered value for burst_sz
[admin]: virtualservice:connections_rate_limit:rate_limiter> save
[admin]: virtualservice:connections_rate_limit> action
[admin]: virtualservice:connections_rate_limit:action> type rl_action_reset_conn
[admin]: virtualservice:connections_rate_limit:action> save
[admin]: virtualservice:connections_rate_limit> save
[admin]: virtualservice> save

For TCP-based virtual services, the following action types can be configured for new connections that exceed the rate limit:

  • rl_action_drop_conn: This action silently drops new TCP SYNs.

  • rl_action_reset_conn: This action sends a TCP RST when a new TCP SYN is received.

  • rl_action_none: A significant log will be generated but no other action taken.

For UDP-based virtual services, the following action types can be configured for UDP packets that constitute a new connection that would exceed the rate limit:

  • rl_action_drop_conn: This action silently drops the UDP packet.

  • rl_action_reset_conn: This action drops the UDP packet and sends an ICMP Port Unreachable message to the client.

  • rl_action_none: A significant log will be generated but no other action taken.

If the virtual service is using a UDP per-packet network profile, each UDP packet received from the client is treated as a separate connection. For UDP Fast Path profiles, flow table entries are created; subsequent packets received from a client with the same source and destination port as an existing flow table entry are treated as part of the existing connection for rate limiting purposes.

Network Security Rate Limiter

This is a policy-based rate limiter that allows different rate limits to be applied to different sets of clients based on matching rules. The configured rate limit is applied across all client traffic that matches a given rule, rather than applying per-client.

Network Security Rate Limits can apply to both UDP and TCP traffic. Traffic that exceeds the rate limit is silently dropped.

Note:
  • If the virtual service is using a UDP per-packet network profile, each UDP packet received from the client is treated as a separate connection. For UDP Fast Path profiles, flow table entries are created; subsequent packets received from a client with the same source and destination port as an existing flow table entry are treated as part of the existing connection for rate limiting purposes.

  • This type of rate limiter has a fixed time period of 1 second.

For instance, assume that you want to limit clients in the IP subnet 172.100.200.0/24 to 1000 connections per second in total. The following CLI configures this as a rule in the virtual service's network security policy:

[admin:ctrl]: > configure networksecuritypolicy vs-vs1-Default-Cloud-ns
Updating an existing object. Currently, the object is:
+----------------------+------------------------------------------------------------+
| Field                | Value                                                      |
+----------------------+------------------------------------------------------------+
| uuid                 | networksecuritypolicy-fbe7ec92-15bf-4ec8-a8bb-7145b03e3dba |
| name                 | vs-vs1-Default-Cloud-ns                                    |
| rules[1]             |                                                            |
|   name               | Rule 1                                                     |
|   index              | 1                                                          |
|   enable             | True                                                       |
|   match              |                                                            |
|     client_ip        |                                                            |
|       match_criteria | IS_IN                                                      |
|       prefixes[1]    | 172.100.200.0/24                                           |
|   action             | NETWORK_SECURITY_POLICY_ACTION_TYPE_RATE_LIMIT             |
|   log                | False                                                      |
|   rl_param           |                                                            |
|     max_rate         | 1000                                                       |
|     burst_size       | 1000                                                       |
|   age                | 0 min                                                      |
| tenant_ref           | admin                                                      |
+----------------------+------------------------------------------------------------+
[admin]: networksecuritypolicy> rules index 1
[admin]: networksecuritypolicy:rules> rl_param 
[admin]: networksecuritypolicy:rules:rl_param> max_rate 1000
No change in field value
[admin]: networksecuritypolicy:rules:rl_param> burst_size 1000
No change in field value
[admin]: networksecuritypolicy:rules:rl_param> save
[admin]: networksecuritypolicy:rules> save
[admin]: networksecuritypolicy> save

In the GUI, the same rule is configured in the Policies tab of the Applications > Virtual Service window, with the subnet entered in the IP Address match field of the network security rule.

HTTP Security Rate Limiter

This rate limiter limits the total number of incoming requests based on the HTTP security policy configuration. The HTTP security policy supports rate limiting per client IP address, per URI path, or both for a given rate limit action.

The following rate limiters are available in this profile:

  • Rate Limit connections from a client (also available for TCP/UDP virtual services)

  • Rate Limit requests from a client to all URLs

  • Rate Limit failed requests from a client to all URLs

  • Rate Limit failed requests from all clients to a URL

  • Rate Limit all HTTP requests that map to any custom string for all URLs of the virtual service

  • Rate Limit failed requests from a client to a URL

  • Rate Limit scans from a client to all URLs

  • Rate Limit scans from all clients to all URLs

Each of the HTTP request rate limiters above supports the following action types:

  • Report only (rl_action_none)

  • Close TCP connection (rl_action_close_conn). For HTTP, this is the value to set as the action; rl_action_reset_conn is the connection-level action and is not used here.

  • Send HTTP local response (rl_action_local_rsp)

  • Send HTTP Redirect (rl_action_redirect)

Note:

The client IP is subject to the Use_True_Client_IP option. It may be the source IP from the layer-3 header or the IP fetched from a user-defined HTTP header. For more information, refer to True Client IP in L7 Security Features.

You can configure rate limiters to control the policy evaluation based on different parameters. The rate limiter object has the same fields as the other rate limiters described above:

  • Count

  • Period

  • Burst

You can configure rate profiles under the action attributes of the HTTP policy. A rate profile can be keyed on either or both of the following, giving one independent limit per client IP address, per URI path, or per client IP and URI path pair:

  • per_client_ip

  • per_uri_path

The action taken when the limit is exceeded is one of the HTTP rate limiter action types listed above:

  • Report only (rl_action_none): the event is logged in the virtual service logs and the request is still served

  • Close the TCP connection (rl_action_close_conn)

  • Send an HTTP local response (rl_action_local_rsp)

  • Send an HTTP redirect (rl_action_redirect)
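As an added illustration (not code from this page or from the NSX Advanced Load Balancer product), the following Python models the count / period / burst_sz triple as a token bucket and shows how the per_client_ip and per_uri_path keys change what is being counted. The same model covers the virtual service connection limiter and a network security rule, where no key is set and a single bucket is shared by every matching client, which is why 1000 connections from one client in a second leave nothing for the next client in that second. The bucket semantics, the treatment of burst_sz 0 as "capacity equals count", and the client addresses are assumptions made for the example; the product's internal algorithm is not described on this page.

```python
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    """The count / period / burst_sz triple shared by every rate limiter on this page."""
    count: int          # admitted per period
    period: float       # seconds
    burst_sz: int = 0   # bucket depth; 0 is treated here as "depth = count" (assumption)

    @property
    def capacity(self) -> float:
        return float(self.burst_sz if self.burst_sz > 0 else self.count)

    @property
    def refill_per_sec(self) -> float:
        return self.count / self.period


@dataclass
class RateProfile:
    """Token-bucket model of a rate profile: one bucket per key, refilled continuously."""
    rate_limiter: RateLimiter
    action_type: str                   # rl_action_reset_conn, rl_action_local_rsp, rl_action_none, ...
    per_client_ip: bool = False
    per_uri_path: bool = False
    buckets: dict = field(default_factory=dict)   # key -> (tokens, last_update)

    def bucket_key(self, client_ip: str, uri_path: str) -> tuple:
        # With both flags off every matching request shares one bucket, which is how the
        # virtual service limiter and a network security rule behave (not per client).
        return (client_ip if self.per_client_ip else None,
                uri_path if self.per_uri_path else None)

    def evaluate(self, now: float, client_ip: str, uri_path: str = "/") -> str:
        """Return "allow", or the action applied to a request that exceeds the limit."""
        rl = self.rate_limiter
        key = self.bucket_key(client_ip, uri_path)
        tokens, last = self.buckets.get(key, (rl.capacity, now))
        tokens = min(rl.capacity, tokens + (now - last) * rl.refill_per_sec)
        if tokens >= 1.0:
            verdict = "allow"
            tokens -= 1.0
        elif self.action_type == "rl_action_none":
            verdict = "allow (significant log only)"   # report only: logged, not blocked
        else:
            verdict = self.action_type
        self.buckets[key] = (tokens, now)
        return verdict


def demo_virtual_service_limit() -> tuple:
    """1000 connections/second, burst 1000, TCP reset: the 1001st SYN in the same
    second is reset whichever client sends it, because the bucket is shared."""
    profile = RateProfile(RateLimiter(count=1000, period=1, burst_sz=1000), "rl_action_reset_conn")
    verdicts = [profile.evaluate(0.0, "203.0.113.%d" % (i % 50)) for i in range(1001)]
    return verdicts.count("allow"), verdicts[1000]


def demo_http_security_rule() -> dict:
    """The httppolicyset example on this page: count 10, period 10 s, burst_sz 0,
    keyed per client IP and per URI path, local 403 response when exceeded."""
    profile = RateProfile(RateLimiter(count=10, period=10), "rl_action_local_rsp",
                          per_client_ip=True, per_uri_path=True)
    a = [profile.evaluate(0.0, "198.51.100.7", "/login") for _ in range(12)]
    b = [profile.evaluate(0.0, "198.51.100.8", "/login") for _ in range(3)]   # own bucket
    other = profile.evaluate(0.0, "198.51.100.7", "/search")                   # own bucket
    after_1s = profile.evaluate(1.0, "198.51.100.7", "/login")                 # one token refilled
    return {"a_allowed": a.count("allow"), "a_limited": a.count("rl_action_local_rsp"),
            "b_allowed": b.count("allow"), "other_path": other, "a_after_1s": after_1s}


if __name__ == "__main__":
    print(demo_virtual_service_limit())
    print(demo_http_security_rule())
```

With per_client_ip and per_uri_path both set, client 198.51.100.7 is limited on /login without affecting its requests to /search or another client's requests to /login; with both unset, the first 1000 connections in a second exhaust the limit for everyone the rule matches.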

The following are the steps to configure HTTP security rate limiter:

  • Log in to the NSX Advanced Load Balancer CLI and use the configure httppolicyset <policy name> command to start configuring the HTTP security policy for rate limiting.

[admin]: > configure httppolicyset example_rl_policy
[admin]: httppolicyset> http_security_policy
[admin]: httppolicyset:http_security_policy> rules index 1
  • Configure the rate profile under the action attributes of the HTTP policy as shown below. In the example below, the rate profile is keyed per_uri_path and the rate limiter count is set to 10.

[admin]: httppolicyset:http_security_policy:rules:action> rate_profile
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile> per_uri_path
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile> rate_limiter
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile:rate_limiter> count 10
Overwriting the previously entered value for count
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile:rate_limiter> save 
  • Configure the action to apply once the rate limit is reached. The following sets the action type to rl_action_local_rsp with the response code http_local_response_status_code_403.

[admin]: httppolicyset:http_security_policy:rules:action:rate_profile> action
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> type rl_action_local_rsp
Overwriting the previously entered value for type
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> status_code http_local_response_status_code_403
Overwriting the previously entered value for status_code
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> save
[admin]: httppolicyset:http_security_policy:rules:action:rate_profile> save
[admin]: httppolicyset:http_security_policy:rules:action> save
[admin]: httppolicyset:http_security_policy:rules> save
[admin]: httppolicyset:http_security_policy> save
[admin]: httppolicyset> save
  • The final configuration is shown below. The rule sends a 403 response once requests exceed 10 in 10 seconds (count 10, period 10 sec) for the associated HTTP security policy and virtual service. Note that per_client_ip is also True in this output, so the limit is tracked separately for each client IP and URI path pair.

+------------------------+----------------------------------------------------+
| Field                  | Value                                              |
+------------------------+----------------------------------------------------+
| uuid                   | httppolicyset-91f02717-7dc6-42ff-9b00-1f411d3723df |
| name                   | example_rl_policy                                  |
| http_security_policy   |                                                    |
|   rules[1]             |                                                    |
|     name               | rl_rule_1                                          |
|     index              | 1                                                  |
|     enable             | True                                               |
|     match              |                                                    |
|       client_ip        |                                                    |
|         match_criteria | IS_NOT_IN                                          |
|         prefixes[1]    | 192.168.100.0/24                                   |
|     action             |                                                    |
|       action           | HTTP_SECURITY_ACTION_RATE_LIMIT                    |
|       rate_profile     |                                                    |
|         rate_limiter   |                                                    |
|           count        | 10                                                 |
|           period       | 10 sec                                             |
|           burst_sz     | 0                                                  |
|         action         |                                                    |
|           type         | RL_ACTION_LOCAL_RSP                                |
|           status_code  | HTTP_LOCAL_RESPONSE_STATUS_CODE_403                |
|         per_client_ip  | True                                               |
|         per_uri_path   | True                                               |
| is_internal_policy     | False                                              |
| tenant_ref             | admin                                              |
+------------------------+----------------------------------------------------+
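As an added example (not code from this page or from VMware), the following Python builds an httppolicyset rate limit rule in the field layout shown in the output above and lints it for the caveats this page states: rl_action_close_conn rather than rl_action_reset_conn for HTTP, a status_code when the action is rl_action_local_rsp, positive count and period, and a warning when neither per_client_ip nor per_uri_path is set, since one limit is then shared by every matching request. The dictionary layout and key names are mirrored from the table above; how such a document is submitted to the controller is outside what this page covers, and the rule names and prefixes used in the demo are made up for the example.

```python
import json

# Action types this page lists for HTTP request rate limiting. rl_action_reset_conn is the
# connection-level action for TCP/UDP and is the usual mistake when scripting HTTP policies.
HTTP_RL_ACTION_TYPES = {"rl_action_none", "rl_action_close_conn",
                        "rl_action_local_rsp", "rl_action_redirect"}


def rate_limit_rule(name, index, prefixes, count, period, burst_sz=0,
                    action_type="rl_action_local_rsp",
                    status_code="HTTP_LOCAL_RESPONSE_STATUS_CODE_403",
                    per_client_ip=True, per_uri_path=True, match_criteria="IS_NOT_IN"):
    """One http_security_policy rule in the field layout shown in the CLI output above."""
    action = {"type": action_type}
    if action_type == "rl_action_local_rsp":
        action["status_code"] = status_code
    return {
        "name": name, "index": index, "enable": True,
        "match": {"client_ip": {"match_criteria": match_criteria, "prefixes": list(prefixes)}},
        "action": {
            "action": "HTTP_SECURITY_ACTION_RATE_LIMIT",
            "rate_profile": {
                "rate_limiter": {"count": count, "period": period, "burst_sz": burst_sz},
                "action": action,
                "per_client_ip": per_client_ip, "per_uri_path": per_uri_path,
            },
        },
    }


def http_policy_set(name, rules):
    return {"name": name, "is_internal_policy": False,
            "http_security_policy": {"rules": list(rules)}}


def to_json(policy) -> str:
    return json.dumps(policy, indent=2, sort_keys=True)


def lint_rate_limit_rules(policy):
    """Return (severity, message) findings for every rate limit rule; [] means clean."""
    findings = []
    for rule in policy["http_security_policy"]["rules"]:
        act = rule.get("action") or {}
        if act.get("action") != "HTTP_SECURITY_ACTION_RATE_LIMIT":
            continue
        rp = act.get("rate_profile") or {}
        rl = rp.get("rate_limiter") or {}
        rl_action = rp.get("action") or {}
        kind = str(rl_action.get("type", "")).lower()
        where = f"rule {rule.get('index')} ({rule.get('name')})"
        if kind == "rl_action_reset_conn":
            findings.append(("error", f"{where}: use rl_action_close_conn for HTTP, "
                                      "not rl_action_reset_conn"))
        elif kind not in HTTP_RL_ACTION_TYPES:
            findings.append(("error", f"{where}: unknown HTTP rate limit action type {kind!r}"))
        if kind == "rl_action_local_rsp" and not rl_action.get("status_code"):
            findings.append(("error", f"{where}: rl_action_local_rsp needs a status_code"))
        if rl.get("count", 0) <= 0 or rl.get("period", 0) <= 0:
            findings.append(("error", f"{where}: count and period must both be positive"))
        if rl.get("burst_sz", 0) < 0:
            findings.append(("error", f"{where}: burst_sz cannot be negative"))
        if not rp.get("per_client_ip") and not rp.get("per_uri_path"):
            findings.append(("warning", f"{where}: neither per_client_ip nor per_uri_path is "
                                        "set, so one limit is shared by every matching request"))
        if kind == "rl_action_none":
            findings.append(("warning", f"{where}: rl_action_none only logs; requests over "
                                        "the limit are still served"))
    return findings


if __name__ == "__main__":
    policy = http_policy_set("example_rl_policy",
                             [rate_limit_rule("rl_rule_1", 1, ["192.168.100.0/24"], 10, 10)])
    print(to_json(policy))
    print(lint_rate_limit_rules(policy))
```

Running the lint before pushing a policy catches the reset-versus-close mix-up that the CLI accepts silently, and the shared-bucket warning is a reminder that a keyless rule lets a single noisy client consume the whole allowance for everyone the match covers.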

DNS Policy Rate Limiter

This is a policy-based rate limiter that allows different rate limits to be applied to different sets of clients and/or DNS queries based on matching rules. The configured rate limit is applied across all DNS queries from clients that match a given rule, rather than applying per-client.

For instance, the DNS Policy Rate Limiter can be used to rate limit DNS queries for particular domains so that the authoritative DNS servers being load balanced are not overwhelmed.

The following CLI sets a limit of 1000 queries per second with a burst size of 1000 on rule 1 of the DNS policy:

[admin]: > configure dnspolicy dns1-Policy
[admin]: dnspolicy> rule index 1
[admin]: dnspolicy:rule> action
[admin]: dnspolicy:rule:action> dns_rate_limiter
[admin]: dnspolicy:rule:action:dns_rate_limiter> rate_limiter_object
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> count 1000
Overwriting the previously entered value for count
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> burst_sz 1000
Overwriting the previously entered value for burst_sz
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> period 1
Overwriting the previously entered value for period
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> save
[admin]: dnspolicy:rule:action:dns_rate_limiter> save
[admin]: dnspolicy:rule:action> save
[admin]: dnspolicy:rule> save
[admin]: dnspolicy> save

In the GUI, you can check the Enable box in the DNS Policy section of the Policies tab of the Applications > Virtual Services window.

For more information, refer to DNS Policy.