The DR REST API Rate Limiter is a mechanism to manage the risks of API resource exhaustion and brute force attacks.
Tier | Description | Configuration | Default Value
---|---|---|---
IP address | Considers requests per IP address. | ipRateLimitQuota | 100
 | | ipRateLimitWindow | 60000 ms (1 min)
Service | Considers requests per DR REST API service name. There are three service names: srm, vr, and configure. 'srm v1' and 'srm v2' share the service name 'srm'. | serviceRateLimitQuota | 1000
 | | serviceRateLimitWindow | 60000 ms (1 min)
Session | Considers requests per session. | sessionRateLimitQuota | 50
 | | sessionRateLimitWindow | 60000 ms (1 min)
n/a | Periodic cleanup of obsolete request rate limiter data structures to reduce the runtime memory footprint. A value of 0 (zero) means no cleanup is performed. | rateLimitLogPurgeInterval | 7200000 ms (2 h)
The DR REST API Rate Limiter consists of three tiers that work as a chain, each checking the incoming request against its own criteria. If a tier's limit is reached, the response is returned immediately and the remaining tiers are skipped. The tier chain order is IP address, Service, Session.
You change the DR REST API Rate Limiter configuration by adding or updating the values of the specified properties in the dr-rest-api.properties file, located in the /opt/vmware/dr-rest/lib/ folder. If a Rate Limiter property is not explicitly defined in dr-rest-api.properties, the Rate Limiter uses the default value. To set a configuration value, add the corresponding property if it is missing and set the required value. The updated values become effective when a new rate limit window begins.
Example of dr-rest-api.properties file

```properties
...
ipRateLimitQuota=100
ipRateLimitWindow=60000
serviceRateLimitQuota=1000
serviceRateLimitWindow=60000
sessionRateLimitQuota=50
sessionRateLimitWindow=60000
rateLimitLogPurgeInterval=0
...
```
HTTP Response

DR REST API responses carry the following Rate Limit headers:
- RateLimit-Limit - the server's quota for requests by the client in the time window.
- RateLimit-Remaining - the remaining quota in the current window.
- RateLimit-Reset - the time remaining in the current window, specified in milliseconds.

When a request is rate limited, the response status is 429 Too Many Requests and the RateLimit-Remaining header is 0 (zero). DR REST API responses contain the Rate Limit headers from the last rate limit tier that processed the client request.
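The chain, the properties file and the response headers described above, modelled as an added example that is not VMware's code. Property names, defaults, service names and header names are taken from this page; the fixed-window counting, the in-memory counter layout and the `load_properties`, `Tier` and `RateLimiterChain` names are assumptions made for the example.

```python
"""Added example, not VMware's code: a model of the three-tier DR REST API
Rate Limiter chain. Property names, defaults, service names and header names
come from the documentation; the fixed-window counting algorithm and the
in-memory data structures are assumptions."""
from dataclasses import dataclass, field

# Defaults from the configuration table (quota per window, windows in ms).
DEFAULTS = {
    "ipRateLimitQuota": 100, "ipRateLimitWindow": 60_000,
    "serviceRateLimitQuota": 1000, "serviceRateLimitWindow": 60_000,
    "sessionRateLimitQuota": 50, "sessionRateLimitWindow": 60_000,
    "rateLimitLogPurgeInterval": 7_200_000,
}

def load_properties(text, defaults=DEFAULTS):
    """Parse key=value lines of a dr-rest-api.properties fragment.
    Keys that are not explicitly defined keep the documented defaults."""
    cfg = dict(defaults)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in cfg:
            cfg[key.strip()] = int(value.strip())
    return cfg

@dataclass
class Tier:
    name: str
    quota: int
    window_ms: int
    counters: dict = field(default_factory=dict)  # key -> (window_start_ms, count)

    def check(self, key, now_ms):
        """Fixed-window counter (assumption). Returns (allowed, headers)."""
        start, count = self.counters.get(key, (now_ms, 0))
        if now_ms - start >= self.window_ms:      # a new window begins
            start, count = now_ms, 0
        allowed = count < self.quota
        if allowed:
            count += 1
        self.counters[key] = (start, count)
        headers = {
            "RateLimit-Limit": str(self.quota),
            "RateLimit-Remaining": str(self.quota - count),
            "RateLimit-Reset": str(self.window_ms - (now_ms - start)),
        }
        return allowed, headers

    def purge(self, now_ms):
        """Drop counters whose window has already expired."""
        self.counters = {k: v for k, v in self.counters.items()
                         if now_ms - v[0] < self.window_ms}

class RateLimiterChain:
    SERVICES = ("srm", "vr", "configure")

    def __init__(self, cfg):
        # Chain order from the documentation: IP address, Service, Session.
        self.tiers = [
            ("ip", Tier("IP address", cfg["ipRateLimitQuota"], cfg["ipRateLimitWindow"])),
            ("service", Tier("Service", cfg["serviceRateLimitQuota"], cfg["serviceRateLimitWindow"])),
            ("session", Tier("Session", cfg["sessionRateLimitQuota"], cfg["sessionRateLimitWindow"])),
        ]
        self.purge_interval = cfg["rateLimitLogPurgeInterval"]
        self.last_purge_ms = 0

    @staticmethod
    def service_name(api):
        """'srm v1' and 'srm v2' share the service name 'srm'."""
        name = api.split()[0]
        if name not in RateLimiterChain.SERVICES:
            raise ValueError("unknown DR REST API service: %r" % api)
        return name

    def handle(self, ip, api, session, now_ms):
        """Walk the chain; the first tier whose quota is exhausted answers
        429 and the remaining tiers are skipped. Headers always come from
        the last tier that processed the request."""
        keys = {"ip": ip, "service": self.service_name(api), "session": session}
        headers = {}
        for kind, tier in self.tiers:
            allowed, headers = tier.check(keys[kind], now_ms)
            if not allowed:
                return 429, headers
        self.maybe_purge(now_ms)
        return 200, headers

    def maybe_purge(self, now_ms):
        """Periodic cleanup; rateLimitLogPurgeInterval=0 disables it."""
        if self.purge_interval <= 0:
            return
        if now_ms - self.last_purge_ms >= self.purge_interval:
            for _, tier in self.tiers:
                tier.purge(now_ms)
            self.last_purge_ms = now_ms
```

Because the session tier sits last in the chain, a single session that exhausts its own quota receives the session tier's headers, while a second session from the same address that trips the IP tier receives the IP tier's headers and never touches the service or session counters. That is what "headers from the last tier which processed the request" means in practice when you read RateLimit-Limit on a 429.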
Best practices for setting the optimal Rate Limit configuration

Setting up the optimal Rate Limit configuration requires taking various factors into consideration.

- Begin with the default values of the Rate Limiter configurations.
  - ipRateLimitQuota, ipRateLimitWindow, serviceRateLimitQuota, serviceRateLimitWindow, sessionRateLimitQuota, sessionRateLimitWindow
  - rateLimitLogPurgeInterval
- Listen for request responses with error code 429 Too Many Requests and take action accordingly.
  - Wait for the next rate limit window and repeat the requests that were rate limited.
  - Decrease the request intensity at the client side.
  - Update the Rate Limit configurations: increase the related RateLimitQuota and/or decrease the related RateLimitWindow.
- Analyze the response headers RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset and take action accordingly.
  - Change the request intensity at the client side in the required direction.
  - Update the Rate Limit configurations in the required direction.
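The client-side half of these best practices, as an added example that is not part of VMware's documentation or tooling: read the RateLimit-* headers from every response, wait out the window reported in RateLimit-Reset when a 429 arrives, and pace subsequent requests by the remaining quota. The transport is injected as a callable so the example runs offline against a constructed fake server; `FakeDrRestApi`, `call_with_rate_limit_backoff` and `pacing_delay_s` are names invented for this example, and the response values in the fake are constructed.

```python
"""Added example, not VMware's code: a DR REST API client helper that honours
the Rate Limit headers and the 429 Too Many Requests status described above."""
import time

def parse_rate_limit_headers(headers):
    """Return (limit, remaining, reset_ms) as ints; None for a missing header.
    Header names are matched case-insensitively."""
    def get(name):
        for key, value in headers.items():
            if key.lower() == name.lower():
                return int(value)
        return None
    return (get("RateLimit-Limit"), get("RateLimit-Remaining"), get("RateLimit-Reset"))

def pacing_delay_s(limit, remaining, reset_ms):
    """Seconds to wait before the next request so the remaining quota is
    spread over the rest of the window (assumption: an even spread)."""
    if remaining is None or reset_ms is None:
        return 0.0
    if remaining == 0:
        return reset_ms / 1000.0          # quota exhausted: wait for the window
    return reset_ms / 1000.0 / remaining

def call_with_rate_limit_backoff(send, max_retries=3, sleep=time.sleep, log=None):
    """send() performs one request and returns (status, headers, body).
    On 429 the helper waits until the window resets and retries, giving up
    after max_retries; every observed (status, limit, remaining, reset) is
    appended to log when one is supplied."""
    attempts = 0
    while True:
        status, headers, body = send()
        limit, remaining, reset_ms = parse_rate_limit_headers(headers)
        if log is not None:
            log.append((status, limit, remaining, reset_ms))
        if status != 429:
            return status, headers, body
        attempts += 1
        if attempts > max_retries:
            raise RuntimeError("still rate limited after %d retries" % max_retries)
        # Wait for the next window; fall back to a fixed delay if the header is absent.
        sleep(reset_ms / 1000.0 if reset_ms is not None else 1.0)

class FakeDrRestApi:
    """Constructed stand-in for the server: answers 429 for the first
    deny_first calls, then 200. Quota and reset values are made up."""
    def __init__(self, deny_first, limit=50, reset_ms=1500):
        self.deny_first, self.limit, self.reset_ms, self.calls = deny_first, limit, reset_ms, 0

    def send(self):
        self.calls += 1
        if self.calls <= self.deny_first:
            return 429, {"RateLimit-Limit": str(self.limit),
                         "RateLimit-Remaining": "0",
                         "RateLimit-Reset": str(self.reset_ms)}, ""
        return 200, {"RateLimit-Limit": str(self.limit),
                     "RateLimit-Remaining": str(self.limit - 1),
                     "RateLimit-Reset": "60000"}, "{}"

if __name__ == "__main__":
    server = FakeDrRestApi(deny_first=2)
    observed = []
    status, headers, _ = call_with_rate_limit_backoff(server.send, log=observed)
    print(status, observed)
    print("pace next request by", pacing_delay_s(*parse_rate_limit_headers(headers)), "s")
```

Injecting `sleep` keeps the example testable and also lets a real client swap in an event-loop-friendly wait. The bounded retry count matters: a client that retries a 429 without limit simply keeps consuming the quota of the tier that denied it.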