APIM Combine throttling policy approach

Question

In APIM currently we have product subscription key level throttling. But obviously if we have multiple API's within the same product, one API could consumes more quota than expected and prevent others being able to use the application. So as per the MS documentation (https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling) we can use combine policies.

The question is with that approach whether we can use as below,

    API-1 300 calls per 60 seconds where product subscription key =123
    API-2 200 calls per 60 seconds where product subscription key =123
    API-3 200 calls per 60 seconds where product subscription key =123

If so what could be the the total number of calls for the product subscription key? if it make sense.

I took below approach to have combine policies. But it doesn't like.

    <rate-limit-by-key calls="50" renewal-period="60" counter-key="@(&quot;somevalue&quot; + context.Request.Headers.GetValueOrDefault(&quot;Ocp-Apim-Subscription-Key&quot;))" />
    <rate-limit calls="10" renewal-period="30">  
        <api name="AddressSearch API dev" calls="5" renewal-period="30" />  
            <operation name="Search_GetAddressSuggestions" calls="3" renewal-period="30" />
    </rate-limit>

Answer 1

It's important to understand that counters of rate-limit-by-key and rate-limit are independent.

When rate-limit-by-key allows request to pass it increases it's counter. When rate-limit allows request to pass it increases it's counters. In your configuration when rate-limit-by-key throttles request rate-limit will not be executed and will not count a request.

What that means is that in most cases lower limit wins. Your configuration will allow one subscription to make 50 calls per minute, but it's unlikely to make any difference, because second rate-limit policy will throttle after 10 calls to same product thus the first one will not have any chance to do anything.

If you want limits as in your sample, you could use configuration as follows:

<rate-limit calls="0" renewal-period="0">  
    <api name="API-1" calls="100" renewal-period="60" />  
    <api name="API-2" calls="200" renewal-period="60" />  
    <api name="API-3" calls="300" renewal-period="60" />  
</rate-limit>

Answer 2

So to have the rate limiting API level I have come up with below which addressed my requirement.

<choose>
<when condition="@(context.Operation.Id.Equals("End point name1"))">
<rate-limit-by-key calls="40" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
</when>
<when condition="@(context.Operation.Id.Equals("End point name2"))">
<rate-limit-by-key calls="20" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
</when>
<otherwise>
<rate-limit-by-key calls="15" renewal-period="30" counter-key="@(context.Api.Name + context.Operation.Name + context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key"))" />
</otherwise>
</choose>

Hope this helps.

Answer 3

Just to confirm - you are setting three throttling policies on an API level, based on the subscription key:

API-1: 300 calls per 60 seconds API-2: 200 calls per 60 seconds API-3: 200 calls per 60 seconds

In this case, if these are your only APIs, the maximum number of requests per subscription key per 60 seconds is: 300 + 200 + 200 = 700.

If you have more APIs, they will not be throttled unless you specify a policy for them as well.