
APIGEE Spike Arrest Best practice / Pragmatic usage for Front End Integration

Was dealing with the APIGEE gateway development recently and found out that the usage of Spike Arrest is very limiting to certain integrations (Backend only). As recommended by APIGEE, we should avoid the usage of concurrent rate limit here and potentially replace it with spike arrest.

But the way Spike Arrest is implemented is kinda dodgy, e.g. a spike arrest of 10 tps means that it will trigger a spike arrest limit exception when it receives more than 1 request per 100ms.

With such behaviour, it looks like the rate control has to be controlled at the client side. It is definitely possible to do it from the client backend, but what about those APIs which are used directly from the Front End?

Would like to understand what the recommended identifier for a Spike Arrest is under different scenarios

Backend Integration

  • Probably per client id via API key or auth token

Front End / SPA

A hard one, as unlike backend it is impossible to control request rate from the browser considering multiple users and multiple tabs; however, I have considered

  • IP? (but single IP != single user session)
  • Browser SessionId?
  • Rest client to be spike arrest error aware and to perform a retry?
  • Should not use spike arrest?

Any insights are welcome and appreciated

I believe you are thinking correctly about this space. Useful quick reference: https://docs.apigee.com/api-platform/develop/comparing-quota-spike-arrest-and-concurrent-rate-limit-policies

As you noted the ConcurrentRateLimit policy is deprecated, but between Quota policy (by call allotment) and SpikeArrest (controlled by rate) you can easily control load to your services. Both policies allow you to specify an attribute in order to maintain separate counters or rate calculations based on the value you set for the attribute. This gives you many options for your front-end use case, which may be better served by a quota or a plain rate. I think of rates as more raw protection, and quotas to be more product-management governed in type, but either (or both) can work. Consider a Quota policy based on SessionID and a safety-net SpikeArrest policy set very high as a second layer of protection against overloading your services. In any case though, yes, your clients should be HTTP-429-aware and know how to retry.
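
The points raised in this thread (which identifier keys the rate calculation, and clients retrying after an HTTP 429) can be seen in a small simulation. This is an added example, not code from the original posts or from Apigee: it models the smoothing as the question describes it (one request per 1000/N ms per identifier value) on a simulated clock, and `SpikeArrestModel`, `sendWithRetry`, `compareIdentifiers` and every sample value are hypothetical.

```javascript
// Simplified model of the smoothing described in the question: a rate of N per
// second allows one request per (1000 / N) ms for each identifier value.
// Illustration only; this is not Apigee's actual implementation.
class SpikeArrestModel {
  constructor(ratePerSecond) {
    this.intervalMs = 1000 / ratePerSecond;
    this.lastAllowed = new Map(); // identifier value -> time of last allowed request
  }

  // Returns the HTTP status the gateway would answer with at time nowMs.
  handle(identifier, nowMs) {
    const last = this.lastAllowed.get(identifier);
    if (last !== undefined && nowMs - last < this.intervalMs) return 429;
    this.lastAllowed.set(identifier, nowMs);
    return 200;
  }
}

// 429-aware client on a simulated clock: backs off exponentially (with optional
// jitter) between attempts and gives up after maxAttempts.
function sendWithRetry(gateway, identifier, startMs, opts = {}) {
  const { maxAttempts = 5, baseDelayMs = 100, jitter = () => 0 } = opts;
  let now = startMs;
  for (let attempt = 1; ; attempt++) {
    const status = gateway.handle(identifier, now);
    if (status !== 429 || attempt === maxAttempts) {
      return { status, attempts: attempt, finishedAtMs: now };
    }
    now += baseDelayMs * 2 ** (attempt - 1) + jitter();
  }
}

// Constructed scenario: two browser tabs behind one IP send at the same instant.
// Keyed by IP they share one counter; keyed by session id they do not.
function compareIdentifiers() {
  const byIp = new SpikeArrestModel(10);
  const bySession = new SpikeArrestModel(10);
  return {
    sharedIp: [byIp.handle("203.0.113.7", 0), byIp.handle("203.0.113.7", 0)],
    perSession: [bySession.handle("sess-A", 0), bySession.handle("sess-B", 0)],
  };
}
```

In a real browser client the jitter function would return a small random delay so that tabs throttled together do not all retry at the same moment.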
