
How to rate limit a firebase function with Cloud Armor

I have one cloud function (firebase function) which is publicly accessible and I would like to rate limit this function with the help of Google Cloud Armor.

However, this does not seem to be as trivial a task as I thought; I could not find much documentation on setting up something like this.

This document illustrates exactly what I need but does not provide any guidance to set this up for a cloud function.

When I try to add a Cloud Armor Policy in the GCP console, I cannot even add a target.

I am on the Standard (not Managed Protection Plus) Plan but I think this should be fine.

Cloud Armor does not support rate limiting Cloud Functions. You should instead use the maxInstances option directly within cloud functions. This will allow you to control the simultaneous execution of the function.

If an HTTP function is scaled up to the maxInstances limit, new requests are queued for 30 seconds and then rejected with a response code of 429 Too Many Requests if no instance is available by then.

Cloud Armor is a WAF (Web Application Firewall) that filters traffic at the application level of the OSI layers. It's not a rate limiter or authentication layer.

For that you need to add an API management layer that allows you to authenticate and rate limit the API. API Gateway can do that, but only based on an API key. If the user doesn't use an API key, it's a common pool that is rate limited and a spammer can create an unavailability of the service by consuming all the quotas every time.

Apigee is the other solution, but it's enterprise grade (with an enterprise grade billing plan).


Or, if it's for protecting your money, you can limit the number of function instances thanks to the great answer of Kunal Deo.

Note that the solution provided before (only an API gateway) will provide rate limiting at a service/application level if all users of that service use the same API key. A single user could deplete your entire quota and block function execution for other users.

If you need rate-limit by IP address (or similar), you could:

  1. Make your function private (no invoke privileges for allUsers or allAuthenticatedUsers, only to a service account). You can put an API Gateway in front of your functions if you'd like.
  2. Use a Load Balancer in front of your functions (serverless NEG) or your API gateway. The LB must have invoke privileges using the service account.
  3. Add Cloud Armor to protect the Load Balancer and rate limit it.

At least from reading the docs, it should work:

https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless

https://cloud.google.com/armor/docs/rate-limiting-overview
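
Steps 2 and 3 of the answer above as gcloud commands; this is an added example, not part of the original answers. It assumes a 1st gen function, and the resource prefix, rule priority 1000 and the limit of 60 requests per 60 seconds per client IP are placeholder values; the load balancer frontend (URL map, HTTPS proxy, forwarding rule) is created as in the linked serverless load balancer guide.

```shell
#!/bin/sh
# Added example. Arguments: project, region, function name, and a lowercase
# prefix for the resources created here (all hypothetical values).
attach_rate_limit() {
  project=$1; region=$2; function_name=$3; prefix=$4
  neg="${prefix}-neg"; backend="${prefix}-backend"; policy="${prefix}-throttle"

  # Step 2: serverless NEG pointing at the function, behind a backend service.
  gcloud compute network-endpoint-groups create "$neg" \
    --project="$project" --region="$region" \
    --network-endpoint-type=serverless \
    --cloud-function-name="$function_name" &&
  gcloud compute backend-services create "$backend" \
    --project="$project" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED &&
  gcloud compute backend-services add-backend "$backend" \
    --project="$project" --global \
    --network-endpoint-group="$neg" \
    --network-endpoint-group-region="$region" &&

  # Step 3: Cloud Armor policy with a throttle rule keyed on client IP,
  # so one noisy client gets 429s without consuming other clients' budget.
  gcloud compute security-policies create "$policy" --project="$project" &&
  gcloud compute security-policies rules create 1000 \
    --project="$project" --security-policy="$policy" \
    --src-ip-ranges="*" \
    --action=throttle \
    --rate-limit-threshold-count=60 \
    --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=IP &&

  # Attach the policy to the backend service that fronts the function.
  gcloud compute backend-services update "$backend" \
    --project="$project" --global --security-policy="$policy"
}

# Usage (placeholder values):
#   attach_rate_limit my-project us-central1 myFunction myfn
```

The throttle rule only sees traffic that arrives through the load balancer, so requests sent directly to the function's own URL are not counted by it.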
