alphagov / consent-api

Service for sharing user consent to cookies across multiple domains
https://consent-api-bgzqvpmbyq-nw.a.run.app
MIT License

infra: rate limiting policy #210

Closed guilhem-fry closed 10 months ago

guilhem-fry commented 10 months ago

This PR introduces rate limiting on the backend services sitting behind the load balancers.

The policy implements the following behaviour:

The infra change consists in:

  1. Creating security rules
  2. Creating a security policy that includes these rules
  3. Attaching the security policy to the backend service

The default_rule is necessary: GCP requires all security policies to have a "default rule" at the highest priority.
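
The three steps listed above, sketched with the gcloud CLI as an added example that is not the PR's own code. The policy name, backend service name, rule priority, thresholds and ban duration are assumed placeholders, `--global` assumes a global external load balancer, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added illustration, not the PR's code. Names and numbers below are assumed.
set -eu

POLICY="${POLICY:-example-rate-limit-policy}"   # hypothetical policy name
BACKEND="${BACKEND:-example-backend-service}"   # hypothetical backend service name
DRY_RUN="${DRY_RUN:-1}"                         # 1 prints the commands, 0 runs them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On the CLI the policy must exist before rules can be added to it.
create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description "Rate limiting for backend services"
}

# Rate-based ban keyed on client IP: clients over the threshold receive 403
# and stay banned for the ban duration (all values here are assumed).
create_rate_limit_rule() {
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --src-ip-ranges '*' \
    --action rate-based-ban \
    --enforce-on-key IP \
    --rate-limit-threshold-count 100 \
    --rate-limit-threshold-interval-sec 60 \
    --ban-duration-sec 300 \
    --conform-action allow \
    --exceed-action deny-403
}

# The default rule sits at priority 2147483647; gcloud creates it together
# with the policy, so it is updated here rather than created.
set_default_rule() {
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy "$POLICY" --action allow
}

# Attach the policy to the backend service behind the load balancer.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

create_policy
create_rate_limit_rule
set_default_rule
attach_policy
```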

guilhem-fry commented 10 months ago

We can see the rate limiting ban coming into action with 403s with this small script I ran from my machine against staging:
