Rate Limit Information Returned by the Cloud Controller API

Page last updated:

This topic describes rate limit information that is returned by the Cloud Controller API (CAPI).

For information about how to configure rate limits, see Setting the Rate Limit for the Cloud Controller API.

Rate Limit Responses: General

CAPI includes rate limit information in the HTTP header. Each header includes the following:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 56
X-RateLimit-Reset: 1372700873

Use this table to understand the rate limit header.

Field Value Description
X-RateLimit-Limit The maximum number of attempts per User Account and Authentication (UAA) user, if a user is authenticated. The maximum number of attempts per IP address, if no user is authenticated.
X-RateLimit-Remaining The estimated number of attempts remaining.
X-RateLimit-Reset The time when the rate limit counter resets, in UTC epoch seconds.

Requests are counted separately in each Cloud Controller instance and each produces an estimate for the total number of remaining requests. The estimate is based on the fraction remaining on the Cloud Controller instance, rounded down to the nearest 10%, multiplied by the global maximum number of attempts. This might result in inconsistent values for the X-RateLimit-Remaining header when running multiple instances of CAPI, such as some requests still being allowed when the header value is 0.

When requests exceed the maximum rate limit value, CAPI returns a 429: Too Many Requests error code.

Rate Limit Responses: Service Brokers

Operators can optionally limit the number of concurrent requests per user, for each Cloud Controller instance, for operations related to service brokers that can be made to CAPI endpoints for the following resource types:

Note: Unlike the CAPI rate limit, which caps the requests a user can make across the whole Cloud Foundry platform, service broker rate limits apply per CAPI instance. For example, if the limit is 3 and there are 2 instances, the maximum number of concurrent requests a user can make is 6.

A request finishes when CAPI sends a response. This occurs even if that response is 202 Accepted, indicating that an asynchronous operation is to be performed, such as a service broker creating a service instance. For more information, see Asynchronous Operations in the CAPI V3 documentation. This rate limit does not cap the number of asynchronous operations that can be in progress at any one time for any of the above service-related endpoints.

Any requests that breach the concurrency are rate limited, and receive a 429 Too Many Requests response with the body CF-ServiceBrokerRateLimitExceeded (10016) and a Retry-After header. The header gives an absolute time suggesting when the client should attempt to make their request again. This is the current time plus a random number of seconds between 0.5x and 1.5x of the configured value for cc.broker_client_timeout_seconds.

If this property is not set, it defaults to 60 seconds, and the header suggests a random retry time between 30 and 90 seconds in the future.

Create a pull request or raise an issue on the source for this page in GitHub