Setting the Rate Limit for the Cloud Controller API

Page last updated:

This topic describes how to set the rate limit for the Cloud Controller API (CAPI).

Cloud Foundry lets you set rate limits on the number of requests third parties can make to CAPI. You can set different rate limits for authenticated and unauthenticated users.

Rate limits help to prevent servers from getting overloaded by poorly or maliciously-designed clients that could otherwise force the server to use all its resources servicing those calls instead of responding to legitimate requests.

When rate limiting is enabled, responses to CAPI calls contain information about the limit, how close the user is to reaching it, and when it will reset. For more information, see Rate limit information returned by the Cloud Controller API.

Use the following properties in the cloud_controller_ng BOSH job to define rate limits:

Property Description Default value
cc.rate_limiter.enabled Enable rate limiting for authenticated and unauthenticated CAPI endpoints per user or client false
cc.rate_limiter.general_limit The number of requests an authenticated user or client is allowed to make for all CAPI endpoints over the configured interval 2000
cc.rate_limiter.unauthenticated_limit The number of requests an unauthenticated client is allowed to make to CAPI endpoints over the configured interval 100
cc.rate_limiter.reset_interval_in_minutes The interval in minutes until a user’s available CAPI requests reset 60
cc.rate_limiter_v2_api.enabled Enable rate limiting for UAA-authenticated V2 API (v2/*, except v2/info) endpoints per user or client false
cc.rate_limiter_v2_api.general_limit The number of requests a user or client is allowed to make for v2/* endpoints that do not have a custom limit over the configured interval 2000
cc.rate_limiter_v2_api.admin_limit The number of requests an admin user or client is allowed to make for v2/* endpoints over the configured interval 2000
cc.rate_limiter_v2_api.reset_interval_in_minutes The interval in minutes after which a user’s available V2 API requests will be reset 60
cc.max_concurrent_service_broker_requests Maximum number of concurrent requests to endpoints related to service brokers. A request ends immediately after a response is sent, even if the request is for an ongoing asynchronous operation, such as creating a service instance. Set to 0 to not limit concurrent requests. 0

V2 API rate limit exemption

Users and clients are exempted from the V2 API rate limit if their JWT token includes the scope cloud_controller.v2_api_rate_limit_exempt. To exempt users of the CF CLI, the scope cloud_controller.v2_api_rate_limit_exempt must be added to the cf UAA client used by the CF CLI. Example:

uaac client update cf --scope "<existing scopes> cloud_controller.v2_api_rate_limit_exempt"

Alternativly cf-deployment ops-file enable-cc-v2-rate-limiting.yml can be used instead.

This will exempt users or clients including scope cloud_controller.v2_api_rate_limit_exempt from the V2 API rate limit.

Create a pull request or raise an issue on the source for this page in GitHub