Consul
Set a cluster-wide limit on traffic rates
This topic describes how to configure RPC and gRPC traffic rate limits globally for your entire Consul datacenter.
Configuring traffic rate limits globally lets you specify a budget for read and write requests to prevent any single source IP from overwhelming the Consul server and negatively affecting the network. For information about setting global traffic rate limits, refer to Set a global limit on traffic rates. For an overview of Consul's server rate limiting capabilities, refer to Limit traffic rates overview.
Enterprise
This feature requires Consul Enterprise. Refer to the enterprise feature matrix for additional information.
Overview
You can set limits on the rate of read and write requests globally on your entire Consul datacenter. Global rate limits are intended as an emergency measure to recover a datacenter failing under heavy traffic or to temporarily limit traffic over your datacenter to perform maintenance operations. The limit applies to each server individually — a ReadRate of 500 allows up to 500 read requests on each server, not 500 read requests shared across all servers. Before configuring traffic rate limits, you should complete the initialization process to understand normal traffic loads in your network. Refer to Initialize rate limit settings for additional information.
Configure global traffic rate limits
Complete the following steps to configure global traffic rate limits:
1. Define rate limits in a global rate limit configuration entry. You can set limits for read and write calls.
2. Apply the configuration entry to enact the limits.
You should also monitor read and write rate activity and make any necessary adjustments. Refer to Monitor rate limit data for additional information.
Define rate limits
Create a global rate limit configuration entry. The configuration entry applies to all client requests targeting any partition. Refer to the rate limit configuration entry reference documentation for details about the available configuration parameters.
Specify the following parameters:
kind: This must be set to rate-limit.
name: This must be set to global.
read_rate: Specify the overall number of read operations per second allowed from the service.
write_rate: Specify the overall number of write operations per second allowed from the service.
Apply the configuration entry
If your network is deployed to virtual machines, use the consul config write command and specify the rate limit configuration entry to apply the configuration. For Kubernetes-orchestrated networks, use the kubectl apply command.
$ consul config write rate-limit.hcl
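A pre-flight check for the entry before it is applied, shown as an added example that is not HashiCorp tooling. The helper names (hcl_value, check_rate_limit_entry, aggregate_ceiling) are hypothetical, the sample entry is constructed, and the key spelling follows the parameter list above; confirm it against the configuration entry reference.

```shell
#!/bin/sh
# Added example, not HashiCorp tooling. Key names follow this page's parameter list.

# hcl_value FILE KEY: print the value of a top-level `KEY = value` line (quotes stripped).
hcl_value() {
  awk -F'=' -v key="$2" '
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key {
      v = $2; sub(/#.*/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      print v; exit
    }' "$1"
}

# check_rate_limit_entry FILE: return 0 only if the entry matches what the page requires.
check_rate_limit_entry() {
  rc=0
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  [ "$(hcl_value "$1" kind)" = "rate-limit" ] || { echo "kind must be rate-limit" >&2; rc=1; }
  [ "$(hcl_value "$1" name)" = "global" ] || { echo "name must be global" >&2; rc=1; }
  for field in read_rate write_rate; do
    val="$(hcl_value "$1" "$field")"
    # Policy of this example: a missing, non-numeric or zero rate is treated as a typo.
    awk -v v="$val" 'BEGIN { exit !(v ~ /^[0-9]+(\.[0-9]+)?$/ && v + 0 > 0) }' ||
      { echo "$field must be a positive number, got '$val'" >&2; rc=1; }
  done
  return "$rc"
}

# aggregate_ceiling FILE FIELD SERVERS: the limit is enforced per server, so the
# datacenter as a whole can still accept rate * servers requests per second.
aggregate_ceiling() {
  awk -v r="$(hcl_value "$1" "$2")" -v n="$3" 'BEGIN { print r * n }'
}

# Constructed sample entry, written to a temp file so the demo runs offline.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
kind       = "rate-limit"
name       = "global"
read_rate  = 500   # per server
write_rate = 200
EOF
if check_rate_limit_entry "$sample"; then
  echo "valid; up to $(aggregate_ceiling "$sample" read_rate 3) reads/s across 3 servers"
  # On a real cluster the next step is: consul config write rate-limit.hcl
fi
rm -f "$sample"
```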
Disable request rate limits
Set the config.priority in the configuration file to false and re-apply the configuration entry to allow disabling the rate limit. Consul still applies other traffic limitations.
Exempted entry points
The config entry rate limiter specifically exempts ConfigEntry.Apply and ConfigEntry.Delete operations so that a misconfigured global rate limit cannot prevent operations over your Consul datacenter.
Other entry points exempted by the configuration are: