Implementing Rate Limits With Azure APIM

One of the strongest, simplest, yet little-used features of Azure APIM is throttling. Depending on your user base, your APIM deployment inevitably rests on some level of trust in your callers. But as we all know, once people get a taste of how great your code is, they are going to want it all the time, and the last thing you want is your APIM instance being overloaded along with your back-end resource.

Enter Throttling.

To give you an idea of how simple this is to implement, I am going to add the following policy line to the inbound section of my “All” operation (the one that returns a significant amount of data).

What this policy says is – “For a given client IP address, do not allow more than 5 calls within any 60-second period.” The counter-key attribute is a policy expression, and here it is the caller’s IP as seen by the gateway, so bear in mind that if your callers come in through a proxy or front door they will all share the proxy’s address, and therefore a single counter.

        <rate-limit-by-key calls="5" renewal-period="60" counter-key="@(context.Request.IpAddress)" />

Once implemented, call your API several times in quick succession and on the sixth call within the window you will invariably get a 429 Too Many Requests response, with a Retry-After header and a body telling the caller how many seconds to wait before trying again.

This is definitely an area where you might want to change that status message and what gets returned to the caller: the default body spells out the wait time, and the last thing you want is some malicious hacker being able to ascertain what the max request rate for your API is. Bear in mind that a determined caller can still discover the limit simply by counting responses, so treat a generic message as reducing the information you hand out rather than as protection in itself. To change the response, see the posts on customizing your response objects.

The Microsoft policy documentation also has a great reference to throttling based on the amount of data transferred: the quota-by-key policy takes a bandwidth attribute (kilobytes per renewal period) alongside the call count. This can be great to ensure that no one is using your “generous” APIs to download the world.
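To tie the three pieces together (the per-caller rate limit, the customized 429, and the bandwidth quota), here is a complete operation-scope policy document. This is an added example, not code from the original post: it assumes the operation normally requires a subscription key and falls back to the client IP only for anonymous calls; the variable name retryAfter, the JSON error body and the quota figures are my own choices; and the on-error branch relies on the RateLimitExceeded error reason listed in the APIM policy error-handling reference.

```xml
<policies>
    <inbound>
        <base />
        <!-- Count per subscription key when one is present; fall back to the caller's IP
             for anonymous calls. Behind a proxy or front door the IP fallback lumps every
             caller into one counter, which is why the subscription key is preferred. -->
        <rate-limit-by-key calls="5" renewal-period="60"
            counter-key="@(context.Subscription != null ? context.Subscription.Key : context.Request.IpAddress)"
            retry-after-variable-name="retryAfter" />
        <!-- Bandwidth cap (assumed figures): at most 1000 calls and 50,000 KB served per hour
             per caller. quota-by-key is not available in the Consumption tier. -->
        <quota-by-key calls="1000" bandwidth="50000" renewal-period="3600"
            counter-key="@(context.Subscription != null ? context.Subscription.Key : context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <!-- Replace the default "Rate limit is exceeded. Try again in N seconds." body with a
             generic one, but keep Retry-After so well-behaved clients still back off. -->
        <choose>
            <when condition="@(context.LastError.Reason == &quot;RateLimitExceeded&quot;)">
                <return-response>
                    <set-status code="429" reason="Too Many Requests" />
                    <set-header name="Retry-After" exists-action="override">
                        <!-- Use the value the policy computed; if the variable is absent for any
                             reason, fall back to the full 60-second window. -->
                        <value>@(context.Variables.ContainsKey("retryAfter") ? context.Variables["retryAfter"].ToString() : "60")</value>
                    </set-header>
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"too_many_requests"}</set-body>
                </return-response>
            </when>
        </choose>
    </on-error>
</policies>
```

Paste this into the policy editor at operation scope (the `<base />` elements keep whatever product- and API-level policies you already have). To check it, loop six calls in under a minute with curl and confirm that the sixth returns 429 with the generic body and a Retry-After header, while the first five return 200.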