Comparing Quota and SpikeArrest policies

You're viewing Apigee Edge documentation.
View Apigee X documentation.

Quota and SpikeArrest policies — wondering which one to use to best meet your rate limiting needs? See the comparison chart below.

Quota SpikeArrest
Use it to: Limit the number of connections apps can make to your API proxy's target backend over a specific period of time. Protect your API proxy's target backend against severe traffic spikes and denial of service attacks.
Don't use it to:

Don't use it to protect your API proxy's target backend against traffic spikes.

For that, use the SpikeArrest policy.

Don't use it to count and limit the number of connections apps can make to your API proxy's target backend over a specific period of time.

For that, use the Quota policy.

Stores a count? Yes No
Best practices for attaching the policy:

Attach it to the ProxyEndpoint Request PreFlow, generally after the authentication of the user.

This enables the policy to check the quota counter at the entry point of your API proxy.

Attach it to the ProxyEndpoint Request PreFlow, generally at the very beginning of the flow.

This provides spike protection at the entry point of your API proxy.

HTTP status code when limit has been reached:

500 (Internal Server Error) *

500 (Internal Server Error) *

Good to know:
  • Quota counter is stored in Cassandra.
  • Configure the policy to synchronize the counter asynchronously to save resources.
  • Asynchronous counter synchronization may cause a delay in the rate limiting response, which may allow calls slightly in excess of the limit you've set.
  • Performs throttling based on the time at which the last traffic was received. This time is stored per message processor.
  • If you specify a rate limit of 100 calls per second, only 1 call every 1/100 second (10 ms) will be allowed on the message processor. A second call within 10 ms will be rejected.
  • Even with a high rate limit per second, nearly simultaneous requests may result in rejections.
Get more details: Quota policy SpikeArrest policy

* For the Quota policy and SpikeArrest policy, the default HTTP status code for exceeding the rate limit is a generic 500 Internal Server Error. You can change the status code for those policies to 429 Service Unavailable by adding an organization-level property (features.isHTTPStatusTooManyRequestEnabled). If you're a Cloud customer, contact Apigee Support to have the property enabled.