Envoy local rate limit by IP address using remote_address not working

Trying to configure Envoy Local rate limit by user IP using remote_address.
The expected result is that each IP address will be rate limited by a token_bucket.
But since a value is required for each descriptor entry key in Istio Envoy, I am not able to configure descriptors with an entry for remote_address with an empty value, as Global Rate Limit can do.

Below is my configuration:

kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct 
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter             
    - applyTo: HTTP_ROUTE
      match:
        context: SIDECAR_INBOUND
        routeConfiguration:
          vhost:
            name: "inbound|http|9080"
      patch:
        operation: MERGE
        value:
          route:
            rate_limits:
              - actions:
                - request_headers:
                    header_name: ":path"
                    descriptor_key: path
                - remote_address: {}
          typed_per_filter_config:
            envoy.filters.http.local_ratelimit:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              value:
                stat_prefix: http_local_rate_limiter
                descriptors:
                 - entries:
                   - key: path
                     value: /api/v1/products
                   - key: remote_address
                   token_bucket:
                     max_tokens: 4
                     tokens_per_fill: 4
                     fill_interval: 60s                    
                filter_enabled:
                  runtime_key: local_rate_limit_enabled
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                filter_enforced:
                  runtime_key: local_rate_limit_enforced
                  default_value:
                    numerator: 100
                    denominator: HUNDRED
                response_headers_to_add:
                  - append: false
                    header:
                      key: x-local-rate-limit
                      value: 'true'
                token_bucket:
                  max_tokens: 15
                  tokens_per_fill: 15
                  fill_interval: 60s

I faced the same issue. Any solution?

Hi @mohaghegh,
According to my investigation, remote_address can only be configured with some specific IPs for Local Rate Limit.
For Global Rate Limit, it is OK to configure it with an empty value to limit each IP address. But that is because the configuration is for the rate limit service of Global Rate Limit, and Local Rate Limit has no such rate limit service and no storage for IPs.

Thanks @long .
As you said, currently the LocalRateLimit does not allow per remote address rate limiting, so I took the Global RL service.
I found this related issue at Envoy.

Hi @mohaghegh ,
Thanks for your kind feedback.
With Global Rate Limit, yes. But it means we also need to manage a Rate Limit service, which increases the complexity when we only need some simple rate limit configuration.

It is not so simple with Global Rate Limit then :grinning:
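
Added example, not part of the thread and not Envoy's implementation: a simplified Python model of the behaviour discussed above, with an exact-match descriptor table (as the posters describe for Local Rate Limit) next to a limiter that keeps one bucket per observed remote_address (as they describe for the Global Rate Limit service). The class names, the `allowed` helper and the `max_entries` bound are assumptions for illustration; the token bucket numbers are taken from the configuration in the question.

```python
from collections import OrderedDict

class TokenBucket:
    """max_tokens / tokens_per_fill / fill_interval as in the config above."""
    def __init__(self, max_tokens, tokens_per_fill, fill_interval_s, now=0.0):
        self.max_tokens, self.per_fill, self.interval = max_tokens, tokens_per_fill, fill_interval_s
        self.tokens, self.last_fill = max_tokens, now

    def allow(self, now):
        fills = int((now - self.last_fill) // self.interval)
        if fills > 0:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.per_fill)
            self.last_fill += fills * self.interval
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True

class StaticDescriptorLimiter:
    """Exact match only: each descriptor entry carries a value fixed at config time."""
    def __init__(self, descriptors, default_bucket):
        self.table = {frozenset(e.items()): b for e, b in descriptors}
        self.default = default_bucket

    def allow(self, path, remote_address, now):
        key = frozenset({"path": path, "remote_address": remote_address}.items())
        # Any address not listed in the table shares the default bucket.
        return self.table.get(key, self.default).allow(now)

class PerAddressLimiter:
    """Key-only match on remote_address: a bucket is created per observed address."""
    def __init__(self, path, default_bucket, max_entries=10_000):
        self.path, self.default, self.max_entries = path, default_bucket, max_entries
        self.buckets = OrderedDict()  # the per-IP storage a static table lacks

    def allow(self, path, remote_address, now):
        if path != self.path:
            return self.default.allow(now)
        if remote_address not in self.buckets:
            self.buckets[remote_address] = TokenBucket(4, 4, 60, now)
            if len(self.buckets) > self.max_entries:
                # Bound memory: drop the least recently seen address (its limit resets).
                self.buckets.popitem(last=False)
        self.buckets.move_to_end(remote_address)
        return self.buckets[remote_address].allow(now)

def allowed(limiter, address, n, now=0.0, path="/api/v1/products"):
    """Number of n back-to-back requests from `address` that pass."""
    return sum(limiter.allow(path, address, now) for _ in range(n))
```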