Rate Limiting

[mpstefan]

trafficstars

As an application developer using NGF I want to limit the amount of traffic originating from any one client So that a single or small set of clients cannot degrade the performance of my application by making too many requests.

Background

Rate limiting is the first of three major use cases that greatly improved by NGINX Plus' State Sharing capability. It is also one of the most common use cases for an API Gateway product in order to achieve a basic level of security against performance degradation. By building a capability around configuring rate limits and enabling state sharing, we set the groundwork to enable OAuth2 and Session Persistence use cases to be delivered in future releases.

State sharing is critically important for rate limiting once the user scales to multiple replicas, as without it, rate limits will only be tracked individually per nginx instance and gives the user no real way to configure a global rate limit for a client.

Acceptance Criteria

• NGF users are able to configure rate limits as a policy to attach to a Route or Gateway resource.

Definition of Done

• The Rate Limiting Extension successfully throttles requests as per the rate, key, delay, and burst configurations, similarly to NGINX Ingress Controller
• The extension integrates seamlessly with HTTPRoute and Gateways adheres to Gateway API standards.
• All configurations are validated, and invalid entries are rejected with clear error messages.
• Complete user documentation with examples is provided, including configuration fields, usage, and troubleshooting.

### Tasks
- [ ] https://github.com/nginxinc/nginx-gateway-fabric/issues/2886
- [ ] Implementation
- [ ] Functional Test
- [ ] Rate Limit Guide