- Rate Limit API Usage with Quotas
Ensure that API Gateway APIs are configured to use rate limiting with quotas to prevent abuse, protect backend services from overload, and ensure fair and optimal usage by limiting the number of requests a client can make within a specified time.
efficiency
With API Gateway, you can define quotas to control the rate at which applications access your API. By setting quotas, you can specify usage limits to safeguard your API from an overwhelming number of requests, which may result from simple errors like typos or poorly designed systems making unnecessary calls. Implement rate limits and quotas based on your usage patterns and client profiles. Setting quotas ensures that no single application can negatively affect other applications using your API.
Audit
To determine if your API Gateway APIs are configured to use rate limiting with quotas, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.
04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to examine, available in the Name column.
05 Select the Configs tab and click on the name of the API configuration associated with the selected API.
06 Select the Config File tab and check the API configuration file (YAML format) for the following three sections:
- x-google-management.metrics - defines custom metrics for monitoring and quota management of your API.
- x-google-management.quota.limits - defines quota limits for your API, controlling usage and preventing abuse.
- x-google-quota.metricCosts - shows the cost (in quota units) consumed by the request against specific metrics.
07 If the x-google-management.metrics, x-google-management.quota.limits, and x-google-quota.metricCosts sections are not present in the API configuration file or their definitions are empty, the selected API Gateway API is not configured to use rate limiting with quotas to prevent abuse.
08 Repeat steps no. 4 - 7 for each API Gateway API available in the selected GCP project.
09 Repeat steps no. 2 – 8 for each GCP project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project IDS:
PROJECT_ID
cc-web-project-123123
cc-dev-project-112233
03 Run api-gateway apis list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID of each API Gateway API created for the selected project:
gcloud api-gateway apis list --project cc-web-project-123123 --format="table(NAME)"
04 The command output should return the fully qualified identifier for each API:
NAME: projects/cc-web-project-123123/locations/global/apis/tm-project5-api
NAME: projects/cc-web-project-123123/locations/global/apis/tm-map-app-api
05 Run api-gateway api-configs list command (Windows/macOS/Linux) with the ID of the API Gateway API that you want to examine as the identifier parameter and custom output filters to describe the ID of the API configuration associated with the selected API:
gcloud api-gateway api-configs list --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --format="table(NAME)"
06 The command output should return the fully qualified identifier of the associated API config:
NAME: projects/cc-web-project-123123/locations/global/apis/tm-project5-api/configs/tm-project5-api-config
07 Run api-gateway api-configs describe command (Windows/macOS/Linux) with the ID of the API configuration that you want to examine as the identifier parameter and custom output filters to describe the API configuration's source file in YAML format:
gcloud api-gateway api-configs describe projects/cc-web-project-123123/locations/global/apis/tm-project5-api/configs/tm-project5-api-config --view=FULL --format="value(openapiDocuments[].document.contents)" | base64 --decode && echo
08 The command output should return the requested configuration file (YAML format):
swagger: '2.0'
info:
  title: CustomerAPI
  description: Project5 Customer API
  version: 1.0.0
host: "tm-project5-api.apigateway.cc-web-project-123123.cloud.goog"
schemes:
  - https
produces:
  - application/json
paths:
  /listCustomers:
    get:
      summary: Get the high-profile customers
      consumes:
        - application/json
      operationId: listCustomers
      x-google-backend:
        address: https://project5service-123456789012.us-central1.run.app
      responses:
        '200':
          description: Successful response
          schema:
            type: string
      security:
        - api_key: []
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
09 Check the API configuration file returned by the api-gateway api-configs describe command output at the previous step for the following three sections:
- x-google-management.metrics - defines custom metrics for monitoring and quota management of your API.
- x-google-management.quota.limits - defines quota limits for your API, controlling usage and preventing abuse.
- x-google-quota.metricCosts - shows the cost (in quota units) consumed by the request against specific metrics.
10 If the x-google-management.metrics, x-google-management.quota.limits, and x-google-quota.metricCosts sections are not present in the API configuration file or their definitions are empty, the selected API Gateway API is not configured to use rate limiting with quotas to prevent abuse.
11 Repeat steps no. 5 - 10 for each API Gateway API created for the selected GCP project.
12 Repeat steps no. 3 – 11 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
To ensure that your Google Cloud API Gateway APIs are configured to use rate limiting with quotas, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to API Gateway console available at https://console.cloud.google.com/api-gateway/.
04 On the APIs listing page, click on the name (link) of the API Gateway API that you want to configure, available in the Name column.
05 Select the Configs tab and click on the name of the API configuration associated with the selected API.
06 Select the Config File tab and save the existing OpenAPI definition (OpenAPI spec) to a YAML file.
07 Modify the YAML file to configure rate limiting with quotas for your API. Add the x-google-management.metrics, x-google-management.quota.limits, and x-google-quota.metricCosts sections to your configuration file, as shown in the example below. With x-google-management.metrics, you can define the metrics required for monitoring and quota management of your API. With x-google-management.quota.limits, you can configure the quota limits for your API. And with x-google-quota.metricCosts, you can configure the cost (in quota units) consumed by the request against the specified metrics:
swagger: '2.0'
info:
  title: CustomerAPI
  description: Project5 Customer API
  version: 1.0.0
host: "tm-project5-api.apigateway.cc-web-project-123123.cloud.goog"
schemes:
  - https
produces:
  - application/json
x-google-management:
  metrics:
    - name: "list-customers-request"
      displayName: "List customer quota"
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: "list-customer-limit"
        metric: "list-customers-request"
        unit: "1/min/{project}"
        values:
          STANDARD: 10
paths:
  /listCustomers:
    get:
      summary: Get the high-profile customers
      consumes:
        - application/json
      operationId: listCustomers
      x-google-backend:
        address: https://project5service-461695253704.us-central1.run.app
      responses:
        '200':
          description: Successful response
          schema:
            type: string
      security:
        - api_key: []
      x-google-quota:
        metricCosts:
          "list-customers-request": 1
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
08 Because your API configuration has been changed, you must replace the existing API gateway with a new one based on the modified OpenAPI definition file. Navigate back to your API page and choose CREATE GATEWAY from the top-right menu to create a new API gateway.
09 On the Create gateway setup page, perform the following actions:
- For API, select your API.
- For API Config, choose to create a new API configuration, upload the OpenAPI spec file modified at step no. 7, provide a display name for the new API config, and select the service account that will be used by the new API gateway.
- For Gateway details, provide a name for the new API gateway and select the appropriate location.
- Choose Create gateway to create your new API gateway.
10 Update your application to use the new API gateway.
11 (Optional) You can now delete the non-compliant API gateway. Open your API, select the GATEWAYS tab, choose the non-compliant gateway, click on the 3-dot button to open the options menu, and select Delete.
12 Repeat steps no. 4 - 11 for each API Gateway API that you want to configure, available in the selected GCP project.
13 Repeat steps no. 2 – 12 for each GCP project deployed within your Google Cloud account.
Using GCP CLI
01 Run api-gateway api-configs describe command (Windows/macOS/Linux) to get the OpenAPI definition file (OpenAPI spec) associated with your API configuration, as specified in the Audit section. To configure rate limiting with quotas for your API, add the x-google-management.metrics, x-google-management.quota.limits, and x-google-quota.metricCosts sections to your configuration file, as shown in the example below. With x-google-management.metrics, you can define the metrics required for monitoring and quota management of your API. With x-google-management.quota.limits, you can configure the quota limits for your API. And with x-google-quota.metricCosts, you can configure the cost (in quota units) consumed by the request against the specified metrics:
swagger: '2.0'
info:
  title: CustomerAPI
  description: Project5 Customer API
  version: 1.0.0
host: "tm-project5-api.apigateway.cc-web-project-123123.cloud.goog"
schemes:
  - https
produces:
  - application/json
x-google-management:
  metrics:
    - name: "list-customers-request"
      displayName: "List customer quota"
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: "list-customer-limit"
        metric: "list-customers-request"
        unit: "1/min/{project}"
        values:
          STANDARD: 10
paths:
  /listCustomers:
    get:
      summary: Get the high-profile customers
      consumes:
        - application/json
      operationId: listCustomers
      x-google-backend:
        address: https://project5service-461695253704.us-central1.run.app
      responses:
        '200':
          description: Successful response
          schema:
            type: string
      security:
        - api_key: []
      x-google-quota:
        metricCosts:
          "list-customers-request": 1
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
02 Run api-gateway api-configs create command (Windows/macOS/Linux) to create a new API configuration resource for your API, using the OpenAPI definition file modified at the previous step (i.e., openapi-spec-file.yaml):
gcloud api-gateway api-configs create tm-project5-new-api-config --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --openapi-spec=openapi-spec-file.yaml
03 The command output should return the operation status:
Waiting for API Config [tm-project5-new-api-config] to be created for API [tm-project5-api]... done.
04 Run api-gateway gateways update command (Windows/macOS/Linux) to update your API Gateway API with the new API configuration:
gcloud api-gateway gateways update tm-project5-api-gateway --api=projects/cc-web-project-123123/locations/global/apis/tm-project5-api --api-config=tm-project5-new-api-config --location=us-central1
05 The command output should return the operation status:
Waiting for API Gateway [tm-project5-api-gateway] to be updated... done.
06 Update your application to use the new API gateway.
07 Repeat steps no. 1 - 6 for each API Gateway API that you want to configure, available in the selected GCP project.
08 Repeat steps no. 1 – 7 for each GCP project deployed within your Google Cloud account.
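The following Python script is an added example, not part of this page and not Google's tooling. It covers two of the steps above in code: steps 9-10 of the CLI Audit procedure (checking the decoded OpenAPI document for the x-google-management.metrics, x-google-management.quota.limits and x-google-quota.metricCosts sections) and step 1 of the CLI Remediation procedure (adding those sections to an unprotected document). The audit goes one step beyond the page's presence check: it also verifies that every limit points at a defined metric and that every operation charges a metric some limit applies to, because a document can contain all three sections and still leave an operation unmetered. The sample document is the unprotected CustomerAPI spec from the Audit section, hand-converted to the dict that yaml.safe_load() would return; the metric and limit naming scheme in add_quotas() and the PyYAML dependency in the __main__ block are assumptions made here.

```python
"""Quota audit and remediation helpers for an API Gateway OpenAPI document.

Added example, not the page's or Google's code. audit_quotas() applies the
three-section check from the Audit procedure and ties the names together;
add_quotas() builds the x-google-management and x-google-quota sections the
Remediation procedure describes, for every operation in the document.
"""
import copy
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: the unprotected document from the Audit section, as the
# dict that yaml.safe_load() returns for the decoded gcloud describe output.
UNPROTECTED_SPEC = {
    "swagger": "2.0",
    "info": {"title": "CustomerAPI", "version": "1.0.0"},
    "host": "tm-project5-api.apigateway.cc-web-project-123123.cloud.goog",
    "paths": {
        "/listCustomers": {
            "get": {
                "operationId": "listCustomers",
                "x-google-backend": {"address": "https://project5service-123456789012.us-central1.run.app"},
                "security": [{"api_key": []}],
            }
        }
    },
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}},
}


def operations(spec):
    """Yield (path, method, operation) for every operation in the document."""
    for path, item in (spec.get("paths") or {}).items():
        for method, op in (item or {}).items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                yield path, method, op


def audit_quotas(spec):
    """Return findings; an empty list means every operation is metered and limited.

    Beyond checking that the three sections exist, each limit must name a defined
    metric and each operation must charge a metric that at least one limit covers.
    """
    findings = []
    mgmt = spec.get("x-google-management") or {}
    metrics = {m.get("name") for m in (mgmt.get("metrics") or []) if m.get("name")}
    limits = (mgmt.get("quota") or {}).get("limits") or []
    if not metrics:
        findings.append("x-google-management.metrics is missing or empty")
    if not limits:
        findings.append("x-google-management.quota.limits is missing or empty")

    limited = set()  # metrics that at least one usable limit applies to
    for lim in limits:
        if lim.get("metric") in metrics and lim.get("values"):
            limited.add(lim["metric"])
        else:
            findings.append(f"limit {lim.get('name')!r} has no values or references undefined metric {lim.get('metric')!r}")

    for path, method, op in operations(spec):
        where = f"{method.upper()} {path}"
        costs = (op.get("x-google-quota") or {}).get("metricCosts") or {}
        if not costs:
            findings.append(f"{where}: no x-google-quota.metricCosts, requests are not counted")
        for metric in costs:
            if metric not in limited:
                findings.append(f"{where}: metric {metric!r} is charged but is undefined or has no limit")
    return findings


def add_quotas(spec, per_minute, unit="1/min/{project}"):
    """Return a copy of spec with one DELTA/INT64 metric, one limit and a metricCost
    of 1 per operation, leaving operations that already charge a metric untouched.
    Names are derived from operationId (a choice made here, not a Google rule); the
    default unit is the per-consumer-project key used in the page's example.
    """
    out = copy.deepcopy(spec)
    mgmt = out.setdefault("x-google-management", {})
    metrics = mgmt.setdefault("metrics", [])
    limits = mgmt.setdefault("quota", {}).setdefault("limits", [])
    for path, method, op in operations(out):
        if (op.get("x-google-quota") or {}).get("metricCosts"):
            continue
        name = (op.get("operationId") or method + path.replace("/", "-")) + "-request"
        metrics.append({"name": name, "displayName": f"{name} quota", "valueType": "INT64", "metricKind": "DELTA"})
        limits.append({"name": f"{name}-limit", "metric": name, "unit": unit, "values": {"STANDARD": per_minute}})
        op["x-google-quota"] = {"metricCosts": {name: 1}}
    return out


if __name__ == "__main__":
    # Audit a spec piped in from the gcloud describe command in the Audit section
    # (`... | base64 --decode | python3 quota_check.py`). PyYAML is assumed here.
    import yaml
    for line in audit_quotas(yaml.safe_load(sys.stdin)) or ["OK: all operations are rate limited"]:
        print(line)
```

Run against the unprotected document, audit_quotas() reports all three sections missing plus the unmetered GET /listCustomers operation; the document returned by add_quotas(UNPROTECTED_SPEC, 10) passes the audit and can be dumped back to YAML and supplied to the api-gateway api-configs create command from step 2.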
References
- Google Cloud Platform (GCP) Documentation
- About quotas
- About quotas (Open API)
- Configuring quotas
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud api-gateway apis list
- gcloud api-gateway api-configs list
- gcloud api-gateway api-configs describe
- gcloud api-gateway api-configs create
- gcloud api-gateway gateways update