Acquia Edge Standard uses rate limiting to safeguard your domains against malicious or abusive activity by restricting the volume of requests permitted from an individual client. After a client exceeds the configured threshold, Acquia Edge Standard enforces the rate limit by blocking further requests from that client.
Note
Rate limiting is enforced to block all incoming traffic that surpasses the configured threshold. No alternative enforcement actions exist, such as throttling or custom responses.
IP penalty box
To ensure optimal performance and security for all users, Edge Standard enforces a request threshold.
The threshold: Acquia monitors the maximum number of Platform Application Programming Interface (PAPI) requests per second from a single IP address.
The impact: If your IP address exceeds this limit, you receive a 403 Access Denied error.
The penalty box: After the limit is triggered, the system places the offending IP address in a 10-minute penalty box where it blocks requests.
Extensions: If the IP continues to send requests that exceed the limit while in the penalty box, the system resets or extends the 10-minute timer.
Corporate users: Note that multiple users that operate behind a single corporate firewall appear as a single IP address. This means the collective activity of your team can trigger the penalty box for everyone in the office.
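The following model of the penalty box is an added example, not Acquia code. It shows why a team behind one shared address should back off for the full 10 minutes instead of retrying. It assumes fixed one-second counting buckets, a timer that fully restarts on each over-limit second, and a constructed limit of 5 requests per second, because the page does not state the actual threshold.

```python
from collections import defaultdict

PENALTY_SECONDS = 600    # the 10-minute penalty box described above
LIMIT = 5                # constructed value; the page does not state the threshold
NAT_IP = "203.0.113.10"  # constructed: one office egress address shared by a team


def simulate(events, limit_per_second=LIMIT):
    """Replay (timestamp_seconds, ip) events; return [(ts, ip, status)].

    Assumptions of this model: requests are counted in fixed one-second
    buckets, and an over-limit second while boxed restarts the full timer.
    """
    counts = defaultdict(int)   # (ip, whole second) -> requests seen so far
    boxed_until = {}            # ip -> time at which the penalty box expires
    results = []
    for ts, ip in sorted(events):
        counts[(ip, int(ts))] += 1
        if counts[(ip, int(ts))] > limit_per_second:
            boxed_until[ip] = ts + PENALTY_SECONDS   # enter the box, or restart it
        blocked = boxed_until.get(ip, 0) > ts
        results.append((ts, ip, 403 if blocked else 200))
    return results


# Constructed traffic: six requests from the shared address inside one second.
burst = [(i * 0.1, NAT_IP) for i in range(6)]

# Team backs off: one probe mid-penalty, one after the 10 minutes have passed.
backs_off = simulate(burst + [(300, NAT_IP), (601, NAT_IP)])

# Team keeps retrying: a second over-limit burst at t=300 restarts the timer.
retries = simulate(burst + [(300 + i * 0.1, NAT_IP) for i in range(6)] + [(601, NAT_IP)])

if __name__ == "__main__":
    print("backs off:", [status for _, _, status in backs_off])
    print("retries, probe at t=601:", retries[-1])
```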
Manage rate limiting
To manage rate limiting:
In the Edge console, go to Security.
Select Rule configuration.
Select the Rate limiting tab.
The Rate limiting page lists your existing rules and displays:
Rule name
Assigned domains (including a “+N” indicator when additional domains are assigned)
Traffic profile
Date created
Actions (Edit rule, Delete rule)
To find rules, search by domain or by rule name.
How rate limiting rules work
Rate limiting rules apply per domain based on your configuration:
Domain-specific rules apply only to the domains that you select during rule creation.
A global rule applies to all existing configured domains and to any new domains added in the future.
If a global rule is active, any domain-specific rule acts as an exception (override) for the domains assigned to that rule. For those domains, the domain-specific rule’s profile replaces the global rule’s profile.
Traffic profiles
To create or update a rule, you must select a traffic profile. A traffic profile sets the maximum allowed request rate per second for each client IP.
The available profiles include:
Profile | Requests per second
Strict | 10
Tough | 25
Moderate | 35
Friendly | 70
Lenient | 200
As you move from Lenient to Strict, the protection level increases. The risk of false positives also increases, which means legitimate users are more likely to be rate limited during high-traffic periods.
Note
For most domains, start with the Moderate or Friendly profile. Adjust after you monitor the impact on your users and traffic.
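One way to check a profile against your own traffic before you apply it, as an added example that is not part of Acquia's tooling. It computes each client IP's peak requests in any one second from access-log records and lists which clients each profile would have blocked. The log records, the IP addresses, and the fixed one-second counting window are assumptions made for this sketch.

```python
from collections import Counter

# Per-IP requests-per-second caps, taken from the profile table above.
PROFILES = {"Strict": 10, "Tough": 25, "Moderate": 35, "Friendly": 70, "Lenient": 200}


def peak_rps_per_ip(records):
    """records: iterable of (epoch_second, client_ip) -> {ip: peak requests in one second}."""
    per_second = Counter((ip, int(ts)) for ts, ip in records)
    peaks = {}
    for (ip, _second), n in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


def clients_blocked(records, profile):
    """IPs whose peak exceeds the profile's cap, so they would have been blocked."""
    cap = PROFILES[profile]
    return sorted(ip for ip, peak in peak_rps_per_ip(records).items() if peak > cap)


def strictest_safe_profile(records, known_good):
    """Strictest profile that would not have blocked any known-good IP, else None."""
    peaks = peak_rps_per_ip(records)
    need = max((peaks.get(ip, 0) for ip in known_good), default=0)
    for name, cap in sorted(PROFILES.items(), key=lambda kv: kv[1]):
        if need <= cap:
            return name
    return None


# Constructed sample: an office NAT address, a single visitor, and a noisy client.
OFFICE, VISITOR, NOISY = "198.51.100.7", "192.0.2.44", "203.0.113.99"
SAMPLE = (
    [(1000, OFFICE)] * 30 + [(1001, OFFICE)] * 12
    + [(1000 + s, VISITOR) for s in range(3) for _ in range(3)]
    + [(1002, NOISY)] * 120
)

if __name__ == "__main__":
    for name in PROFILES:
        print(name, clients_blocked(SAMPLE, name))
    print("strictest safe:", strictest_safe_profile(SAMPLE, {OFFICE, VISITOR}))
```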
Create a rate limit rule
To create a new rate limit rule:
In the Edge console, go to Security > Rule configuration > Rate limiting.
Select Create rule.
In Set rule details:
Name: Enter a descriptive rule name.
Domains: Select one or more domains to protect. Alternatively, select Make global to apply this rule to all current and future domains in your tenant.
Important: You can configure a rate limiting rule as either domain-specific or global:
If you select one or more domains, you cannot also make the rule global.
If you select Make global, you cannot assign individual domains to that rule.
In Set traffic profile, select the profile that best matches your needs.
Select Create rule.
After you save the rule, the console displays a deployment status message indicating the configuration is deploying to the network.
Global rule behavior and exceptions
Create a global rule when domain-specific rules already exist
If you create a global rate limiting rule and domain-specific rules already exist, the console prompts you to choose how to handle the existing rules:
Keep as exceptions: Your existing domain-specific rules remain active. The new global rule applies to all domains that do not already have a specific rule. Domain-specific rules function as exceptions that override the global profile for the domains they cover.
Delete existing rules: All existing domain-specific rules are deleted. The new global rule becomes the only active rate limiting rule and applies consistently across all domains.
Warning
Selecting Delete existing rules permanently removes those domain-specific rules. This action can significantly change the protection level across your domains. Review the impact carefully before you proceed.
Create a domain-specific rule when a global rule is active
If a global rule is already active and you create a new domain-specific rule:
The global rule continues to apply to all domains by default.
The new domain-specific rule becomes an exception for the domains you assign to it. This overrides the global profile for those domains.
In the domain selector, domains already covered by an existing rule are highlighted to help you make informed decisions about overrides.
Edit a rate limit rule
To update an existing rule:
In the Edge console, go to Security > Rule configuration > Rate limiting.
In the row for the rule you want to change, select Actions > Edit rule.
Update the Domains (or the global setting) or the Traffic profile.
Select Update rule.
Depending on the change, the console displays a confirmation summary that describes the changes before you confirm.
Delete a rate limit rule
To delete a rule:
In the Edge console, go to Security > Rule configuration > Rate limiting.
In the row for the rule you want to remove, select Actions > Delete rule.
Confirm that you want to delete the rule.
Warning
Deleting a rule removes rate limiting protection from the domains that relied on that rule. If you still require protection, ensure that another rule, such as a global rule, covers those domains.