Local rate limit (proto)

This extension has the qualified name envoy.filters.network.local_ratelimit


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

Local rate limit configuration overview.


[extensions.filters.network.local_ratelimit.v3.LocalRateLimit proto]

  "stat_prefix": ...,
  "token_bucket": {...},
  "runtime_enabled": {...},
  "share_key": ...

(string, REQUIRED) The prefix to use when emitting statistics.


(type.v3.TokenBucket, REQUIRED) The token bucket configuration to use for rate limiting connections that are processed by the filter’s filter chain. Each incoming connection processed by the filter consumes a single token. If the token is available, the connection will be allowed. If no tokens are available, the connection will be immediately closed.


In the current implementation each filter and filter chain has an independent rate limit, unless a shared rate limit is configured via share_key.


In the current implementation the token bucket’s fill_interval must be >= 50ms to avoid too aggressive refills.


(config.core.v3.RuntimeFeatureFlag) Runtime flag that controls whether the filter is enabled or not. If not specified, defaults to enabled.


(string) Specifies that the token bucket used for rate limiting should be shared with other local_rate_limit filters with a matching token_bucket and share_key configuration. All fields of token_bucket must match exactly for the token bucket to be shared. If this field is empty, this filter will not share a token bucket with any other filter.