
How to Configure Rate Limit Zones

This guide explains how to create and use Rate Limit Zones to implement granular, stateful rate limiting policies for your applications.

Before you begin: Review Rate Limiting Concepts to understand the basics of rate limiting in Peakhour.

Understanding Rate Limit Zones

A Rate Limit Zone is a named counter that you can configure to track request rates for specific traffic segments. Unlike simple rate limiting rules, zones allow you to build more complex logic, such as applying different limits based on user behavior (e.g., failed login attempts) or WAF events.

Each zone has its own configuration for:

  • Requests: The number of requests allowed.
  • Interval: The time period (in seconds) over which requests are counted.
  • Block Duration: How long (in seconds) to block a client once they exceed the limit.

Access and Create a Rate Limit Zone

  1. Navigate to your Domain Dashboard.
  2. In the main navigation, under "Rules & Scripting", click on Rate Limiting.
  3. The page is divided into two sections: Configured Zones and Rules.
  4. In the "Add New Zone" card, fill in the configuration details:
    • Name: A descriptive name for your zone (e.g., api_requests_per_user). This name must be unique.
    • Requests: The maximum number of requests to allow in the interval (e.g., 100).
    • Interval (seconds): The time window for the request count (e.g., 60 for 1 minute).
    • Block Duration (seconds): How long to block the client after they exceed the rate (e.g., 300 for 5 minutes).
  5. Click Add Zone. Your new zone will appear in the "Configured Zones" list.

Use a Zone in a Firewall Rule

Once a zone is created, you use it by creating rules in the Rules Engine. Zones are primarily used in the rate_limit_request, rate_limit_request_late, and rate_limit_response phases.

Example: Rate Limiting an API Endpoint

Let's create a rule that uses a zone named api_limit to limit requests to /api/.

  1. Navigate to Rules Engine > All Rules.
  2. Click Add New Rule and select the Rate Limit Request phase.
  3. Fill in the rule details:
    • Rule Name: Rate Limit API Traffic
    • Filter: Use the rule builder or enter the expression starts_with(http.request.uri.path, "/api/").
  4. Configure the Actions:
    • Click Add Action Group and select Rate Limit.
    • Select the Check zone action.
    • In the dropdown, select your api_limit zone.
    • Click Add Action to configure what happens when the limit is exceeded. Choose block and a status code like 429.
    • Next, you must define the Zone Key, which determines how clients are tracked. Click the Zone Key field, select IP address from the dropdown. This will track requests per IP.
    • You can also add the Add to zone action to ensure every request matching the filter is counted by the api_limit zone.

Your final action configuration will look something like this:

  • Add to zone: api_limit
  • Check zone: api_limit
  • Zone Key: IP address
  • Action: block, Status Code: 429

  5. Save and Commit your changes.

Configuring the Zone Key

The Zone Key is a critical part of a rate limiting rule. It defines what uniquely identifies a "client" for the purpose of counting requests. You can key on a single attribute or combine multiple keys for more complex scenarios. Combining keys makes the counter more granular (one bucket per distinct combination of values), so a key of IP address plus API key tracks each user on each address separately; it does not make the limit stricter. Bear in mind that the client controls the value of a header or cookie and can rotate it to obtain a fresh counter, so a limit intended to stop abuse should include an attribute the client cannot freely change, such as the IP address or a fingerprint.

The following key types are available:

| Key Type | Description | Example Configuration |
| --- | --- | --- |
| ip | The client's IP address. This is the most common key type. | key: [{type: "ip"}] |
| country | The client's two-letter country code, derived from GeoIP data. | key: [{type: "country"}] |
| asn | The client's Autonomous System Number (ASN). | key: [{type: "asn"}] |
| header | The value of a specified HTTP request header. This is useful for keying on API keys or session tokens. | key: [{type: "header", header: "Authorization"}] |
| cookie | The value of a specified cookie. | key: [{type: "cookie", cookie: "session_id"}] |
| fingerprint_h2 | The client's HTTP/2 fingerprint. | key: [{type: "fingerprint_h2"}] |
| fingerprint_tls | The client's TLS fingerprint. | key: [{type: "fingerprint_tls"}] |

With the example rule in place, any request to a path starting with /api/ is counted in the api_limit zone, keyed by the client's IP address. If an IP exceeds the configured Requests within the Interval, it is blocked for the zone's Block Duration.
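To make the zone parameters (Requests, Interval, Block Duration) and the Zone Key choices concrete, here is a small Python model of a zone, written for this guide as an added example. It is not Peakhour's code and it makes assumptions the page does not state: counting uses a fixed window per key, the request that pushes the count past Requests is itself blocked, a block lasts Block Duration seconds regardless of the window, and a missing header or cookie contributes an empty value to the key. The key spec uses the same notation as the table above; the zone name, the traffic and the hypothetical `req`, `zone_key` and `simulate` helpers are all constructed for the example.

```python
"""Simplified model of a Rate Limit Zone (added example, not Peakhour's
implementation). Assumptions: fixed window per key, the request that exceeds
`requests` is blocked, a block lasts `block_duration` seconds, and a missing
header or cookie contributes "" to the key."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    requests: int        # maximum requests allowed per interval
    interval: int        # counting window, in seconds
    block_duration: int  # seconds a client stays blocked after exceeding the limit
    # per-key state: key -> (window_start, count, blocked_until)
    state: dict = field(default_factory=dict)

    def check(self, key, now):
        """Count one request for `key` at time `now`; return "allow" or "block"."""
        window_start, count, blocked_until = self.state.get(key, (now, 0, 0))
        if now < blocked_until:
            return "block"                      # an earlier block is still in force
        if now - window_start >= self.interval:
            window_start, count = now, 0        # window expired, open a new one
        count += 1
        if count > self.requests:
            blocked_until = now + self.block_duration
            self.state[key] = (window_start, count, blocked_until)
            return "block"
        self.state[key] = (window_start, count, blocked_until)
        return "allow"


def zone_key(request, spec):
    """Build the composite key from a spec in the guide's notation, e.g.
    [{"type": "ip"}, {"type": "header", "header": "Authorization"}]."""
    parts = []
    for part in spec:
        kind = part["type"]
        if kind == "ip":
            parts.append(request["ip"])
        elif kind == "header":
            parts.append(request["headers"].get(part["header"], ""))
        elif kind == "cookie":
            parts.append(request["cookies"].get(part["cookie"], ""))
        elif kind in ("country", "asn", "fingerprint_h2", "fingerprint_tls"):
            parts.append(str(request.get(kind, "")))
        else:
            raise ValueError(f"unknown key type: {kind}")
    return tuple(parts)


def req(t, ip, path, token=None):
    """Hypothetical request record (constructed, not a real log line)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"t": t, "ip": ip, "path": path, "headers": headers, "cookies": {}}


# Constructed traffic: 203.0.113.5 presents a new bearer token on every
# request; 198.51.100.7 sends two ordinary requests.
SAMPLE = [
    req(0, "203.0.113.5", "/api/v1/items", "t1"),
    req(1, "203.0.113.5", "/api/v1/items", "t2"),
    req(2, "203.0.113.5", "/api/v1/items", "t3"),
    req(3, "203.0.113.5", "/api/v1/items", "t4"),
    req(4, "203.0.113.5", "/api/v1/items", "t5"),
    req(5, "198.51.100.7", "/api/v1/items", "u1"),
    req(6, "198.51.100.7", "/", None),
    req(100, "203.0.113.5", "/api/v1/items", "t6"),  # window over, block still in force
    req(350, "203.0.113.5", "/api/v1/items", "t7"),  # block and window both expired
]


def simulate(spec, traffic=SAMPLE, requests=3, interval=60, block_duration=300):
    """Apply the guide's API rule (filter on /api/, check the zone) with the
    given key spec and return one verdict per request."""
    zone = Zone("api_limit", requests, interval, block_duration)
    verdicts = []
    for r in traffic:
        if not r["path"].startswith("/api/"):
            verdicts.append("skip")             # rule filter does not match
            continue
        verdicts.append(zone.check(zone_key(r, spec), r["t"]))
    return verdicts


if __name__ == "__main__":
    for label, spec in [
        ("ip", [{"type": "ip"}]),
        ("header", [{"type": "header", "header": "Authorization"}]),
        ("ip+header", [{"type": "ip"}, {"type": "header", "header": "Authorization"}]),
    ]:
        print(f"{label:10} {simulate(spec)}")
```

Run as a script, the model shows three things the prose alone does not. Keyed on ip, the fourth request from 203.0.113.5 is blocked and the request at t=100 is still blocked even though the 60-second window has ended, because Block Duration (300 s) outlasts Interval. Keyed on the Authorization header, every rotated token starts a fresh counter and the same client is never blocked; keying on ip plus header gives the same result, since adding a key only splits buckets further. In this model a request without the header lands in a shared "" bucket with every other anonymous client; the page does not say how Peakhour treats an absent header, so confirm that before keying on one.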

Monitoring Zone Activity

You can monitor the effectiveness of your rate limit zones by viewing the Firewall Events.

  1. Navigate to Analytics & Logs > Events > Firewall Events.
  2. Filter the Event Type to Rate Limit.
  3. Events triggered by your zone-based rules will appear in the table, allowing you to see which clients are being rate-limited and why.

By using Rate Limit Zones, you can move beyond simple, stateless rate limiting and build sophisticated, context-aware policies to protect your applications from abuse. For more examples, see the Advanced Rate Limiting with Zones Tutorial.