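## Overview

With global rate limiting, Envoy calls an external rate limit service as each request arrives, and that service makes one decision for all instances based on the request's dimensions (descriptors) and quotas. Combined with Redis storage and a token-bucket policy, this supports consistent limits across instances and auditing.

## Key practices and parameters

- Filter: `envoy.filters.http.ratelimit`
- Server: gRPC rate limit service, with quotas stored in Redis
- Dimensions: by IP, client key, path, or user ID
- Policy: token-bucket rate and burst, with tiered limits for different routes
- Audit: record hit and rejection events

## Example / configuration / implementation

```yaml
static_resources:
  listeners:
    - name: ingress
      address: { socket_address: { address: 0.0.0.0, port_value: 8080 } }
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http  # required by HttpConnectionManager
                route_config:
                  virtual_hosts:
                    - name: app
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/api" }
                          route:
                            cluster: api
                            # Descriptors sent to the rate limit service. Without
                            # rate_limits actions the filter has nothing to send.
                            rate_limits:
                              - actions:
                                  - remote_address: {}
                              - actions:
                                  - generic_key: { descriptor_key: path, descriptor_value: /api }
                http_filters:
                  - name: envoy.filters.http.ratelimit
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
                      domain: api
                      rate_limit_service:
                        grpc_service:
                          envoy_grpc: { cluster_name: ratelimit }
                        transport_api_version: V3
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: api
      type: LOGICAL_DNS
      load_assignment: { cluster_name: api, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: api.svc, port_value: 80 } } } } ] } ] }
    - name: ratelimit
      type: LOGICAL_DNS
      # The rate limit service speaks gRPC, so the upstream must use HTTP/2.
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}
      load_assignment: { cluster_name: ratelimit, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: ratelimit.svc, port_value: 8081 } } } } ] } ] }
```

```yaml
# Rate limit service configuration (illustrative)
domain: api  # must match the domain set on the Envoy filter
descriptors:
  - key: remote_address
    rate_limit:
      unit: second
      requests_per_unit: 10
  - key: path
    value: /api
    rate_limit:
      unit: second
      requests_per_unit: 100
```

## Verification

- Global consistency: with multiple instances, the proportion of rate limit hits is consistent
- Dimension policy: each dimension hits its corresponding quota and rejection
- Backend stability: the backend error rate drops under high concurrency
- Audit: the rate limit service and Envoy logs record hit and rejection counts

## Notes

- The rate limit service must be highly available and low latency
- Dimensions and policies must avoid blocking legitimate traffic
- Coordinate with local rate limiting for layered control
- Set up alerts to monitor rate limiting anomalies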
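The token-bucket decision and the audit counters described above, as an added example that is not code from the original page or from any Envoy project. It assumes burst equals the per-second rate, uses an in-memory dict in place of Redis, and the names `TokenBucketService`, `LIMITS` and `replay` are hypothetical.

```python
from dataclasses import dataclass, field

# Limits mirror the descriptor config above: (key, value) -> (tokens/second, burst).
# A value of None matches any value for that key. burst == rate is an assumption.
LIMITS = {
    "api": {
        ("remote_address", None): (10.0, 10.0),
        ("path", "/api"): (100.0, 100.0),
    }
}


@dataclass
class TokenBucketService:
    # In-memory dict standing in for Redis: bucket key -> (tokens, last_refill_ts).
    store: dict = field(default_factory=dict)
    # Audit counters for allowed and rejected requests.
    audit: dict = field(default_factory=lambda: {"OK": 0, "OVER_LIMIT": 0})

    def _take(self, bucket, rate, burst, now):
        tokens, last = self.store.get(bucket, (burst, now))
        tokens = min(burst, tokens + (now - last) * rate)  # refill since last call
        allowed = tokens >= 1.0
        self.store[bucket] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def should_rate_limit(self, domain, descriptors, now):
        """descriptors: (key, value) pairs, as sent by any Envoy instance."""
        limits = LIMITS.get(domain, {})
        verdicts = []
        for key, value in descriptors:
            # Exact (key, value) rule first, then the key-only rule.
            limit = limits.get((key, value)) or limits.get((key, None))
            if limit is None:
                continue  # no rule for this descriptor: not limited
            verdicts.append(self._take((domain, key, value), *limit, now))
        code = "OK" if all(verdicts) else "OVER_LIMIT"  # one exhausted bucket rejects
        self.audit[code] += 1
        return code


def replay(service, client_ip, count, now):
    """Send `count` /api requests from one client at time `now` (constructed traffic)."""
    descriptors = [("remote_address", client_ip), ("path", "/api")]
    return [service.should_rate_limit("api", descriptors, now) for _ in range(count)]
```

Because every Envoy instance calls the same service and store, the per-client bucket is shared no matter which instance receives the request. With a real Redis backend the read-refill-write in `_take` has to run atomically (for example in a Lua script), otherwise concurrent callers can overspend the bucket.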
