## Overview

Goal: apply one set of metrics and policies to implement rate limiting and quotas across different gateways, so that abuse is contained and capacity is shared fairly.

Scope: requests-per-second limiting, burst capacity, daily quota counting, and rate-limit keys derived from the credential or client dimension.

## Core configuration and practice

Kong (decK declarative configuration):

```yaml
_format_version: "3.0"
services:
  - name: api
    url: http://api:8080
routes:
  - name: api-v1
    service: api
    paths: ["/v1"]
plugins:
  - name: rate-limiting
    config:
      second: 100          # 100 requests per second per key
      policy: local        # counters live in each node's memory
      limit_by: consumer   # key dimension: the authenticated consumer
      fault_tolerant: true # keep serving if the counter store is unavailable
  - name: request-transformer
    config:
      add:
        headers:
          - "X-Rate-Key:consumer"
```

Envoy (local rate limit filter). Note that `filter_enabled` and `filter_enforced` are fractional percentages, not booleans; if `filter_enforced` is omitted the filter only records statistics and never rejects a request:

```yaml
http_filters:
  - name: envoy.filters.http.local_ratelimit
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
      stat_prefix: http_local_rate_limiter
      token_bucket:
        max_tokens: 100       # burst capacity
        tokens_per_fill: 100  # tokens restored per interval
        fill_interval: 1s     # i.e. a sustained rate of 100 requests per second
      filter_enabled:
        runtime_key: local_rate_limit_enabled
        default_value:
          numerator: 100
          denominator: HUNDRED
      filter_enforced:
        runtime_key: local_rate_limit_enforced
        default_value:
          numerator: 100
          denominator: HUNDRED
```

APISIX (`limit-count` and `limit-req`):

```json
{
  "uri": "/v1/*",
  "plugins": {
    "limit-count": {
      "count": 1000,
      "time_window": 60,
      "key": "consumer_name",
      "policy": "local"
    },
    "limit-req": {
      "rate": 100,
      "burst": 50,
      "key": "consumer_name"
    }
  }
}
```

## Examples

Apply the Kong configuration:

```bash
deck sync -s kong.yaml
```

Load the Envoy configuration:

```bash
envoy -c envoy.yaml --drain-time-s 2
```

Create the APISIX route:

```bash
curl -X PUT http://apisix:9080/apisix/admin/routes/1 -H 'X-API-KEY: xxxxx' -d @route.json
```

## Verification and monitoring

Observe hit rates and rejection ratios:

- Kong: the Admin API or the Prometheus metric `kong_http_status`.
- Envoy: `listener.downstream_rq_1xx/2xx/4xx` together with the local rate limit filter's own counters under the configured `stat_prefix` (for example `http_local_rate_limiter.rate_limited`).
- APISIX: the `limit-count` and `limit-req` plugin metrics.

Key dimension and fairness: confirm that the rate-limit key is actually applied per `consumer` or `client_id`, so that all traffic does not share a single key and one client cannot starve the others. With Kong, `limit_by: consumer` only resolves when an authentication plugin has identified the consumer; unauthenticated requests fall back to a per-IP key.

## Common pitfalls

- Applying only a global limit with no dimension key, so a hot client consumes the whole quota; limit by consumer or credential instead.
- Using a local in-memory policy on a multi-node cluster, where each node counts independently and the effective limit is multiplied by the node count; consider Redis, consistent hashing so one key always lands on one node, or a centralized rate-limit service.
- Ignoring burst capacity and not exposing limit information in responses, so clients cannot adapt; expose `X-RateLimit-*` headers and document a retry strategy.

## Conclusion

Each of these gateways can deliver stable rate limiting and quotas. What matters is a unified set of metrics, a proper key dimension, and monitoring that verifies the limits are enforced, so that the service stays fair and highly available.
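The following is an added, self-contained example (not part of the original post and not code from Kong, Envoy or APISIX) that models the token-bucket semantics the configurations above share: a per-key bucket with `max_tokens` as burst capacity, refilled by `tokens_per_fill` every `fill_interval`, emitting `X-RateLimit-*` headers. It then replays two of the pitfalls: a single shared key letting a hot client starve a small one, and independent local buckets on two nodes admitting twice the intended rate. All class and function names and the request traces are constructed for this illustration.

```python
"""Per-key token-bucket rate limiter and two pitfall simulations (hypothetical example)."""
import math
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float
    last_refill: float


@dataclass
class TokenBucketLimiter:
    max_tokens: int          # burst capacity (Envoy max_tokens)
    tokens_per_fill: int     # tokens restored per interval
    fill_interval: float     # seconds per refill
    buckets: dict = field(default_factory=dict)  # limit key -> Bucket

    def allow(self, key, now):
        """Consume one token for `key` at time `now`; return (allowed, headers)."""
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=self.max_tokens, last_refill=now)
            self.buckets[key] = b
        # Refill only in whole intervals, so the bucket behaves like a fixed fill timer.
        fills = int((now - b.last_refill) // self.fill_interval)
        if fills > 0:
            b.tokens = min(self.max_tokens, b.tokens + fills * self.tokens_per_fill)
            b.last_refill += fills * self.fill_interval
        allowed = b.tokens >= 1
        if allowed:
            b.tokens -= 1
        headers = {
            "X-RateLimit-Limit": str(self.max_tokens),
            "X-RateLimit-Remaining": str(int(b.tokens)),
        }
        if not allowed:
            # Seconds until the next refill, so a client can back off instead of retrying blindly.
            headers["Retry-After"] = str(math.ceil(self.fill_interval - (now - b.last_refill)))
        return allowed, headers


def simulate(limiter, requests, key_fn):
    """Replay (time, consumer) requests; return consumer -> (allowed, rejected)."""
    stats = {}
    for now, consumer in requests:
        allowed, _ = limiter.allow(key_fn(consumer), now)
        a, r = stats.get(consumer, (0, 0))
        stats[consumer] = (a + 1, r) if allowed else (a, r + 1)
    return stats


def fairness_demo():
    """Constructed burst: 150 requests from a hot client, then 10 from a small one, all at t=0."""
    requests = [(0.0, "hot")] * 150 + [(0.0, "small")] * 10
    per_consumer = simulate(TokenBucketLimiter(100, 100, 1.0), requests, key_fn=lambda c: c)
    single_key = simulate(TokenBucketLimiter(100, 100, 1.0), requests, key_fn=lambda c: "global")
    return per_consumer, single_key


def cluster_demo(nodes=2):
    """200 requests from one consumer at t=0, round-robined across nodes with local buckets
    versus a single shared bucket (what a Redis-backed or centralized policy gives you)."""
    requests = [(0.0, "hot")] * 200
    local = [TokenBucketLimiter(100, 100, 1.0) for _ in range(nodes)]
    allowed_local = sum(local[i % nodes].allow(c, now)[0] for i, (now, c) in enumerate(requests))
    shared = TokenBucketLimiter(100, 100, 1.0)
    allowed_shared = sum(shared.allow(c, now)[0] for now, c in requests)
    return allowed_local, allowed_shared


if __name__ == "__main__":
    per_consumer, single_key = fairness_demo()
    print("per-consumer key:", per_consumer)   # small client still gets served
    print("single shared key:", single_key)    # small client is starved by the hot one
    print("local buckets vs shared bucket:", cluster_demo())
```

The fairness run shows why the `limit_by: consumer` / `key: consumer_name` settings matter: with a shared key the hot client's 150 requests exhaust the bucket before the small client sends anything. The cluster run shows the `policy: local` problem: two nodes each admit 100 requests, so the effective limit is 200 rather than 100.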