I want to apply rate-based throttling using Google Cloud Armor. In the configuration for rules, there is a match parameter but that is for matching the IP ranges. I could not find a way to filter and then apply rate-based throttling for specific URL endpoints.
Via the Pulumi documentation, I was able to find that we can leverage enforceOnKey for the HTTP_PATH, but it takes only the first 128 bytes of the request.
I wonder if there are some examples I can use to apply rate-based throttling for specific URLs, such as 1k QPS for /login and 10k QPS for /insert.
From the logs, I think the httpRequest.requestUrl parameter can be used to enforce this rule.
I am not sure I completely understand the workflow you want to set up.
You could draft a compound CEL rule like this:
Where you check for the path and the IP range and then set the action to rate limit.
You can't use a rule like inIpRange(origin.ip, '*') && request.path.lower().matches('/login|/insert') as the value needs to equate to TRUE in both halves of the CEL statement and there is no string match in the wildcard statement to tell if it is true.
I may be overthinking what you want to do. Perhaps you can do an exact match of the path as a CEL rule and then set the rate limit (without the IP range). You would set up 2 different rules, one for each path + rate limit. The counts are maintained separately if you have 2 separate rules.
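The two-rule approach from the answer above, sketched with gcloud as an added example that is not part of the original thread. The policy name, priorities, 60-second window, `ALL` enforcement key and `deny-429` exceed action are assumptions; the script only prints the commands unless `GCLOUD=gcloud` is set.

```shell
#!/bin/sh
# Added example: one Cloud Armor throttle rule per path, so each path has its own counter.
# POLICY, the priorities and the 60-second window are assumed values, not from the thread.
POLICY="${POLICY:-example-policy}"    # placeholder policy name
INTERVAL_SEC=60                       # thresholds are a count per interval, not per second
GCLOUD="${GCLOUD:-echo gcloud}"       # dry run by default; set GCLOUD=gcloud to apply

# add_throttle_rule PRIORITY PATH QPS
add_throttle_rule() {
  rule_priority="$1"; rule_path="$2"; rule_qps="$3"

  # Accept only a plain absolute path, so the value cannot close the
  # single-quoted CEL string literal and alter the match expression.
  case "$rule_path" in
    /*) ;;
    *) echo "path must start with /: $rule_path" >&2; return 1 ;;
  esac
  case "$rule_path" in
    *[!A-Za-z0-9/_.-]*) echo "unsupported character in path: $rule_path" >&2; return 1 ;;
  esac
  case "$rule_qps" in
    ''|0|*[!0-9]*) echo "qps must be a positive integer: $rule_qps" >&2; return 1 ;;
  esac

  # Convert the per-second target into a count over the interval.
  rule_count=$(( rule_qps * INTERVAL_SEC ))

  # $GCLOUD is left unquoted on purpose so "echo gcloud" splits into two words.
  $GCLOUD compute security-policies rules create "$rule_priority" \
    --security-policy="$POLICY" \
    --expression="request.path == '$rule_path'" \
    --action=throttle \
    --rate-limit-threshold-count="$rule_count" \
    --rate-limit-threshold-interval-sec="$INTERVAL_SEC" \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=ALL
}

# Two separate rules: 1k QPS for /login, 10k QPS for /insert.
add_throttle_rule 1000 /login 1000
add_throttle_rule 1001 /insert 10000
```

With `--enforce-on-key=ALL` each rule keeps a single counter for all traffic matching its path; switching the key to `IP` would instead count per client address.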