Rate Limiting

firewall_rules:
  api-limit:
    rate_limit: { requests: 100, window_secs: 60, per: ip }
    match: { path: /api }
    monitor: true
  global-limit:
    rate_limit: { requests: 1000, window_secs: 60, per: route }
    all_services: true

per is ip by default and may be route. match is optional; without it, the budget covers the whole route.

monitor: true reports matches without enforcing. all_services: true attaches the rule to every service automatically.