Merge pull request #220623 from dlepow/shgwpol

v-stsavell · web-flow · commit 1232b4d1174c · 2023-01-20T16:14:23.000-06:00
[APIM] Self-hosted gateway policy clarifications
diff --git a/articles/api-management/api-management-gateways-overview.md b/articles/api-management/api-management-gateways-overview.md
@@ -27,6 +27,11 @@ The API Management *gateway* (also called *data plane* or *runtime*) is the serv
 
 [!INCLUDE [api-management-gateway-role](../../includes/api-management-gateway-role.md)]
 
+
+> [!NOTE]
+> All requests to the API Management gateway, including those rejected by policy configurations, count toward configured rate limits, quotas, and billing limits if applied in the service tier. 
+
+
 ## Managed and self-hosted
 
 API Management offers both managed and self-hosted gateways:
@@ -52,6 +57,7 @@ The following table compares features available in the managed gateway versus th
 
 > [!NOTE]
 > * Some features of managed and self-hosted gateways are supported only in certain [service tiers](api-management-features.md) or with certain [deployment environments](self-hosted-gateway-overview.md#packaging) for self-hosted gateways.
+> * For the current supported features of the self-hosted gateway, ensure that you have upgraded to the latest major version of the self-hosted gateway [container image](self-hosted-gateway-overview.md#container-images).
 > * See also self-hosted gateway [limitations](self-hosted-gateway-overview.md#limitations).
 
 ### Infrastructure
@@ -92,17 +98,19 @@ The following table compares features available in the managed gateway versus th
 
 ### Policies
 
-Managed and self-hosted gateways support all available [policies](api-management-howto-policies.md) in policy definitions with the following exceptions.
+Managed and self-hosted gateways support all available [policies](api-management-policies.md) in policy definitions with the following exceptions.
 
-| Policy | Managed (Dedicated)  | Managed (Consumption) | Self-hosted  |
+| Policy | Managed (Dedicated)  | Managed (Consumption) | Self-hosted<sup>1</sup>  |
 | --- | ----- | ----- | ---------- |
-| [Dapr integration](api-management-dapr-policies.md) |  ❌ | ❌ | ✔️ |
+| [Dapr integration](api-management-policies.md#dapr-integration-policies) |  ❌ | ❌ | ✔️ |
 | [Get authorization context](get-authorization-context-policy.md) |  ✔️ |  ❌ | ❌ |
-| [Quota and rate limit](api-management-access-restriction-policies.md) |  ✔️ |  ✔️<sup>1</sup> | ✔️<sup>2</sup>
+| [Quota and rate limit](api-management-policies.md#access-restriction-policies) |  ✔️ |  ✔️<sup>2</sup> | ✔️<sup>3</sup>
 | [Set GraphQL resolver](set-graphql-resolver-policy.md) |  ✔️ |  ❌ | ❌ |
 
-<sup>1</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/>
-<sup>2</sup> By default, rate limit counts in self-hosted gateways are per-gateway, per-node.
+<sup>1</sup> Configured policies that aren't supported by the self-hosted gateway are skipped during policy execution.<br/>
+<sup>2</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/>
+<sup>3</sup> [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling)
+
 
 ### Monitoring
 
diff --git a/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md b/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
@@ -7,7 +7,7 @@ ms.service: api-management
 ms.workload: mobile
 ms.topic: article
 ms.author: tomkerkhove
-ms.date: 12/17/2021
+ms.date: 01/17/2023
 ---
 
 # Guidance for running self-hosted gateway on Kubernetes in production
@@ -173,6 +173,16 @@ By default, a self-hosted gateway is deployed with a **RollingUpdate** deploymen
 
 We recommend reducing container logs to warnings (`warn`) to improve for performance. Learn more in our [self-hosted gateway configuration reference](self-hosted-gateway-settings-reference.md).
 
+## Request throttling
+
+Request throttling in a self-hosted gateway can be enabled by using the API Management [rate-limit](rate-limit-policy.md) or [rate-limit-by-key](rate-limit-by-key-policy.md) policy. Configure rate limit counts to synchronize among gateway instances across cluster nodes by exposing the following ports in the Kubernetes deployment for instance discovery:
+
+* Port 4290 (UDP), for the rate limiting synchronization
+* Port 4291 (UDP), for sending heartbeats to other instances
+
+> [!NOTE]
+> [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)]
+
 ## Security
 The self-hosted gateway is able to run as non-root in Kubernetes allowing customers to run the gateway securely.
 
@@ -195,6 +205,7 @@ securityContext:
 > [!WARNING]
 > When using local CA certificates, the self-hosted gateway must run with user ID (UID) `1001` in order to manage the CA certificates otherwise the gateway will not start up.
 
+
 ## Next steps
 
 * To learn more about the self-hosted gateway, see [Self-hosted gateway overview](self-hosted-gateway-overview.md).
diff --git a/articles/api-management/rate-limit-by-key-policy.md b/articles/api-management/rate-limit-by-key-policy.md
@@ -56,6 +56,11 @@ To understand the difference between rate limits and quotas, [see Rate limits an
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, product, API, operation
 - [**Gateways:**](api-management-gateways-overview.md) dedicated, self-hosted
 
+### Usage notes
+
+* [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling)
+
+
 ## Example
 
 In the following example, the rate limit of 10 calls per 60 seconds is keyed by the caller IP address. After each policy execution, the remaining calls allowed in the time period are stored in the variable `remainingCallsPerIP`.
diff --git a/articles/api-management/rate-limit-policy.md b/articles/api-management/rate-limit-policy.md
@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: reference
-ms.date: 12/08/2022
+ms.date: 01/11/2023
 ms.author: danlep
 ---
 
@@ -86,6 +86,8 @@ To understand the difference between rate limits and quotas, [see Rate limits an
 * This policy can be used only once per policy definition.
 * Except where noted, [policy expressions](api-management-policy-expressions.md) can't be used in attribute values for this policy.
 * This policy is only applied when an API is accessed using a subscription key.
+* [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling)
+
 
 ## Example
 
diff --git a/includes/api-management-self-hosted-gateway-rate-limit.md b/includes/api-management-self-hosted-gateway-rate-limit.md
@@ -0,0 +1,8 @@
+---
+author: dlepow
+ms.service: api-management
+ms.topic: include
+ms.date: 01/17/2023
+ms.author: danlep
+---
+Rate limit counts in a self-hosted gateway can be configured to synchronize locally (among gateway instances across cluster nodes), for example, through Helm chart deployment for Kubernetes or using the Azure portal [deployment templates](../articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md). However, rate limit counts don't synchronize with other gateway resources configured in the API Management instance, including the managed gateway in the cloud. 
