Rate Limiting and IP Rules
Bahriya lets you control who can access your HTTP containers and how much traffic they can send. You can configure rate limiting, IP allow lists, and IP deny lists per container.
These features are only available on HTTP containers. Worker containers do not accept inbound traffic and therefore do not support these settings.
Rate limiting
Rate limiting restricts how many requests a single client IP can make to your container within a time window. This helps protect your application from abuse, brute-force attacks, and accidental traffic spikes.
Configuration
| Setting | Description |
| --- | --- |
| Enabled | Toggle rate limiting on or off |
| Requests per minute | Maximum requests a single IP can make per minute |
| Requests per hour | Maximum requests a single IP can make per hour |
You can set one or both limits. When a client exceeds the limit, they receive an HTTP 429 (Too Many Requests) response until the window resets.
Example
To allow a maximum of 60 requests per minute and 1,000 requests per hour:
- Requests per minute: 60
- Requests per hour: 1000
Rate limits are enforced per client IP address, not globally across all clients.
IP allow list (whitelist)
An IP allow list restricts access to your container to a specific set of IP addresses or ranges. When enabled, only the listed IPs can reach your container — all other traffic is rejected.
When to use
- Your container serves an internal API that should only be accessible from known IPs.
- You want to restrict access during development or staging.
- You need to comply with a security policy that requires IP-based access control.
Configuration
| Setting | Description |
| --- | --- |
| Enabled | Toggle the allow list on or off |
| IPs | A list of IP addresses or CIDR ranges |
Example entries: 203.0.113.10, 10.0.0.0/8, 2001:db8::/32.
IP deny list (blacklist)
An IP deny list blocks specific IP addresses or ranges from accessing your container. All other traffic is allowed.
When to use
- You want to block known bad actors or abusive IPs.
- You need a quick response to an ongoing attack from specific sources.
Configuration
| Setting | Description |
| --- | --- |
| Enabled | Toggle the deny list on or off |
| IPs | A list of IP addresses or CIDR ranges to block |
Combining rules
You can enable rate limiting and an IP list at the same time. The IP rules are evaluated first — if a request is blocked by the allow or deny list, it never reaches the rate limiter.
You should not enable both an allow list and a deny list on the same container. If you need to restrict access to a known set of IPs, use the allow list. If you need to block a few bad actors while allowing everyone else, use the deny list.
For credential-based access control on top of these rules, see Basic Authentication.
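The evaluation order and per-IP counting described above can be modelled as follows. This is an added illustration, not Bahriya's implementation: the names `ip_in_list`, `ContainerPolicy` and `demo`, the fixed-window counters, the decision strings, and the choice not to count rejected requests are all assumptions.

```python
import ipaddress
from collections import defaultdict

def ip_in_list(ip, entries):
    """True if ip equals an entry or falls inside one of its CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address never matches an IPv6 network, and vice versa.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

class ContainerPolicy:
    """Model of one HTTP container's settings; None means the feature is off."""

    def __init__(self, allow=None, deny=None, per_minute=None, per_hour=None):
        self.allow, self.deny = allow, deny
        self.limits = [(60, per_minute), (3600, per_hour)]  # (window seconds, max)
        self.counts = defaultdict(int)  # (ip, window seconds, window index) -> hits

    def check(self, ip, now):
        """Decide one request arriving from ip at time now (seconds)."""
        # Step 1: IP rules. A blocked request never reaches the rate limiter.
        if self.allow is not None and not ip_in_list(ip, self.allow):
            return "blocked"
        if self.deny is not None and ip_in_list(ip, self.deny):
            return "blocked"
        # Step 2: per-IP rate limit, checked against every configured window.
        keys = [((ip, size, int(now // size)), limit)
                for size, limit in self.limits if limit is not None]
        if any(self.counts[key] >= limit for key, limit in keys):
            return "rate_limited"  # the client would receive HTTP 429
        for key, _ in keys:
            self.counts[key] += 1  # assumption: only accepted requests count
        return "allowed"

def demo():
    # Constructed sample traffic using documentation address ranges.
    policy = ContainerPolicy(allow=["203.0.113.0/24", "2001:db8::/32"],
                             per_minute=3, per_hour=5)
    trace = [("203.0.113.10", 0), ("203.0.113.10", 1), ("203.0.113.10", 2),
             ("203.0.113.10", 3),    # 4th request in the same minute
             ("203.0.113.11", 3),    # different client IP, separate counters
             ("198.51.100.7", 4),    # not on the allow list
             ("2001:db8::1", 5),     # inside the IPv6 allow range
             ("203.0.113.10", 60), ("203.0.113.10", 61),
             ("203.0.113.10", 62)]   # 6th request in the same hour
    return [policy.check(ip, t) for ip, t in trace], policy

if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

The last request in the trace is under the per-minute limit but still rejected, because the per-hour limit applies independently when both are set.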
Changes take effect on the next deployment
When you update rate limiting or IP rules, the changes are applied as part of your container's next deployment cycle. This typically takes under a minute.