Consul Connect · Rate Limits
Consul Connect Rate Limits
Consul Connect's HTTP API is exposed by self-hosted Consul agents (default port 8500/8501). Rate limiting is operator-configured rather than imposed by HashiCorp — Consul ships built-in client- and server-side RPC rate-limiting (`limits.http_max_conns_per_client`, `limits.rpc_rate`, `limits.rpc_max_burst`, Enterprise-only `limits.request_limits`) and per-key ACL token enforcement. Cluster operators set the actual limits to protect the agent and the Raft leader.
4 Limits
Throttle: 429
ConsulHashiCorpService MeshRate Limiting
Limits
Operator-Configured HTTP Connection Limit agent/client-ip
configured via limits.http_max_conns_per_client
Default Consul agent setting; tune to bound per-client HTTP concurrency against the agent.
Operator-Configured RPC Rate agent
configured via limits.rpc_rate and limits.rpc_max_burst
Token-bucket rate limit on RPCs leaving the agent; off by default.
Enterprise Read/Write Request Limits agent
configured via limits.request_limits.{read_rate, write_rate} (Consul Enterprise)
Enterprise-only request-rate limiting on the HTTP API and gRPC server; supports `mode = enforcing / permissive / disabled`.
ACL Token Quota ACL token
enforced via X-Consul-Token policies
Authorization (not throughput) is enforced through ACL policies; effective limits are operator-defined.
Policies
Operator-Owned Limits
HashiCorp does not impose rate limits on the self-hosted Consul HTTP API; cluster operators configure agent and Raft-leader-side rate limits via the `limits` block in the Consul agent config.
Backoff Strategy
Clients should respect 429 / 503 responses with exponential backoff and jitter; Consul returns `Retry-After` when a request is rate-limited.
Request Limits Modes
Consul Enterprise's request_limits supports enforcing, permissive, and disabled modes to allow operators to observe before enforcing.
Federation Considerations
Cross-datacenter / WAN federation traffic adds RPC load; tune `limits.rpc_*` accordingly on edge agents and the leader.