Events
17 Mar, 9 pm - 21 Mar, 10 am
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowDefend your Azure API Management instance against DDoS attacks
APPLIES TO: Developer | Premium
This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.
Note
For web workloads, we highly recommend utilizing Azure DDoS protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to employ Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks. For more information, see security baseline for Azure services.
Enabling Azure DDoS Protection for API Management is supported only for instances deployed (injected) in a VNet in external mode or internal mode.
- External mode - All API Management endpoints are protected
- Internal mode - Only the management endpoint accessible on port 3443 is protected
- Instances that aren't VNet-injected
- Instances configured with a private endpoint
- An API Management instance
- The instance must be deployed in an Azure VNet in external mode or internal mode.
- The instance must be configured with an Azure public IP address resource, which is supported only on the API Management
stv2compute platform.Note
If the instance is hosted on the
stv1platform, you must migrate to thestv2platform.
- An Azure DDoS Protection plan
The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Microsoft Entra tenant.
You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU. See Azure DDoS Protection SKU Comparison.
Note
Azure DDoS Protection plans incur additional charges. For more information, see Pricing.
Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
In the Azure portal, navigate to the VNet where your API Management is injected.
In the left menu, under Settings, select DDoS protection.
Select Enable, and then select your DDoS protection plan.
Select Save.
If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.
- Learn how to verify DDoS protection of your API Management instance by testing with simulation partners
- Learn how to view and configure Azure DDoS Protection telemetry
Additional resources
Training
Module
Introduction to Azure DDoS Protection - Training
Learn how to guard your Azure services from a denial of service attack using Azure DDoS Protection.
Certification
Microsoft Certified: Azure Database Administrator Associate - Certifications
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.
Documentation
-
Use API Management in a virtual network with Azure Application Gateway - Azure API Management
Set up and configure Azure API Management in an internal virtual network with Azure Application Gateway (Web Application Firewall) as a front end.
-
Azure API Management with an Azure virtual network
Learn about scenarios and requirements to secure inbound or outbound traffic for your API Management instance using an Azure virtual network.
-
Set up inbound private endpoint for Azure API Management
Learn how to restrict inbound access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.