How to Protect ...azure-api.net Subdomain from DDoS Attacks when using API Management Basic in External Mode without VNet Integration and Front Door

Michael Schneider 0 Reputation points
2024-09-26T07:50:40.2933333+00:00

Dear Tema, I am using Azure API Management (APIM Basic) in external mode and without VNet integration, meaning my API instance is publicly accessible through the default ...azure-api.net subdomain. I'm also using a custom domain but the default domain still remains aktive.

I am concerned about potential DDoS attacks and want to secure this subdomain. I am considering using Azure Front Door to filter the traffic and leverage its Web Application Firewall (WAF) for enhanced protection.

Could you please clarify the following:

  1. Is it possible to fully protect the API subdomain (...azure-api.net) via Azure Front Door, ensuring no traffic bypasses Front Door and directly reaches the original APIM domain?
  2. What additional configurations, such as IP filtering or header validation, are required to restrict access so that only traffic routed through Azure Front Door reaches the APIM domain?
  3. Given that API Management without VNet integration doesn’t support DDoS Protection Standard, what are the best practices for DDoS protection in this scenario?
  4. Could you recommend any additional steps or configurations to ensure that all DDoS and security measures are effectively implemented?

Thank you for your support.

Best regards Michael

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,130 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.