I am building a website that needs to call my Function App API behind API Management, and it needs to be unauthenticated because the user should not be required to log in. However, I have some concerns about the security aspect of the solution and also about how much the solution will cost me.
I am using the Consumption tier of the API Management since it is the most cost-effective solution for me right now.
Specifically, I am worried that a malicious user or bot executes a DDoS attack from multiple source IP addresses against my API, which would render the service unusable and also incur a lot of costs.
I have been looking into using the rate-limit-by-key inbound policy, but this is only available in non-Consumption tiers of API Management. The alternative, rate-limit, works, but one user or bot could then render the site unusable for legitimate users, since all requests to API Management would be blocked once the rate limit was exceeded.
How can I protect against this and what other attacks should I set up defenses against in this scenario?
Also, can I set up additional measures to ensure that no one can access my function app APIs directly in addition to the function key that needs to be provided?
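The policy below is an added illustration of the two throttling approaches discussed in the question, not code from the question or from Microsoft; the limits, the named value `function-app-key`, and the backend URL are placeholders. It keys the counter on the caller's IP address so a single abusive source is throttled on its own, keeps a coarse gateway-wide cap as a cost backstop, and injects the Functions key at the gateway so the browser never holds it. Which tiers support rate-limit-by-key should be checked against the current API Management documentation.

```xml
<!-- Added example policy, not from the original question or answer.
     Placeholders: call limits, the named value {{function-app-key}}, and the backend base-url. -->
<policies>
  <inbound>
    <base />
    <!-- Per-client throttling: the counter is keyed on the client IP, so one abusive
         source gets HTTP 429 while other callers keep working. A bare rate-limit
         policy, by contrast, counts every caller against one shared counter. -->
    <rate-limit-by-key calls="60"
                       renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
    <!-- Coarse cap across all callers, as a backstop against cost run-away. -->
    <rate-limit calls="5000" renewal-period="60" />
    <!-- Inject the Function App key from a named value; the website never sees it. -->
    <set-header name="x-functions-key" exists-action="override">
      <value>{{function-app-key}}</value>
    </set-header>
    <set-backend-service base-url="https://PLACEHOLDER-functionapp.azurewebsites.net/api" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Keying on IP throttles a botnet only per address, so the global cap is what bounds total spend; pick it from the function's per-execution cost and the monthly budget rather than from expected legitimate traffic. The gateway-side key injection only stops direct calls if the Function App also refuses traffic that does not come from the gateway, which is configured on the Functions side (network access restrictions allowing the API Management gateway's outbound address), not in this policy.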
@Casper Rubæk The service monitors and mitigates common network-layer attacks using various methods to determine the threshold. This is the same service that protects the Azure Platform itself.
Can you go into a bit more depth about the security measures it protects with?
I need to know if I can depend on the service to block malicious abusive traffic to my website.