How can I protect against bots or users that rotate IP Address and attack my unauthenticated APIs behind API Management?

Casper Rubæk 246 Reputation points
2021-06-22T13:55:43.177+00:00

I am building a website that needs to call my Function App API behind API Management and it needs to be unauthenticated because the user should not be required to log in. However, I have some concerns about the security aspect of the solution and also in relation to how much the solution will incur me in costs.
I am using the Consumption tier of the API Management since it is the most cost-effective solution for me right now.

Specifically, I am worried that a malicious user or bot executes a DDoS attack from multiple source IP addresses against my API, which would render the service unusable and also incur a lot of costs.

I have been looking into using the rate-limit-by-key inbound policy, but this is only available in non-Consumption tiers of API Management. The alternative, rate-limit, works, but one user or bot could then render the site unusable for legitimate users, since all requests to API Management would be blocked if the rate limit was exceeded.

How can I protect against this and what other attacks should I set up defenses against in this scenario?
Also, can I set up additional measures to ensure that no one can access my function app APIs directly in addition to the function key that needs to be provided?


1 answer

  1. Pramod Valavala 20,591 Reputation points Microsoft Employee
    2021-07-06T05:15:46.75+00:00

    @Casper Rubæk All Azure Services are protected with Azure DDoS Protection Basic by default for free. For Azure DDoS Protection Standard, you will need to deploy APIM into a VNET which is currently only supported on the Premium Tier.

    You can however protect your consumption tier instance by other means like validating tokens or requiring client certificates.

    As for the function apps, since the consumption tier doesn't come with a dedicated IP address, you will have to set up a range of IP addresses that belong to Azure data centers as described in the doc linked.
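As an added example (not code from the question or the answer above), this is an API Management inbound policy that combines the two defences discussed on this page for a Consumption-tier instance: the client-certificate check the answer suggests, followed by the tier-wide rate-limit the question says is available. The thumbprint and the call limits are assumed placeholder values, and the policy assumes the gateway has been configured to request client certificates from callers.

```xml
<!-- Added example policy, not from the page. Placeholder and assumed values are marked. -->
<policies>
  <inbound>
    <base />
    <!-- Gate 1: only callers presenting the certificate issued to the web front end get through.
         Reject when no certificate was sent, the chain does not verify, or the thumbprint is
         not the expected one. The thumbprint below is a placeholder, not a real value. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.Thumbprint != &quot;PLACEHOLDER_EXPECTED_THUMBPRINT&quot;)">
        <return-response>
          <set-status code="403" reason="Forbidden" />
          <set-header name="Content-Type" exists-action="override">
            <value>text/plain</value>
          </set-header>
          <set-body>Client certificate missing or not trusted.</set-body>
        </return-response>
      </when>
    </choose>
    <!-- Gate 2: coarse throttle so that even a caller holding a valid certificate is bounded,
         which keeps runaway traffic (and Consumption-tier cost) capped. The numbers are
         assumed; tune them to the expected traffic of the site. -->
    <rate-limit calls="300" renewal-period="60" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Because the certificate check runs before the rate-limit, rejected callers never consume the shared quota, so an IP-rotating bot without the certificate cannot exhaust the limit for legitimate users.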