I am building a website that needs to call my Function App API behind API Management, and it needs to be unauthenticated because the user should not be required to log in. However, I have some concerns about the security aspect of the solution and also about how much the solution will cost me.
I am using the Consumption tier of the API Management since it is the most cost-effective solution for me right now.
Specifically, I am worried that a malicious user or bot could execute a DDoS attack from multiple source IP addresses against my API, which would render the service unusable and also incur a lot of costs.
I have been looking into using the rate-limit-by-key inbound policy, but this is only available in non-Consumption tiers of API Management. The alternative, rate-limit, works, but one user or bot could then render the site unusable for legitimate users, since all requests to API Management would be blocked once the rate limit was exceeded.
How can I protect against this and what other attacks should I set up defenses against in this scenario?
Also, can I set up additional measures to ensure that no one can access my Function App APIs directly, in addition to the function key that needs to be provided?
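As an added illustration, not taken from the post above, here is what the two policy variants it describes look like in API Management policy XML: a global rate-limit, where one abusive source exhausts a counter shared by everyone, beside rate-limit-by-key keyed on the caller's IP address, where only the offending source is throttled. It assumes the tier in use supports rate-limit-by-key, and the call counts and window are placeholder values.

```xml
<!-- Variant A: one shared counter for the whole API. Once any mix of callers
     has used the 100 calls in the 60-second window, every caller gets 429 until
     the window renews, so a single bot can lock out legitimate users. -->
<policies>
  <inbound>
    <base />
    <rate-limit calls="100" renewal-period="60" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>

<!-- Variant B: one counter per source IP address. A source that exceeds
     20 calls in 60 seconds receives 429 with a Retry-After header, while
     other sources keep their own, untouched budget. -->
<policies>
  <inbound>
    <base />
    <rate-limit-by-key calls="20"
                       renewal-period="60"
                       counter-key="@(context.Request.IpAddress)"
                       retry-after-header-name="Retry-After" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```

If a CDN or reverse proxy sits in front of the gateway, context.Request.IpAddress is that proxy's address, so every client would share one counter; in that case the key must be derived from the forwarded client address the proxy supplies.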