Defend your Azure API Management instance against DDoS attacks
This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.
This feature is available in the Premium and Developer tiers of API Management.
Enabling Azure DDoS Protection for API Management is supported only for instances deployed (injected) in a VNet in external mode or internal mode.
- External mode - All API Management endpoints are protected
- Internal mode - Only the management endpoint accessible on port 3443 is protected
- Instances that aren't VNet-injected
- Instances configured with a private endpoint
- An API Management instance
- The instance must be deployed in an Azure VNet in external mode or internal mode.
- The instance must be configured with an Azure public IP address resource, which is supported only on the API Management
If the instance is hosted on the
stv1platform, you must migrate to the
- An Azure DDoS Protection plan
The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Azure Active Directory tenant.
You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU (preview). See Azure DDoS Protection SKU Comparison.
Azure DDoS Protection plans incur additional charges. For more information, see Pricing.
Enable DDoS Protection
Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
Enable DDoS Protection on the virtual network used for your API Management instance
In the Azure portal, navigate to the VNet where your API Management is injected.
In the left menu, under Settings, select DDoS protection.
Select Enable, and then select your DDoS protection plan.
Enable DDoS protection on the API Management public IP address
If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.
- Learn how to verify DDoS protection of your API Management instance by testing with simulation partners
- Learn how to view and configure Azure DDoS Protection telemetry
Submit and view feedback for