Defend your Azure API Management instance against DDoS attacks
APPLIES TO: Developer | Premium
This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.
Note
For web workloads, we highly recommend utilizing Azure DDoS protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to employ Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks. For more information, see security baseline for Azure services.
Supported configurations
Enabling Azure DDoS Protection for API Management is supported only for instances deployed (injected) in a VNet in external mode or internal mode.
- External mode - All API Management endpoints are protected
- Internal mode - Only the management endpoint accessible on port 3443 is protected
Unsupported configurations
- Instances that aren't VNet-injected
- Instances configured with a private endpoint
Prerequisites
- An API Management instance
- The instance must be deployed in an Azure VNet in external mode or internal mode.
- The instance must be configured with an Azure public IP address resource, which is supported only on the API Management
stv2compute platform.Note
If the instance is hosted on the
stv1platform, you must migrate to thestv2platform.
- An Azure DDoS Protection plan
The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Microsoft Entra tenant.
You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU. See Azure DDoS Protection SKU Comparison.
Note
Azure DDoS Protection plans incur additional charges. For more information, see Pricing.
Enable DDoS Protection
Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
Enable DDoS Protection on the virtual network used for your API Management instance
In the Azure portal, navigate to the VNet where your API Management is injected.
In the left menu, under Settings, select DDoS protection.
Select Enable, and then select your DDoS protection plan.
Select Save.
Enable DDoS protection on the API Management public IP address
If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.
Next steps
- Learn how to verify DDoS protection of your API Management instance by testing with simulation partners
- Learn how to view and configure Azure DDoS Protection telemetry
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for