Defend your Azure API Management instance against DDoS attacks
This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.
For web workloads, we recommend using Azure DDoS Protection together with a web application firewall to safeguard against emerging DDoS attacks. Another option is to deploy Azure Front Door along with a web application firewall; Azure Front Door offers platform-level protection against network-level DDoS attacks. For more information, see the security baseline for Azure services.
This feature is available in the Premium and Developer tiers of API Management.
For feature availability in the v2 tiers (preview), see the v2 tiers overview.
DDoS Protection is supported for VNet-injected instances in either mode:
- External mode - All API Management endpoints are protected
- Internal mode - Only the management endpoint, accessible on port 3443, is protected
DDoS Protection isn't supported for the following configurations:
- Instances that aren't VNet-injected
- Instances configured with a private endpoint
Prerequisites
- An API Management instance
  - The instance must be deployed in an Azure VNet in external mode or internal mode.
  - The instance must be configured with an Azure public IP address resource, which is supported only on the API Management
    If the instance is hosted on the stv1 platform, you must migrate to the
- An Azure DDoS Protection plan
  - The plan you select can be in the same subscription as the virtual network and the API Management instance, or in a different one. If the subscriptions differ, they must be associated with the same Microsoft Entra tenant.
  - You can use a plan created with either the Network DDoS Protection SKU or the IP DDoS Protection SKU. See Azure DDoS Protection SKU comparison.
  - Azure DDoS Protection plans incur additional charges. For more information, see Pricing.
Enable DDoS Protection
Depending on the SKU of the DDoS Protection plan you use, enable DDoS protection either on the virtual network into which your API Management instance is injected (Network DDoS Protection SKU) or on the public IP address resource configured for the instance (IP DDoS Protection SKU).
Enable DDoS Protection on the virtual network used for your API Management instance
In the Azure portal, navigate to the VNet into which your API Management instance is injected.
In the left menu, under Settings, select DDoS protection.
Select Enable, and then select your DDoS protection plan.
Enable DDoS protection on the API Management public IP address
If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.
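The procedure above as an Azure CLI script, added here as an example that is not part of the article: it checks the VNet mode and public IP prerequisites on the instance, builds the plan's full resource ID (needed when the plan lives in another subscription), and enables protection on the VNet or on the public IP depending on the plan SKU. The `az apim show` property names `virtualNetworkType` and `publicIpAddressId` come from the API Management resource schema; all resource names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the article): enable Azure DDoS Protection for a
# VNet-injected API Management instance with the Azure CLI, choosing the
# target (VNet or public IP) from the plan SKU. Resource names are placeholders.
set -euo pipefail

# Full resource ID of a DDoS protection plan. The plan may sit in a different
# subscription from the VNet (same Microsoft Entra tenant), so the VNet update
# is given the ID rather than a bare plan name.
ddos_plan_id() {
  local sub="$1" rg="$2" name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/ddosProtectionPlans/%s' \
    "$sub" "$rg" "$name"
}

# Network DDoS Protection SKU protects at the VNet; IP DDoS Protection SKU at
# the instance's public IP address resource.
ddos_target_for_sku() {
  case "$1" in
    Network|network) echo vnet ;;
    IP|ip)           echo ip ;;
    *) echo "unsupported DDoS Protection SKU: $1" >&2; return 1 ;;
  esac
}

# Verify the prerequisites the article lists, then enable protection.
enable_apim_ddos() {
  local rg="$1" vnet="$2" apim="$3" sku="$4" plan_id="$5" vnet_type pip_id
  vnet_type=$(az apim show -g "$rg" -n "$apim" --query virtualNetworkType -o tsv)
  case "$vnet_type" in
    External) echo "External mode: all API Management endpoints will be protected" ;;
    Internal) echo "Internal mode: only the management endpoint on port 3443 is protected" ;;
    *) echo "instance is not VNet-injected (virtualNetworkType=$vnet_type); not supported" >&2; return 1 ;;
  esac
  # publicIpAddressId is empty when no public IP resource is configured,
  # which is an unsupported configuration for DDoS Protection.
  pip_id=$(az apim show -g "$rg" -n "$apim" --query publicIpAddressId -o tsv)
  [ -n "$pip_id" ] || { echo "no public IP address resource configured on $apim" >&2; return 1; }
  case "$(ddos_target_for_sku "$sku")" in
    vnet) az network vnet update -g "$rg" -n "$vnet" \
            --ddos-protection true --ddos-protection-plan "$plan_id" -o none ;;
    ip)   az network public-ip update --ids "$pip_id" --ddos-protection-mode Enabled -o none ;;
  esac
  echo "DDoS Protection enabled ($sku SKU) for $apim"
}

# Usage: ./enable-apim-ddos.sh <rg> <vnet> <apim> <Network|IP> <plan-resource-id>
if [ $# -eq 5 ]; then enable_apim_ddos "$@"; fi
```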
Next steps
- Learn how to verify DDoS protection of your API Management instance by testing with simulation partners
- Learn how to view and configure Azure DDoS Protection telemetry