Defend your Azure API Management instance against DDoS attacks

APPLIES TO: Developer | Premium

This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.​

Note

For web workloads, we highly recommend utilizing Azure DDoS protection and a web application firewall to safeguard against emerging DDoS attacks. Another option is to employ Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks. For more information, see security baseline for Azure services.

Supported configurations

Enabling Azure DDoS Protection for API Management is supported only for instances deployed (injected) in a VNet in external mode or internal mode.

• External mode - All API Management endpoints are protected
• Internal mode - Only the management endpoint accessible on port 3443 is protected

Unsupported configurations

• Instances that aren't VNet-injected
• Instances configured with a private endpoint

Prerequisites

• An API Management instance
  • The instance must be deployed in an Azure VNet in external mode or internal mode.
  • The instance must be configured with an Azure public IP address resource, which is supported only on the API Management stv2 compute platform.

    Note

    If the instance is hosted on the stv1 platform, you must migrate to the stv2 platform.

• An Azure DDoS Protection plan

  • The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Microsoft Entra tenant.

  • You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU. See Azure DDoS Protection SKU Comparison.

    Note

    Azure DDoS Protection plans incur additional charges. For more information, see Pricing.

Enable DDoS Protection

Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.

Enable DDoS Protection on the virtual network used for your API Management instance

1. In the Azure portal, navigate to the VNet where your API Management is injected.

2. In the left menu, under Settings, select DDoS protection.

3. Select Enable, and then select your DDoS protection plan.

4. Select Save.

   

Enable DDoS protection on the API Management public IP address

If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.

Next steps

• Learn how to verify DDoS protection of your API Management instance by testing with simulation partners
• Learn how to view and configure Azure DDoS Protection telemetry