Forum Discussion
How to Protect ...azure-api.net Subdomain from DDoS Attacks when using API Management Basic
Dear Tech Community, I am using Azure API Management (APIM Basic) in external mode and without VNet integration, meaning my API instance is publicly accessible through the default ...azure-api.net subdomain. I'm also using a custom domain, but the default domain still remains active.
I am concerned about potential DDoS attacks and want to secure this subdomain. I am considering using Azure Front Door to filter the traffic and leverage its Web Application Firewall (WAF) for enhanced protection.
Could you please clarify the following:
- Is it possible to fully protect the API subdomain (...azure-api.net) via Azure Front Door or other products, ensuring no traffic bypasses Front Door and directly reaches the original APIM domain?
- What additional configurations, such as IP filtering or header validation, are required to restrict access so that only traffic routed through Azure Front Door reaches the APIM domain?
- Given that API Management without VNet integration doesn’t support DDoS Protection Standard, what are the best practices for DDoS protection in this scenario?
- Could you recommend any additional steps or configurations to ensure that all DDoS and security measures are effectively implemented?
Thank you for your support.
Best regards, Michael
To protect your azure-api.net subdomain from DDoS attacks using Azure API Management in external mode:
1. Route traffic through Azure Front Door with Web Application Firewall (WAF) for DDoS protection and security.
2. Configure APIM to allow traffic only from Azure Front Door IP ranges using IP filtering.
3. Add custom headers in Front Door and configure APIM to validate these, ensuring all traffic goes through Front Door.
4. Implement rate limiting and quotas in APIM to control traffic.
5. Monitor traffic using Azure Monitor for any anomalies.
This setup ensures traffic is filtered through Front Door, protecting against DDoS and unauthorized access.
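As an added illustration of steps 2 through 4 (not part of the original answer), this is what the inbound APIM policy on the API or product scope can look like. It assumes a named value called FrontDoorId that holds the Front Door ID from your profile's overview page, and the two address ranges are placeholders (RFC 5737 documentation ranges) that you replace with the current AzureFrontDoor.Backend service-tag ranges.

```xml
<policies>
    <inbound>
        <base />
        <!-- Step 2: drop anything that did not arrive from a Front Door edge.
             PLACEHOLDER ranges: replace with the current AzureFrontDoor.Backend
             service-tag ranges and keep them in sync when Microsoft updates them. -->
        <ip-filter action="allow">
            <address-range from="203.0.113.0" to="203.0.113.255" />
            <address-range from="198.51.100.0" to="198.51.100.255" />
        </ip-filter>
        <!-- Step 3: those ranges are shared by every Front Door customer, so also
             bind requests to *your* profile. Front Door stamps its profile ID into
             the X-Azure-FDID header; {{FrontDoorId}} is an assumed APIM named value
             holding that ID. A request that passed the IP filter but carries
             another profile's ID (or no header) is rejected here with 403. -->
        <check-header name="X-Azure-FDID" failed-check-httpcode="403"
                      failed-check-error-message="Forbidden" ignore-case="false">
            <value>{{FrontDoorId}}</value>
        </check-header>
        <!-- Step 4: per-client rate limit. Behind Front Door the socket address is
             a Front Door POP, so key on the first X-Forwarded-For entry instead. -->
        <rate-limit-by-key calls="100" renewal-period="60"
            counter-key="@(context.Request.Headers.GetValueOrDefault("X-Forwarded-For", context.Request.IpAddress).Split(',')[0].Trim())" />
        <!-- Do not leak the profile ID to the backend service. -->
        <set-header name="X-Azure-FDID" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The order matters: the IP filter alone is not enough because the Front Door backend ranges are shared across all Front Door customers, and the header check alone is not enough because anyone who learns the ID can send the header directly. Note that both checks run inside the gateway, so the ...azure-api.net endpoint still accepts the TCP/TLS connection and rejects the request at HTTP level; only the volumetric part is absorbed by Front Door.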
3 Replies
It may be worth referring to this as well:
Integrate Azure Front Door with Azure API Management - Microsoft Community Hub
- balasubramanim, Iron Contributor
(same answer as shown above)
- mischmuc089, Copper Contributor
Thanks, that's what I thought already. Just to be clear, this means the APIM gateway would still receive requests via ...azure-api.net, but with the policy, I completely block this traffic.