cross-links

Author: dlepow

articles/api-management/TOC.yml

@@ -151,8 +151,6 @@
                   href: private-endpoint.md
                 - name: Retrieve IP addresses
                   href: api-management-howto-ip-addresses.md
-                - name: Defend against DDoS attacks
-                  href: protect-with-ddos-protection.md
             - name: Configuration management
               items:
               - name: Landing zone accelerator
@@ -281,6 +279,8 @@
               href: api-management-howto-ca-certificates.md
             - name: Manage protocols and ciphers
               href: api-management-howto-manage-protocols-ciphers.md
+            - name: Defend against DDoS attacks
+              href: protect-with-ddos-protection.md
             - name: Mitigate OWASP API threats
               href: mitigate-owasp-api-threats.md
               displayName: OWASP top 10, vulnerability, vulnerabilities

articles/api-management/mitigate-owasp-api-threats.md

@@ -121,7 +121,7 @@ More information about this threat: [API4:2019 Lack of resources and rate limiti
 
     * Limit the number of parallel backend connections with the [limit concurrency](api-management-advanced-policies.md#LimitConcurrency) policy. 
 
-* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](../frontdoor/front-door-overview.md), or [Azure DDoS Protection Service](../ddos-protection/ddos-protection-overview.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set). 
+* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](front-door-api-management.md), or [Azure DDoS Protection](protect-with-ddos-protection.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set). 
 
 ## Broken function level authorization
 
@@ -237,7 +237,7 @@ More information about this threat: [API8:2019 Injection](https://github.com/OWA
 
 ### Recommendations
 
-* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesn’t have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](../frontdoor/front-door-overview.md). 
+* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesn’t have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](front-door-api-management.md). 
 
     > [!IMPORTANT]
     > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](api-management-access-restriction-policies.md#RestrictCallerIPs), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS). 

articles/api-management/protect-with-ddos-protection.md

@@ -17,7 +17,7 @@ This article shows how to defend your Azure API Management instance against dist
 
 ## Supported configurations
 
-Enabling Azure DDoS Protection for API Management is available only for instances deployed (injected) in a VNet in [external mode](api-management-using-with-vnet.md).
+Enabling Azure DDoS Protection for API Management is currently available only for instances deployed (injected) in a VNet in [external mode](api-management-using-with-vnet.md).
 
 Currently, Azure DDoS Protection can't be enabled for the following API Management configurations:
 
@@ -40,20 +40,20 @@ Currently, Azure DDoS Protection can't be enabled for the following API Manageme
      
 ## Enable DDoS Protection
 
-Depending on the DDoS Protection plan you use, you enable DDoS protection either on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
+Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
 
 ### Enable DDoS Protection on the virtual network used for your API Management instance
 
 1. In the [Azure portal](https://portal.azure.com), navigate to the VNet where your API Management is injected.
 1. In the left menu, under **Settings**, select **DDoS protection**.
-1. Select **Enable**, and then select your Azure DDoS Protection plan.
+1. Select **Enable**, and then select your **DDoS protection plan**.
 1. Select **Save**.
 
     :::image type="content" source="media/protect-with-ddos-protection/enable-ddos-protection.png" alt-text="Screenshot of enabling a DDoS Protection plan on a VNet in the Azure portal.":::
 
 ### Enable DDoS protection on the API Management public IP address
 
-To enable DDoS protection on the IP address, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).
+If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).
 
 ## Next steps
 

articles/api-management/virtual-network-concepts.md

@@ -181,23 +181,17 @@ For more information, see [Integrate API Management in an internal virtual netwo
 
 Learn more about:
 
-* [Connecting a virtual network to backend using VPN Gateway](../vpn-gateway/design.md#s2smulti)
-* [Connecting a virtual network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [Virtual network frequently asked questions](../virtual-network/virtual-networks-faq.md)
-
 Virtual network configuration with API Management:
 * [Connect to an external virtual network using Azure API Management](./api-management-using-with-vnet.md).
 * [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
 * [Connect privately to API Management using a private endpoint](private-endpoint.md)
-
+* [Defend your Azure API Management instance against DDoS attacks](protect-with-ddos-protection.md)
 
 Related articles:
 
 * [Connecting a Virtual Network to backend using Vpn Gateway](../vpn-gateway/design.md#s2smulti)
 * [Connecting a Virtual Network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [How to use the API Inspector to trace calls in Azure API Management](api-management-howto-api-inspector.md)
 * [Virtual Network Frequently asked Questions](../virtual-network/virtual-networks-faq.md)
-* [Service tags](../virtual-network/network-security-groups-overview.md#service-tags)