Merge pull request #214528 from dlepow/ddos

LJSpiller · web-flow · commit eb615d91e59e · 2022-10-25T13:37:57.000-04:00
[APIM] Configure Azure DDoS Protection
diff --git a/articles/api-management/TOC.yml b/articles/api-management/TOC.yml
@@ -279,6 +279,8 @@
               href: api-management-howto-ca-certificates.md
             - name: Manage protocols and ciphers
               href: api-management-howto-manage-protocols-ciphers.md
+            - name: Defend against DDoS attacks
+              href: protect-with-ddos-protection.md
             - name: Mitigate OWASP API threats
               href: mitigate-owasp-api-threats.md
               displayName: OWASP top 10, vulnerability, vulnerabilities
diff --git a/articles/api-management/media/protect-with-ddos-protection/enable-ddos-protection.png b/articles/api-management/media/protect-with-ddos-protection/enable-ddos-protection.png
diff --git a/articles/api-management/mitigate-owasp-api-threats.md b/articles/api-management/mitigate-owasp-api-threats.md
@@ -121,7 +121,7 @@ More information about this threat: [API4:2019 Lack of resources and rate limiti
 
     * Limit the number of parallel backend connections with the [limit concurrency](api-management-advanced-policies.md#LimitConcurrency) policy. 
 
-* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](../frontdoor/front-door-overview.md), or [Azure DDoS Protection Service](../ddos-protection/ddos-protection-overview.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set). 
+* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](front-door-api-management.md), or [Azure DDoS Protection](protect-with-ddos-protection.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set). 
 
 ## Broken function level authorization
 
@@ -237,7 +237,7 @@ More information about this threat: [API8:2019 Injection](https://github.com/OWA
 
 ### Recommendations
 
-* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesn’t have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](../frontdoor/front-door-overview.md). 
+* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesn’t have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](front-door-api-management.md). 
 
     > [!IMPORTANT]
     > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](api-management-access-restriction-policies.md#RestrictCallerIPs), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS). 
diff --git a/articles/api-management/protect-with-ddos-protection.md b/articles/api-management/protect-with-ddos-protection.md
@@ -0,0 +1,61 @@
+---
+title: Defend API Management against DDoS attacks 
+description: Learn how to protect your API Management instance in an external virtual network against volumetric and protocol DDoS attacks by using Azure DDoS Protection Standard.
+services: api-management
+author: dlepow
+
+ms.service: api-management
+ms.topic: how-to
+ms.date: 10/24/2022
+ms.author: danlep
+---
+# Defend your Azure API Management instance against DDoS attacks
+
+This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling [Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md). Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.​
+
+[!INCLUDE [premium-dev.md](../../includes/api-management-availability-premium-dev.md)]
+
+## Supported configurations
+
+Enabling Azure DDoS Protection for API Management is currently available only for instances deployed (injected) in a VNet in [external mode](api-management-using-with-vnet.md).
+
+Currently, Azure DDoS Protection can't be enabled for the following API Management configurations:
+
+* Instances that aren't VNet-injected
+* Instances deployed in a VNet in [internal mode](api-management-using-with-internal-vnet.md)
+* Instances configured with a [private endpoint](private-endpoint.md)
+
+## Prerequisites
+
+* An API Management instance
+    * The instance must be deployed in an Azure VNet in [external mode](api-management-using-with-vnet.md) 
+    * The instance to be configured with an Azure public IP address resource, which is supported only on the API Management `stv2` [compute platform](compute-infrastructure.md). 
+    * If the instance is hosted on the `stv1` platform, you must [migrate](compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) to the `stv2` platform.
+* An Azure DDoS Protection [plan](../ddos-protection/manage-ddos-protection.md)
+    * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Azure Active Directory tenant.
+    * You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU (preview). See [Azure DDoS Protection SKU Comparison](../ddos-protection/ddos-protection-sku-comparison.md).
+
+        > [!NOTE]
+        > Azure DDoS Protection plans incur additional charges. For more information, see [Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/).
+     
+## Enable DDoS Protection
+
+Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.
+
+### Enable DDoS Protection on the virtual network used for your API Management instance
+
+1. In the [Azure portal](https://portal.azure.com), navigate to the VNet where your API Management is injected.
+1. In the left menu, under **Settings**, select **DDoS protection**.
+1. Select **Enable**, and then select your **DDoS protection plan**.
+1. Select **Save**.
+
+    :::image type="content" source="media/protect-with-ddos-protection/enable-ddos-protection.png" alt-text="Screenshot of enabling a DDoS Protection plan on a VNet in the Azure portal.":::
+
+### Enable DDoS protection on the API Management public IP address
+
+If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).
+
+## Next steps
+
+* Learn how to verify DDoS protection of your API Management instance by [testing with simulation partners](../ddos-protection/test-through-simulations.md)
+* Learn how to [view and configure Azure DDoS Protection telemetry](../ddos-protection/telemetry.md)
diff --git a/articles/api-management/virtual-network-concepts.md b/articles/api-management/virtual-network-concepts.md
@@ -181,23 +181,17 @@ For more information, see [Integrate API Management in an internal virtual netwo
 
 Learn more about:
 
-* [Connecting a virtual network to backend using VPN Gateway](../vpn-gateway/design.md#s2smulti)
-* [Connecting a virtual network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [Virtual network frequently asked questions](../virtual-network/virtual-networks-faq.md)
-
 Virtual network configuration with API Management:
 * [Connect to an external virtual network using Azure API Management](./api-management-using-with-vnet.md).
 * [Connect to an internal virtual network using Azure API Management](./api-management-using-with-internal-vnet.md).
 * [Connect privately to API Management using a private endpoint](private-endpoint.md)
-
+* [Defend your Azure API Management instance against DDoS attacks](protect-with-ddos-protection.md)
 
 Related articles:
 
 * [Connecting a Virtual Network to backend using Vpn Gateway](../vpn-gateway/design.md#s2smulti)
 * [Connecting a Virtual Network from different deployment models](../vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell.md)
-* [How to use the API Inspector to trace calls in Azure API Management](api-management-howto-api-inspector.md)
 * [Virtual Network Frequently asked Questions](../virtual-network/virtual-networks-faq.md)
-* [Service tags](../virtual-network/network-security-groups-overview.md#service-tags)
 
 
 
