Azure DDoS Standard Protection Now Supports APIM in VNET Integration




Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks, such as adaptive real-time tuning, always-on traffic monitoring, Azure DDoS Rapid Response support, cost protection, and telemetry, monitoring, and alerting.


DDoS Protection Standard already supports public IPs attached to resources in ARM-based VNets, such as Load Balancers, Bastion, Azure Firewall and Application Gateway. Now you can also protect the public IPs attached to VNet-integrated Azure API Management (APIM) instances with Azure DDoS Protection Standard.




When you deploy your APIM instance in an Azure virtual network (VNet) and attach a public IP to it, you get external inbound connectivity to the gateway and API Management endpoints, and the instance gets secure access to other peered Azure resources and connectivity to your on-premises networks over VPN technologies and ExpressRoute. This setup exposes private and on-premises backends to the internet through the gateway, which makes your API gateway a target for DDoS attacks.


For infrastructure and workloads such as gaming and sensitive web applications, even brief downtime causes huge financial cost and reputational damage to your organization. Attackers try to overload the backend with bots to block legitimate traffic or bring the system down. With Azure DDoS Protection Standard, you can mitigate volumetric and protocol DDoS attacks targeting your APIs on Azure.


In a VNet-integrated scenario you can control access with Network Security Groups, but NSGs do not provide DDoS protection for your APIM instance. You can also integrate with Application Gateway WAF for layer 7 protection against attacks such as SQL injection, cross-site scripting and protocol violations. Note that DDoS Protection Standard was already available in a setup where Application Gateway intercepts the traffic before it reaches the APIM instance; this blog focuses on the new support for protecting the APIM instance directly when it is integrated with a VNet. To learn more about Application Gateway integration with APIM, see Use API Management in a virtual network with Azure Application Gateway - Azure API Management | Microsoft Learn.







This blog will show you how to:

  • Create an APIM instance with a virtual network configuration
  • Create a DDoS Protection Standard plan and configure logging for the public IP
  • Identify when you are under a DDoS attack and investigate the mitigation logs


Create APIM Instance with VNet Integration


(Animation: installing the APIM instance in the Azure portal)



For this blog we create an APIM instance with the minimum configuration shown above. Make sure to choose Virtual network as the connectivity type under the Virtual network tab; this enables inbound connections from the internet through the VNet and gives you the option to enable DDoS Protection Standard. We use the API Management instance in External mode, but you can choose either Internal or External mode depending on whether you need connectivity to your API Management endpoints from the internet or only from within the VNet; for the latter choose Internal mode. Full configuration steps can be found at Connect to a virtual network using Azure API Management | Microsoft Learn.


APIM VNet integration Requirements:

  • The minimum size of the subnet in which the API Management instance can be deployed is /29
  • The public IP must have a fully qualified domain name (a DNS A record) associated with it




Note: The public IP attached to the APIM instance is used for runtime API traffic and for managing configuration on port 3443. For more information see IP addresses of Azure API Management service | Microsoft Docs.


Create DDoS Protection plan


Creating an Azure DDoS Protection plan is straightforward. Choose your subscription and make sure that the public IP you want to protect is in the same tenant: a DDoS Protection Standard plan spans all subscriptions under the same Azure AD tenant.




After deploying the DDoS plan, go to Protected resources and add the VNet in which the API Management instance is deployed.


Enable logging on your Public IP




In your public IP configuration, create a diagnostic setting with all log categories selected and your Log Analytics workspace as the destination.



At this stage you should have created the APIM instance in your VNet and enabled Azure DDoS Protection Standard for its public IP. For our test we use one of our DDoS simulation partners. More information about DDoS attack simulation partners is available at Azure DDoS Protection simulation testing | Microsoft Docs.


Before starting the simulated attack, let's check the metrics and the current threshold for our public IP. Under your public IP resource click Metrics, add a new metric, and choose "Inbound SYN packets to trigger DDoS mitigation".




This metric shows the current TCP SYN packet-rate threshold at which DDoS mitigation is triggered. In our case it is 10k packets per second.




The other metric we want to look at is "Under DDoS attack or not". This metric has only two values, 0 and 1:

0 = your public IP is not under DDoS attack; 1 = your public IP is under DDoS attack and DDoS mitigation has started.




Once the DDoS simulation starts, you will see the metric change to 1 as shown above; in our run the attack started at 10:19 PM. To get more information about the attack and its mitigation we look at the logs. Go to the Log Analytics workspace that receives the public IP logs and, under Logs, run the following query:



AzureDiagnostics
| where Category == "DDoSProtectionNotifications"


We should see one entry whose message starts with [MITIGATION STARTED], as shown in the screenshot below.




Let's run another query, this time with Category set to "DDoSMitigationFlowLogs":



AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"


DDoS mitigation flow logs record every packet flow that was allowed or dropped during mitigation. In the example below the message states "Protocol violation invalid TCP syn", which means the packet was dropped because it was identified as malicious.
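The two queries above return raw rows; an analyst usually wants to know how long mitigation ran, whether the IP is still under mitigation (the 0/1 semantics of the "Under DDoS attack or not" metric described earlier), and which drop reasons and source addresses dominate the flow logs. The script below is an added example and is not code from the original post or from Microsoft. It works over constructed sample rows shaped like exported AzureDiagnostics records from the DDoSProtectionNotifications and DDoSMitigationFlowLogs categories; the field names (PublicIpAddress, SourcePublicIpAddress, Action, Message, and so on), the addresses, the timestamps and the "Rate limit exceeded" reason text are assumptions made for the example.

```python
"""Triage Azure DDoS Protection diagnostic logs for one protected public IP.

Added example (not code from the original post). The rows below are
constructed samples in the shape of AzureDiagnostics records from the
DDoSProtectionNotifications and DDoSMitigationFlowLogs categories; the
exact field names are an assumption made for this example.
"""
from collections import Counter
from datetime import datetime, timezone

PROTECTED_IP = "203.0.113.10"  # constructed, documentation-range address

# Constructed sample rows; timestamps, addresses and reason texts are made up.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-03-01T22:19:05Z", "Category": "DDoSProtectionNotifications",
     "PublicIpAddress": PROTECTED_IP,
     "Message": "[MITIGATION STARTED] Mitigation started for 203.0.113.10"},
    {"TimeGenerated": "2023-03-01T22:19:06Z", "Category": "DDoSMitigationFlowLogs",
     "PublicIpAddress": PROTECTED_IP, "SourcePublicIpAddress": "198.51.100.7",
     "SourcePort": 44321, "DestPort": 443, "Protocol": "TCP", "Action": "Dropped",
     "Message": "Protocol violation invalid TCP syn"},
    {"TimeGenerated": "2023-03-01T22:19:06Z", "Category": "DDoSMitigationFlowLogs",
     "PublicIpAddress": PROTECTED_IP, "SourcePublicIpAddress": "198.51.100.7",
     "SourcePort": 44322, "DestPort": 443, "Protocol": "TCP", "Action": "Dropped",
     "Message": "Protocol violation invalid TCP syn"},
    {"TimeGenerated": "2023-03-01T22:19:07Z", "Category": "DDoSMitigationFlowLogs",
     "PublicIpAddress": PROTECTED_IP, "SourcePublicIpAddress": "198.51.100.23",
     "SourcePort": 51000, "DestPort": 443, "Protocol": "UDP", "Action": "Dropped",
     "Message": "Rate limit exceeded"},  # constructed reason text
    {"TimeGenerated": "2023-03-01T22:19:08Z", "Category": "DDoSMitigationFlowLogs",
     "PublicIpAddress": PROTECTED_IP, "SourcePublicIpAddress": "192.0.2.44",
     "SourcePort": 60010, "DestPort": 443, "Protocol": "TCP", "Action": "Forwarded",
     "Message": "Forwarded"},
    {"TimeGenerated": "2023-03-01T22:34:00Z", "Category": "DDoSProtectionNotifications",
     "PublicIpAddress": PROTECTED_IP,
     "Message": "[MITIGATION ENDED] Mitigation ended for 203.0.113.10"},
]


def _ts(value):
    """Parse the UTC ISO-8601 timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mitigation_windows(rows, ip):
    """Pair [MITIGATION STARTED] / [MITIGATION ENDED] notifications for one public IP
    into (start, end) windows; end is None while a mitigation is still running."""
    windows = []
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        if row["Category"] != "DDoSProtectionNotifications" or row["PublicIpAddress"] != ip:
            continue
        when = _ts(row["TimeGenerated"])
        if "[MITIGATION STARTED]" in row["Message"]:
            windows.append((when, None))
        elif "[MITIGATION ENDED]" in row["Message"] and windows and windows[-1][1] is None:
            windows[-1] = (windows[-1][0], when)
    return windows


def attack_state(rows, ip, at_iso):
    """Mirror the 'Under DDoS attack or not' metric from the notifications:
    1 while a mitigation window covers the given instant, otherwise 0."""
    at = _ts(at_iso)
    for start, end in mitigation_windows(rows, ip):
        if start <= at and (end is None or at < end):
            return 1
    return 0


def mitigation_seconds(rows, ip):
    """Total seconds spent in completed mitigation windows for the IP."""
    return int(sum((end - start).total_seconds()
                   for start, end in mitigation_windows(rows, ip) if end is not None))


def drop_summary(rows, ip):
    """Count dropped flow-log entries by mitigation reason and by source address,
    so an analyst can see why packets were dropped and where they came from."""
    reasons, sources = Counter(), Counter()
    for row in rows:
        if (row["Category"] == "DDoSMitigationFlowLogs"
                and row["PublicIpAddress"] == ip and row["Action"] == "Dropped"):
            reasons[row["Message"]] += 1
            sources[row["SourcePublicIpAddress"]] += 1
    return reasons, sources


if __name__ == "__main__":
    for start, end in mitigation_windows(SAMPLE_ROWS, PROTECTED_IP):
        ended = f"{end:%H:%M:%S}" if end else "ongoing"
        print(f"mitigation {start:%H:%M:%S} -> {ended} UTC")
    print("under attack at 22:20:", attack_state(SAMPLE_ROWS, PROTECTED_IP, "2023-03-01T22:20:00Z"))
    print("mitigation seconds:", mitigation_seconds(SAMPLE_ROWS, PROTECTED_IP))
    reasons, sources = drop_summary(SAMPLE_ROWS, PROTECTED_IP)
    print("drop reasons:", dict(reasons))
    print("top sources:", sources.most_common(3))
```

On real data, replace SAMPLE_ROWS with rows exported from the workspace (for example the JSON output of a Log Analytics query over the two categories) and check the field names against your own schema first; an open window with end None is the signal that mitigation is still active and the "Under DDoS attack or not" metric should still read 1.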






Enabling internet connectivity to your API services carries a significant risk of DDoS attack, because any endpoint that is publicly reachable from the internet is exposed to them. With the new Azure DDoS Protection support for VNet-integrated API Management instances, you can now mitigate volumetric and protocol DDoS attacks at global scale with minimal configuration and overhead. After reading this blog you should be able to create an APIM instance with VNet integration, configure Azure DDoS Protection Standard, and investigate DDoS mitigations that occurred in your environment.


Additional resources

Azure API Management with an Azure virtual network | Microsoft Docs

Azure DDoS Protection Standard documentation | Microsoft Docs

Connect to a virtual network using Azure API Management | Microsoft Docs
