CasperRubaek asked:

How can I protect against bots or users that rotate IP addresses and attack my unauthenticated APIs behind API Management?

I am building a website that needs to call my Function App API behind API Management, and it needs to be unauthenticated because the user should not be required to log in. However, I have some concerns about the security aspects of the solution and also about how much the solution will cost me.
I am using the Consumption tier of API Management since it is the most cost-effective solution for me right now.

Specifically, I am worried that a malicious user or bot executes a DDOS attack from multiple source IP addresses against my API, which would render the service unusable and also incur a lot of costs.

I have been looking into using the rate-limit-by-key inbound policy, but this is only available in non-Consumption tiers of API Management. The alternative, rate-limit, works, but one user or bot could then render the site unusable for legitimate users, since all requests to API Management would be blocked once the rate limit was exceeded.

How can I protect against this and what other attacks should I set up defenses against in this scenario?
Also, can I set up additional measures to ensure that no one can access my function app APIs directly in addition to the function key that needs to be provided?

Tags: azure-functions, azure-api-management

1 Answer

PramodValavala-MSFT answered:

@CasperRubaek All Azure Services are protected with Azure DDoS Protection Basic by default for free. For Azure DDoS Protection Standard, you will need to deploy APIM into a VNET which is currently only supported on the Premium Tier.

You can however protect your consumption tier instance by other means like validating tokens or requiring client certificates.

As for the function apps, since the Consumption tier doesn't come with a dedicated IP address, you will have to set up a range of IP addresses that belong to Azure data centers, as described in the doc linked.


· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks.

I was aware of DDOS protection. Is the threshold fixed or is it determined with machine learning or against a baseline?

Unfortunately, it is not possible to validate tokens and require client certificates because the app should not require users to sign in. They should be able to access the site without any modification and send API requests to an unauthenticated endpoint.

Thanks for the link to the range of Azure datacenter IP addresses.

@CasperRubaek The service monitors and mitigates common network-layer attacks using various methods to determine the threshold. This is the same service that protects the Azure Platform itself.


Can you go into a bit more in-depth about the security measures it protects with?
I need to know if I can depend on the service to block malicious abusive traffic to my website.

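As an added illustration (not from any participant in this thread), the API Management inbound policy below puts the global rate-limit that the question says is available on the Consumption tier beside the per-client rate-limit-by-key that the question says requires a non-Consumption tier; deploy only the variant your tier supports. The call counts, the named value apim-backend-secret and the header name X-Apim-Secret are assumptions chosen for the example.

```xml
<policies>
  <inbound>
    <base />

    <!-- Variant A (Consumption tier): ONE counter shared by every caller.
         This bounds total cost, but a single abusive client can exhaust the
         counter and block legitimate users, the drawback raised in the question.
         Numbers are illustrative. -->
    <rate-limit calls="1000" renewal-period="60" />

    <!-- Variant B (non-Consumption tiers only): ONE counter per client IP, so a
         noisy client is throttled without affecting others. It does not stop an
         attacker who rotates source addresses; it only bounds what each address
         can do per period, so keep a global ceiling as well. -->
    <rate-limit-by-key calls="60" renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />

    <!-- Defense in depth for the "nobody reaches the function directly" concern:
         inject a secret the backend can verify in addition to the function key.
         The value comes from an API Management named value (assumed name). -->
    <set-header name="X-Apim-Secret" exists-action="override">
      <value>{{apim-backend-secret}}</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The backend still needs an IP restriction to the Azure ranges mentioned in the answer; the header check only rejects requests that bypass API Management if the function verifies it on every call.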