title Defend API Management Against DDoS Attacks
description Learn how to protect your API Management instance in an external virtual network against volumetric and protocol DDoS attacks by using Azure DDoS Protection.
services api-management
author dlepow
ms.service azure-api-management
ms.topic how-to
ms.date 04/17/2025
ms.author danlep
ms.custom sfi-image-nochange

Defend your Azure API Management instance against DDoS attacks

[!INCLUDE premium-dev.md]

This article shows how to defend your Azure API Management instance against distributed denial of service (DDoS) attacks by enabling Azure DDoS Protection. Azure DDoS Protection provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks.

[!INCLUDE ddos-waf-recommendation]

Supported configurations

Enabling Azure DDoS Protection for API Management is supported only for instances deployed (injected) in a VNet in external mode or internal mode.

  • External mode - All API Management endpoints are protected
  • Internal mode - Only the management endpoint accessible on port 3443 is protected

Unsupported configurations

  • Instances that aren't VNet-injected
  • Instances configured with a private endpoint

Prerequisites

  • An API Management instance

    • The instance must be deployed in an Azure VNet in external mode or internal mode.
    • The instance must be configured with an Azure public IP address resource.
  • An Azure DDoS Protection plan

    • The plan you select can be in the same subscription as the virtual network and the API Management instance, or in a different one. If the subscriptions differ, they must be associated with the same Microsoft Entra tenant.

    • You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU. See Azure DDoS Protection SKU Comparison.

      [!NOTE] Azure DDoS Protection plans incur additional charges. For more information, see Pricing.

Enable DDoS Protection

Depending on the DDoS Protection plan you use, enable DDoS protection on the virtual network used for your API Management instance, or the IP address resource configured for your virtual network.

Enable DDoS Protection on the virtual network used for your API Management instance

  1. In the Azure portal, navigate to the VNet where your API Management is injected.

  2. In the left menu, under Settings, select DDoS protection.

  3. Select Enable, and then select your DDoS protection plan.

  4. Select Save.

    :::image type="content" source="media/protect-with-ddos-protection/enable-ddos-protection.png" alt-text="Screenshot of enabling a DDoS Protection plan on a VNet in the Azure portal.":::

Enable DDoS protection on the API Management public IP address

If your plan uses the IP DDoS Protection SKU, see Enable DDoS IP Protection for a public IP address.
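
To check the result outside the portal, the following added example (not part of the original article) evaluates an instance against the supported configurations and prerequisites listed above. It assumes JSON shaped like the output of `az apim show`, `az network vnet show`, and `az network public-ip show`; the field names are assumptions about that output, and the sample resources are constructed.

```python
# Scope of protection per VNet mode, as listed under "Supported configurations".
SCOPE = {
    "External": "all API Management endpoints",
    "Internal": "management endpoint on port 3443 only",
}


def ddos_coverage(apim, vnet, public_ip=None):
    """Return (protected scope or None, list of blocking issues)."""
    issues = []
    mode = apim.get("virtualNetworkType") or "None"
    if mode not in SCOPE:
        issues.append("instance is not VNet-injected (unsupported)")
    if apim.get("privateEndpointConnections"):
        issues.append("instance uses a private endpoint (unsupported)")
    if not apim.get("publicIpAddressId"):
        issues.append("no Azure public IP address resource configured")
    # Network SKU: a plan is attached to the VNet.
    plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id")
    vnet_on = bool(vnet.get("enableDdosProtection")) and bool(plan_id)
    # IP SKU: protection is enabled directly on the public IP resource.
    settings = (public_ip or {}).get("ddosSettings") or {}
    ip_on = settings.get("protectionMode") == "Enabled"
    if not (vnet_on or ip_on):
        issues.append("DDoS Protection not enabled on the VNet or the public IP")
    return (None if issues else SCOPE[mode]), issues


# Constructed sample resources (placeholder IDs, not real subscriptions).
SAMPLE_APIM = {
    "virtualNetworkType": "Internal",
    "publicIpAddressId": "/subscriptions/<sub-id>/.../publicIPAddresses/apim-pip",
    "privateEndpointConnections": None,
}
SAMPLE_VNET = {
    "enableDdosProtection": True,
    "ddosProtectionPlan": {"id": "/subscriptions/<sub-id>/.../ddosProtectionPlans/plan1"},
}

if __name__ == "__main__":
    scope, problems = ddos_coverage(SAMPLE_APIM, SAMPLE_VNET)
    print("Protected scope:", scope or "none")
    for problem in problems:
        print(" -", problem)
```
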

Related content