Closed codemaker closed 4 years ago
Thanks for the feedback! We are currently investigating and will update you shortly.
@codemaker The gateway URL will not change when turning on virtual networks but whether it is exposed to the public internet by default depends on the mode that you are changing it to.
In case of the external mode, no further action is required to expose the gateway endpoint.
In case of the internal mode, you will have to both set up the DNS records and configure an Application Gateway to expose the endpoints to the internet.
@codemaker Just following up here... Hope my previous comment clears things up.
Thanks for the response. Once I enable external mode, do I need to manually set up monitoring on the VNET? Basically I would like to stop DDoS attacks on APIM.
@codemaker Azure DDoS Basic is available for all Azure services by default at no extra cost. When deployed into a VNET, you have the ability to enable Azure DDoS Standard Protection which provides you with additional mitigation capabilities.
You can read more about Best Practices of DDoS Protection in the official docs.
Standard protection costs $2000 plus per month.
"Azure DDoS Basic is available for all Azure services by default at no extra cost." - Do we have any Microsoft document for reference which says it's free?
@codemaker The table in this doc does mention it.
Note this covers common network-level attacks by default. So, if you are using Azure, you are already covered by the free DDoS Protection.
Do we get a DDoS attack dashboard so that we can do daily monitoring? Basically we have APIM, Azure AD and Log Analytics which are publicly exposed to the internet. Do we really need to secure them or will Microsoft take care of it?
@codemaker Those metrics and logs are streamed to Azure Monitor when you have DDoS Standard as mentioned in the doc. The Basic Plan has no such metrics but will protect Azure Resources from common network-level attacks on its own.
You could still monitor your own services with metrics they each may provide for any anomalies that Azure DDoS may not consider an attack but are unusual for your application.
So the conclusion is adding external or internal mode will not help unless I apply a DDoS plan on the VNET. If I just leave APIM as it is, it will also be protected by the basic Microsoft protection layer.
@codemaker Yes. That is correct for DDoS.
@codemaker Just following up here... Hope my previous comment clears things up.
Yes, we can close the thread.
@codemaker Glad we could help!
We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
Currently the Virtual network setting is "OFF" for my APIM. I am planning to change it to external or internal. However, my customers are already using the "gateway" URL in the field. Does the URL of my APIM endpoint change? I basically want to enable it to protect my APIM from DDoS attacks.