MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Will my Gateway URL change? #51710

Closed codemaker closed 4 years ago

codemaker commented 4 years ago

Currently the Virtual network setting is "OFF" for my APIM. I am planning to change it to external or internal. However, my customers are already using the "gateway" URL in the field. Does the URL of my APIM endpoint change? I basically want to enable it to protect my APIM from DDoS attacks.



Karishma-Tiwari-MSFT commented 4 years ago

Thanks for the feedback! We are currently investigating and will update you shortly.

PramodValavala-MSFT commented 4 years ago

@codemaker The gateway URL will not change when turning on virtual networks, but whether it is exposed to the public internet by default depends on the mode that you are changing it to.

In case of the external mode, no further action is required to expose the gateway endpoint.

In case of the internal mode, you will have to both set up the DNS records and configure an Application Gateway to expose the endpoints to the internet.

PramodValavala-MSFT commented 4 years ago

@codemaker Just following up here... Hope my previous comment clears things up.

deepakkumpala commented 4 years ago

Thanks for the response. Once I enable external mode, do I need to manually set up monitoring on the VNET? Basically I would like to stop DDoS attack on APIM.

PramodValavala-MSFT commented 4 years ago

@codemaker Azure DDoS Basic is available for all Azure services by default at no extra cost. When deployed into a VNET, you have the ability to enable Azure DDoS Standard Protection, which provides you with additional mitigation capabilities.

You can read more about Best Practices of DDoS Protection in the official docs.

deepakkumpala commented 4 years ago

Standard protection costs $2000 plus per month.

"Azure DDoS Basic is available for all Azure services by default at no extra cost." - Do we have any Microsoft document for reference which says it's free?

PramodValavala-MSFT commented 4 years ago

@codemaker The table in this doc does mention it.

Note this covers common network-level attacks by default. So, if you are using Azure, you are already covered by the free DDoS Protection.

deepakkumpala commented 4 years ago

Do we get a DDoS attack dashboard so that we can do daily monitoring? Basically we have APIM, Azure AD and Log Analytics which are publicly exposed to the internet. Do we really need to secure it or will Microsoft take care of it?

PramodValavala-MSFT commented 4 years ago

@codemaker Those metrics and logs are streamed to Azure Monitor when you have DDoS Standard as mentioned in the doc. The Basic Plan has no such metrics but will protect Azure Resources from common network-level attacks on its own.

You could still monitor your own services with metrics they each may provide for any anomalies that Azure DDoS may not consider an attack but are unusual for your application.

deepakkumpala commented 4 years ago

So the conclusion is adding external or internal mode will not help unless I apply a DDoS plan on the VNET. Just leaving APIM as it is, it will also be protected by the basic Microsoft protection layer.

PramodValavala-MSFT commented 4 years ago

@codemaker Yes. That is correct for DDoS.

PramodValavala-MSFT commented 4 years ago

@codemaker Just following up here... Hope my previous comment clears things up.

deepakkumpala commented 4 years ago

Yes, we can close the thread.

PramodValavala-MSFT commented 4 years ago

@codemaker Glad we could help!

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.