Microsoft Azure Architect Design (AZ-301) Practice Exam

Prepare for the Microsoft Azure Architect Design (AZ-301) Exam with interactive quizzes featuring flashcards and multiple-choice questions, each packed with hints and explanations to ace your certification test!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What should you recommend to protect an API deployed in Azure API Management from DDoS attacks?

  1. Create network security groups (NSGs)

  2. Enable quotas

  3. Enable rate limiting

  4. Strip the Powered-By header

The correct answer is: Enable rate limiting

The most effective way to protect an API deployed in Azure API Management from DDoS attacks is by enabling rate limiting. Rate limiting controls the number of requests that a client can make to an API within a specific time frame. By implementing this mechanism, you can mitigate the effects of DDoS attacks by ensuring that no single client can overwhelm the system with excessive requests, which helps maintain service availability for legitimate users.

Rate limiting contributes to the overall security posture by creating thresholds for how much traffic can be processed. When incoming requests exceed the predetermined limits, subsequent requests can be rejected or throttled, efficiently managing load and preventing server overload. This proactive approach ensures that your API can handle fluctuations in usage without degrading performance or becoming unresponsive.

While the other options have their own roles in security, they do not specifically address the direct mitigation of DDoS attacks in the context of API traffic management. For instance, network security groups (NSGs) primarily function at the network layer to restrict inbound and outbound traffic based on rules but do not inherently manage request rates. Similarly, enabling quotas applies limits on the total calls to an API over a given period, which can be useful but doesn't directly protect against DDoS volume—it's more focused on resource usage