You plan to deploy an API by using Azure API Management. You need to recommend a solution to protect the API from a distributed denial of service (DDoS) attack. What should you recommend?
Rate limit should be correct! A rate limiting solution measures the amount of time between each request from each IP address, and also measures the number of requests within a specified timeframe. If there are too many requests from a single IP within the given timeframe, the rate limiting solution will not fulfill the IP address's requests for a certain amount of time.
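The per-IP behaviour described in the comment above, as an added example that is not part of the original post and is not how Azure API Management implements throttling: a sliding-window limiter in Python with a block period. The class name, limits and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding-window limiter keyed by client IP, with a block period."""

    def __init__(self, max_calls, window_s, block_s):
        self.max_calls = max_calls
        self.window_s = window_s
        self.block_s = block_s
        self.hits = defaultdict(deque)   # ip -> timestamps of accepted calls
        self.blocked_until = {}          # ip -> time the block expires
        self.rejected = 0                # requests received but not served

    def allow(self, ip, now):
        # An IP inside its block period is refused without touching the window.
        if now < self.blocked_until.get(ip, 0.0):
            self.rejected += 1
            return False
        window = self.hits[ip]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_s:
            window.popleft()
        if len(window) >= self.max_calls:
            # Too many calls in the window: start a block period for this IP.
            self.blocked_until[ip] = now + self.block_s
            self.rejected += 1
            return False
        window.append(now)
        return True


def replay(limiter, requests):
    """Feed (timestamp, ip) pairs through the limiter; count served calls per IP."""
    served = defaultdict(int)
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            served[ip] += 1
    return dict(served)


# Constructed traffic: one client sends 100 calls in 10 s, another sends 5.
NOISY, QUIET = "203.0.113.10", "198.51.100.7"
SAMPLE = [(i * 0.1, NOISY) for i in range(100)] + [(i * 2.0, QUIET) for i in range(5)]

if __name__ == "__main__":
    limiter = PerIpRateLimiter(max_calls=10, window_s=60, block_s=30)
    print(replay(limiter, SAMPLE), "rejected:", limiter.rejected)
```

The `rejected` counter records calls that were refused but still arrived at the limiter, which is the concern other comments in this thread raise about traffic reaching the gateway.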
Rate limit will not solve the DDoS attack because the genuine requests will be lost if rate limit is implemented. It needs to be handled before the request reaches APIM, which is NSG.
https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices
Defense in depth
... Network security groups (NSGs) are another way to reduce the attack surface. You can use service tags and application security groups to minimize complexity for creating security rules and configuring network security, as a natural extension of an application’s structure.
I think A. NSGs is the correct answer. It prevents DDoS from the boundary. Enabling rate limiting may reject the request, but the attack traffic has already hit the inside of Azure.
As of today, the best answer would be “Enable Azure DDoS Protection Standard on the Vnet associated with your API Management deployment to protect from distributed denial of service (DDoS) attacks.” From https://docs.microsoft.com/en-us/azure/api-management/security-baseline.
But as this is not in the answers, I guess rate limit is the best choice. It has more options to control DDoS attacks in a world open scenario where legitimate requests can come from everywhere https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling
The DDoS protection is in the VNet "DDoS Protection" with 2 options.
NSG doesn't protect against DDoS: https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
Answer is correct; the Azure documentation says about rate limit: "you may want to limit a number of calls the API is called so it is not overused by developers"
Agree with A answer.
You can reduce the surface area by using whitelisting to close down the exposed IP address space and listening ports that are not needed on the load balancers (Azure Load Balancer and Azure Application Gateway). Network security groups (NSGs) are another way to reduce the attack surface.
I think that the correct answer is A. BTW, DDoS protection is available by default for any VNet, as per: https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#enable-ddos-for-a-new-virtual-network
A says NSG. NSG isn't VNet. The answer makes sense: https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling