You have an open-facing Azure API Gateway that can be consumed by anyone and you want to protect yourself from the API being spammed by the same IP or the same individual behind multiple IPs.
There are policies one can configure within API Management to:
- Limit call rate by subscription
- Limit call rate by key
- Set usage quota by subscription
- Set usage quota by key
- Restrict caller IPs
Setting limits by subscription (specific consumers) or key (specific apps) wouldn't work because your API is open to the public. Even if you had a key required from auth, this doesn't stop a user from spamming the gateway with an unauthorized key. The last option of restricting caller IPs one-by-one doesn't prevent the issue from happening in the first place.
How do you protect against the same user (IP) repeatedly crushing your rate or quota limits? Additionally, how would you protect against that same user doing this across multiple IPs?
My guess is that this is likely covered in Azure's DDoS Protection Basic but I felt that I couldn't get a concrete answer out of those docs.
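For reference on the "limit call rate by key" option the post lists: the API Management `rate-limit-by-key` and `quota-by-key` policies take a `counter-key` expression, and that expression can be the caller's address rather than a subscription or app key. The policy below is an added example, not from the post's author or from Microsoft's docs; the limits (20 calls per 60 seconds, 1000 calls per day) are constructed sample values.

```xml
<policies>
  <inbound>
    <base />
    <!-- Added example. Counts calls per client IP address
         (context.Request.IpAddress) instead of per subscription or key.
         20 calls per 60 s is a constructed sample limit. -->
    <rate-limit-by-key calls="20"
                       renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
    <!-- Longer-window quota on the same key: 1000 calls per 86400 s (one day),
         also a constructed sample value. -->
    <quota-by-key calls="1000"
                  renewal-period="86400"
                  counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

A caller that exceeds the rate limit gets a 429 response from the gateway rather than reaching the backend. Two caveats when applying this: if a reverse proxy or WAF sits in front of API Management, `context.Request.IpAddress` will be the proxy's address, so the counter key needs to be taken from the forwarded-client header that proxy sets instead; and because the key is the source address, this still only throttles per IP, so the post's second question (one person behind many IPs) needs a counter key tied to something other than the address, such as an authenticated identity.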