Microsoft Azure Architect Design (AZ-304) Practice Test

Prepare for the Microsoft Azure Architect Design (AZ-304) Exam with comprehensive quiz questions designed to enhance your understanding and confidence. Master essential Azure concepts and strategies to excel on your test day!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What is the recommended solution to protect an API from a distributed denial of service (DDoS) attack when using Azure API Management?

  1. Create network security groups (NSGs)

  2. Enable quotas

  3. Enable rate limiting

  4. Strip the Powered-By header

The correct answer is: Enable rate limiting

Enabling rate limiting is a highly effective way to protect an API from distributed denial of service (DDoS) attacks in Azure API Management. Rate limiting allows you to control the number of requests that a client can make to the API over a specified period. By restricting how many requests a user or client can send, you can significantly reduce the impact of a DDoS attack, as it prevents a single malicious actor from overwhelming the service with an excessive number of requests.

In the context of Azure API Management, rate limiting helps maintain the availability and performance of the API by controlling traffic and ensuring that legitimate users can still access the service, despite the malicious flood of requests. By setting appropriate limits, you can balance server load and resource consumption, which contributes to the overall resilience of your API against abusive traffic patterns.

The other methods, while having their own uses in security and resource management, do not directly address the challenge of mitigating DDoS attacks in the way that rate limiting does. For instance, quotas can help manage resource usage but are typically used for controlling the total amount of usage over a longer time frame rather than stopping an immediate flood of requests. Network security groups (NSGs) are designed for controlling traffic at the network level but wouldn't