I can't see in the portal where to enable this for my azure app service? I can see at the vnet level the option is there... but that will give me "Azure DDoS Network Protection" which is thousands of dollars per month.
I just want to enable for the IP address of the Azure App Service (the rest api)
Azure App Service does not offer this capability natively. You need to use another service (App Gateway, Load Balancer with public IP, Front door) that supports DDOS and put it in front of your App Service.