Azure Preview for DDoS Protection

Paul Thurrott's Short Takes: April 17, 2015
In this post, I will discuss a new preview release in Azure that offers us a protection service against distributed denial of service (DDoS) attacks.

DDoS Attacks

One of the top concerns of companies with online services is becoming the target of a DDoS attack. Whether this is a ransom attack or a motivated one (sabotage, competition, politics, ideology), a DDoS attack can shut down the online presence of a business. It can also bring that business to its knees if that online service is the main way of generating revenue.
DDoS attacks are normally conducted by an army of bots, which are all managed by a central (probably compromised) server on the Internet. The bots are PCs and servers all around the world that have been taken over via a trojan downloader. Some bot networks (botnets) are maintained privately and some are available to rent – I presume with Bitcoins or with a credit card that you’ve stolen!
Don’t make the mistake of thinking that DDoS victims are just political parties, TV networks, or large corporations. Just like with the many cyrpto-locker clones out there, DDoS attacks can be used to force a ransom out of a victim. Who is more likely to have no defense and be forced to pay? Will it be a large enterprise with lots of security facilities and IT budget or a small-medium business with little/no security facilities and IT budget? I have only witnessed a DDoS attack once. It targeted a small start-up company that was selling its services via an online service. Just like with most IT crime, we only ever hear of the big fish getting caught but plenty of small ones are hooked on a regular basis.

Azure and DDoS Protection

Azure has had a DDoS protection service, which today is called Azure DDoS Protection Service Basic. This Basic SKU offers, at no cost and defending you by default, monitoring. It is for layers 3 and 4 (L3 and L4) protection around the world and optional layer-7 (L7) protection in the web application firewall. This is an optional feature of the web application gateway.

A restricted access preview has started for a new SKU of Azure DDoS Protection Service. The Standard SKU will extend this monitoring and protection to include policy tuning, logging/alerting, and greater overall protection.

Azure’s DDoS Protection Service offerings [Image Credit: Microsoft]
Azure’s DDoS Protection Service Offerings [Image Credit: Microsoft]


The key feature of Azure’s DDoS protection is the simplicity of deployment. The Basic SKU is built into the fabric of Azure’s network and is just there, all of the time. The Standard SKU has a one-click enablement. You can enable DDoS protection when creating a new virtual network and you can also turn it on with the same one-click with an existing virtual network.

Enabling DDoS protection when creating a new virtual network [Image Credit: Aidan Finn]
Enabling DDoS Protection when Creating a New Virtual Network [Image Credit: Aidan Finn]


My fear of advanced security solutions in the past is that they required a huge amount of knowledge and skill to deploy and configure them in a manner that both protects the business but doesn’t break the functionality that enables business.
Azure’s DDoS Protection uses Machine Learning-based adaptive tuning to understand your resources, the configurations, and the patterns of traffic. When unusual patterns occur, DDoS protection will enforce automatically defined protection limits and preserve the health of your resources.

Web Application Firewall

If you are operating web-based services, then you should consider deploying the web application gateway (WAG) with the optional web application firewall (WAF). The WAG offers numerous L7 performance enhancements for load balanced web apps and the WAF adds L7 security to the L4 security that you get from network security groups (NSGs).
The WAG will also add some DDoS protection against:

  • Request rate-limiting
  • HTTP Protocol Violations
  • HTTP Protocol Anomalies
  • SQL Injection
  • Cross-site scripting


The telemetry of Azure’s DDoS protection is surfaced by Azure Monitor. This is free (effectively, because the cost of retaining logs in blob storage is normally lower than the cost of a stamp for the bill!) metric monitoring and alerting system in the Azure Portal. You can export this data to Azure Log Analytics (OMS) and to other ITSM tools, such as Splunk, via Event Hubs.
I have not been a victim of a DDoS attack recently (phew!), so I have used a screenshot from Microsoft to illustrate how telemetry will look.

Using Azure Monitor to view DDoS protection telemetry [Image Credit: Microsoft]
Using Azure Monitor to View DDoS Protection Telemetry [Image Credit: Microsoft]

How Much Is it And How Do I Get Started?

Today, everyone with virtual networking is using the Basic SKU of Azure DDoS protection for free and that will not change.
The Standard SKU is in a limited access preview today, including the East U.S., West U.S., and West Central U.S. regions. The Azure networking teams typically fast-track global deployment of new features at or soon after general availability.
The opt-in Standard SKU will have a cost but we don’t know what that is yet. One worry with a DDoS protection system is that you get hit by a massive attack and you will get a huge bill in from Microsoft. Microsoft states:
When the DDoS Protection services goes GA, Cost Protection will provide resource credits for scale-out during a documented attack.500.


Who doesn’t like having more security? You might bemoan that it’s going to have a cost but that will likely be a micro-cost. You might not like that it auto-tunes. I bet it will do a better job than 99.9 percent of customers. I suspect that I will be recommending the Standard SKU for my customers (and my own deployment) as soon as it is available in the regions that we deploy in.

The only thing that is missing (but I could be wrong) is integration with Security Center. That will probably be silently added at a later time if Microsoft has not already done so.