
Enabling DDoS for Azure Virtual Networks

This post will explain what DDoS protection is offered in Azure and how to deploy Standard tier protection in a virtual network.




DDoS Protection

Distributed Denial of Service attacks have the potential to shut down a business. Often, we associate the term with hacktivists attacking high-profile companies or international espionage. However, businesses of all sizes are attacked this way. I’ve seen how a start-up tech business was attacked using a rented botnet and probably received a bribe request from the attacker to stop the flood of traffic.

DDoS protection systems are usually complex and specialized. Azure makes networking easy, and this is true of DDoS protection too. This was made generally available recently. Every virtual network has the Basic tier of DDoS protection enabled for free. Everyone gets it! Every resource connected to the virtual network is protected, with added protection if you also have a Web Application Firewall offering external protection. There is also a Standard tier, which is paid for:

  • A substantial charge for protecting up to 100 resources per month
  • An overage charge for each resource beyond the first 100 resources
  • A processing charge for each GB of data processed

The Standard tier adds the following functionality:

  • Dynamic protection policies that are managed by machine learning algorithms. Your normal traffic patterns are understood by the system and exceptions become subject to potential filtering.
  • Protection against the cost of scale-out. If Standard tier DDoS protection fails to mitigate an attack completely and your online services scale out in reaction to the increased load, Microsoft will protect you against that increased cost.
  • Monitoring data for DDoS attacks is visible in Azure Monitor.

Enabling DDoS Protection

The Basic tier of protection is enabled for you without any extra cost; it’s there automatically when you create a virtual network. The process of enabling Standard tier protection is pretty simple. It can be done when creating a virtual network or afterward. In the following example, I will show how to enable it afterward. The processes are almost identical.

Open the virtual network resource and click DDoS Protection under Settings. Here you can see the current tier of protection for the resources in the virtual network.

Viewing the DDoS protection level of an Azure virtual network [Image Credit: Aidan Finn]

You can start the switch to the higher level of protection by selecting Standard. The blade will update with a dropdown list box called DDoS Protection Plan. This resource type allows for management of the Standard tier of protection. If you have a DDoS Protection plan, you can select one or you can create one by clicking Create A DDoS Protection Plan. That’s what I will do here.

If you click Create A DDoS Protection Plan, a new browser tab will open, showing the Azure Portal with a blade to create the new resource. Enter the following information in this blade:

  • Name: A name for the new resource.
  • Subscription: Select the current subscription in your tenant.
  • Resource Group: Select or create a resource group to store the new DDoS protection plan resource.
  • Location: Select the appropriate Azure region.

Click Create and wait for the object to be readied by Azure.

Creating a new DDoS Protection Plan in Azure [Image Credit: Aidan Finn]

At the time of writing, there appeared to be a logic bug in how this process worked. The blade to create the protection plan opens in a new browser tab, and the blade to enable Standard tier DDoS protection doesn’t update to make the new plan selectable.

Back in the DDoS Protection blade, you’ll have to refresh the page to make the new protection plan selectable. Choose the Standard tier again, select the new protection plan, and then click Save. After a few moments, you will have the higher level of DDoS protection in your virtual network.
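
The same procedure scripted with the Azure CLI, as an added example that is not part of the original post. The resource group, virtual network, plan name and location are supplied by the caller, and the function names are this example's own. It creates the plan only if it is missing, associates it with the virtual network, and reads the setting back to confirm the change.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal steps above.
# All resource names are caller-supplied; none come from the article.

# Create the DDoS protection plan if it does not exist; print its resource ID.
ensure_ddos_plan() {
  local rg="$1" plan="$2" location="$3" id
  if ! id=$(az network ddos-protection show \
        --resource-group "$rg" --name "$plan" --query id -o tsv 2>/dev/null); then
    id=$(az network ddos-protection create \
        --resource-group "$rg" --name "$plan" --location "$location" \
        --query id -o tsv) || return 1
  fi
  printf '%s\n' "$id"
}

# Switch a virtual network to the Standard tier by associating the plan,
# then read the setting back so a silent failure is not taken for success.
enable_ddos_standard() {
  local rg="$1" vnet="$2" plan_id="$3" state
  az network vnet update --resource-group "$rg" --name "$vnet" \
     --ddos-protection true --ddos-protection-plan "$plan_id" \
     --output none || return 1
  state=$(az network vnet show --resource-group "$rg" --name "$vnet" \
     --query enableDdosProtection -o tsv) || return 1
  [ "$state" = "true" ]
}

# Usage: ./enable-ddos.sh <resource-group> <vnet> <plan-name> <location>
if [ "$#" -eq 4 ]; then
  plan_id=$(ensure_ddos_plan "$1" "$3" "$4") &&
    enable_ddos_standard "$1" "$2" "$plan_id" &&
    echo "Standard DDoS protection enabled on $2"
fi
```

Because the plan is billed as its own resource, reusing an existing plan through `ensure_ddos_plan` avoids creating a second chargeable plan by accident.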


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.