Enabling DDoS for Azure Virtual Networks

Security Hero
This post will explain what DDoS protection is offered in Azure and how to deploy Standard tier protection in a virtual network.


DDoS Protection

Distributed Denial of Service attacks have the potential to shut down a business. Often, we associate the term with hacktivists attacking high-profile companies or international espionage. However, businesses of all sizes are attacked this way. I’ve seen how a start-up tech business was attacked using a rented botnet and probably received a bribe request from the attacker to stop the flood of traffic.
DDoS protection systems are usually complex and specialized. Azure makes networking easy and this is true of DDoS protection. This was made generally available recently. Every virtual network has the Basic tier of DDoS protection enabled for free. Everyone gets it! Every resource connected to the virtual network is protected with added protection if you also have a Web Application Firewall offering external protection. There is also a Standard tier, which is paid for:

  • A substantial charge for protecting up to 100 resources per month
  • An overage charge for each resource beyond the first 100 resources
  • A processing charge for each GB of data processed

The Standard tier adds the following functionality:

  • Dynamic protection policies that are managed by machine learning algorithms. Your normal traffic patterns are understood by the system and exceptions become subject to potential filtering.
  • Protection against the cost of scale-out. If Standard tier DDoS protection fails to mitigate an attack completely and your online services scale-out in reaction to the increased load, Microsoft will protect you against that increased cost.
  • Monitoring data for DDoS attacks is visible in Azure Monitor.

Enabling DDoS Protection

The Basic tier of protection is enabled for you without any extra cost; it’s there automatically when you create a virtual network. The process of enabling Standard tier protection is pretty simple. It can be done when creating a virtual network or afterward. In the following example, I will show how to enable it afterward. The processes are almost identical.
Open the virtual network resource and click DDoS Protection under Settings. Here you can see the current tier of protection for the resources in the virtual network.

Viewing the DDoS protection level of an Azure virtual network [Image Credit: Aidan Finn]
Viewing the DDoS Protection Level of an Azure Virtual Network [Image Credit: Aidan Finn]
You can start the switch to the higher level of protection by selecting Standard. The blade will update with a dropdown list box called DDoS Protection Plan. This resource type allows for management of the Standard tier of protection. If you have a DDoS Protection plan, you can select one or you can create one by clicking Create A DDoS Protection Plan. That’s what I will do here.
A new browser tab will open in your browser if you click Create A DDoS Protection Plan, opening the Azure Portal with a blade to create the new resource. Enter the following information in this blade:

  • Name: A name for the new resource.
  • Subscription: Select the current subscription in your tenant.
  • Resource Group: Select or create a resource group to store the new DDoS protection plan resource.
  • Location: Select the appropriate Azure region.

Click Create and wait for the object to be readied by Azure.

Creating a new DDoS Protection Plan in Azure [Image Credit: Aidan Finn]
Creating a New DDoS Protection Plan in Azure [Image Credit: Aidan Finn]
At the time of writing, there appeared to be a logic bug in how this process worked. The blade to create the protection plan is created in a new browser tab and the blade to enable Standard tier DDoS protection doesn’t update to make the new plan selectable.
Back in the DDoS Protection blade, you’ll have to refresh the page to make the new protection plan selectable. Chose the Standard tier again, select the new protection plan, and then click Save. After a few moments, you will have the higher level of DDoS protection in your virtual network.