Last Update: Sep 04, 2024 | Published: May 03, 2018
This post will explain what DDoS protection is offered in Azure and how to deploy Standard tier protection in a virtual network.
Distributed Denial of Service attacks have the potential to shut down a business. Often, we associate the term with hacktivists attacking high-profile companies or international espionage. However, businesses of all sizes are attacked this way. I’ve seen how a start-up tech business was attacked using a rented botnet and probably received a bribe request from the attacker to stop the flood of traffic.
DDoS protection systems are usually complex and specialized. Azure makes networking easy, and this is true of DDoS protection, which was made generally available recently. Every virtual network has the Basic tier of DDoS protection enabled for free. Everyone gets it! Every resource connected to the virtual network is protected, with added protection if you also have a Web Application Firewall offering external protection. There is also a Standard tier, which is paid for:
The Standard tier adds the following functionality:
The Basic tier of protection is enabled for you without any extra cost; it’s there automatically when you create a virtual network. The process of enabling Standard tier protection is pretty simple. It can be done when creating a virtual network or afterward. In the following example, I will show how to enable it afterward. The processes are almost identical.
Open the virtual network resource and click DDoS Protection under Settings. Here you can see the current tier of protection for the resources in the virtual network.
You can start the switch to the higher level of protection by selecting Standard. The blade will update with a dropdown list box called DDoS Protection Plan. This resource type allows for management of the Standard tier of protection. If you already have a DDoS protection plan, you can select it; otherwise, you can create one by clicking Create A DDoS Protection Plan. That’s what I will do here.
Clicking Create A DDoS Protection Plan opens a new browser tab showing the Azure Portal with a blade to create the new resource. Enter the following information in this blade:
Click Create and wait for the object to be readied by Azure.
At the time of writing, there appeared to be a logic bug in how this process worked. The blade to create the protection plan is created in a new browser tab and the blade to enable Standard tier DDoS protection doesn’t update to make the new plan selectable.
Back in the DDoS Protection blade, you’ll have to refresh the page to make the new protection plan selectable. Choose the Standard tier again, select the new protection plan, and then click Save. After a few moments, you will have the higher level of DDoS protection in your virtual network.
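The same change can be scripted instead of clicked through. The following is an added example, not part of the original post: it uses the Az PowerShell module to create or reuse a protection plan, attach it to an existing virtual network, and then confirm the result. It assumes the Az.Network module is installed and you are signed in with Connect-AzAccount; every resource name and the region are placeholders.

```powershell
# Added example. All names below are placeholders, not values from the post.
$rgName   = 'rg-network-example'   # placeholder resource group
$vnetName = 'vnet-example'         # placeholder existing virtual network
$planName = 'ddos-plan-example'    # placeholder DDoS protection plan
$location = 'westeurope'           # placeholder region

# Reuse the protection plan if it already exists; otherwise create it.
$plan = Get-AzDdosProtectionPlan -ResourceGroupName $rgName -Name $planName `
            -ErrorAction SilentlyContinue
if (-not $plan) {
    $plan = New-AzDdosProtectionPlan -ResourceGroupName $rgName `
                -Name $planName -Location $location
}

# Fetch the current virtual network object and point it at the plan.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
if (-not $vnet.DdosProtectionPlan) {
    $vnet.DdosProtectionPlan =
        New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
}
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# Re-read the virtual network from Azure and fail loudly if the change
# did not take effect, rather than trusting the local object.
$check = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
[pscustomobject]@{
    VirtualNetwork = $check.Name
    DdosEnabled    = $check.EnableDdosProtection
    PlanId         = $check.DdosProtectionPlan.Id
}
if (-not $check.EnableDdosProtection -or
    $check.DdosProtectionPlan.Id -ne $plan.Id) {
    throw "DDoS protection plan is not attached to $vnetName"
}

# Audit: list virtual networks in the current subscription that are
# not associated with any DDoS protection plan.
Get-AzVirtualNetwork |
    Where-Object { -not $_.EnableDdosProtection } |
    Select-Object Name, ResourceGroupName, Location
```

Because the script reads the plan back from Azure before attaching it, it does not depend on a portal blade refreshing to show the new plan.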