Azure DDoS Protection: Defend Against Attacks
Azure DDoS Protection defends public IP addresses in Azure virtual networks against distributed denial-of-service attacks at layers 3 and 4: always-on traffic monitoring, automatic mitigation once a resource's traffic crosses its tuned threshold, and attack analytics (metrics, alerts, logs and post-attack reports).
Protection Tiers
| Feature | Basic (Free) | Standard |
|---|---|---|
| Protection | L3/L4, platform-wide thresholds | L3/L4, per-resource adaptive tuning |
| Automatic mitigation | ✓ (protects the Azure platform, not tuned to your application) | ✓ |
| Attack metrics | ✗ | ✓ |
| Attack alerts | ✗ | ✓ |
| Post-attack reports | ✗ | ✓ |
| Cost guarantee | ✗ | ✓ |
| Rapid Response | ✗ | ✓ |
Microsoft has since renamed the tiers: Basic is now "DDoS Infrastructure Protection" and Standard is "DDoS Network Protection"; the CLI commands below are unchanged.
Enable DDoS Protection Standard
# Create DDoS protection plan
az network ddos-protection create \
--name my-ddos-plan \
--resource-group myRG \
--location eastus
# Associate with VNet
az network vnet update \
--name myVNet \
--resource-group myRG \
--ddos-protection-plan /subscriptions/.../ddosProtectionPlans/my-ddos-plan \
--ddos-protection true
Protection Scope
DDoS Protection Standard is enabled per virtual network and covers every public IP address attached to resources in that VNet, including:
- Public IP addresses on virtual machine NICs
- Load balancers
- Application gateways
- Azure Firewall
- VPN gateways
Public IPs of multi-tenant PaaS services (App Service, Storage and the like) are not in scope, because they are not deployed into your VNet. One plan can be shared by VNets across subscriptions in the same tenant and includes 100 protected public IP resources; additional resources are billed per IP.
Attack Types Mitigated
| Attack Type | Description |
|---|---|
| Volumetric | Flood bandwidth (UDP, ICMP, amplification floods) |
| Protocol | Exploit L3/L4 weaknesses (SYN flood, fragmented packets) |
| Application | Target L7 (HTTP floods). Out of scope for DDoS Protection, which mitigates only L3/L4; put Application Gateway WAF (or another L7 WAF) in front of web workloads |
Monitoring and Alerts
# Create alert rule on the public IP metric IfUnderDDoSAttack (0 or 1).
# The metric is binary, so aggregate with max: a single 1-minute sample fires the alert.
az monitor metrics alert create \
--name "ddos-attack-alert" \
--resource-group myRG \
--scopes /subscriptions/.../publicIPAddresses/my-pip \
--condition "max IfUnderDDoSAttack > 0" \
--window-size 5m \
--evaluation-frequency 1m \
--action /subscriptions/.../actionGroups/security-team \
--description "DDoS attack detected"
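To see what the window size, evaluation frequency and aggregation above actually mean for a binary metric, here is an offline model of Azure Monitor's metric-alert evaluation (an added example, not Microsoft's code). It assumes Azure Monitor's documented behaviour: evaluate every `frequency` minutes over the trailing `window` minutes, enter the Fired state when the aggregated value crosses the threshold, and auto-resolve after the condition has not been met for three consecutive evaluations. The metric series is constructed.

```python
"""Offline model of a metric alert rule over IfUnderDDoSAttack samples.

Added example; the alert semantics (trailing window, per-frequency evaluation,
auto-resolve after 3 consecutive misses) follow Azure Monitor's documented
behaviour, and the sample series below is constructed, not a real capture.
"""

# Constructed 1-minute samples of IfUnderDDoSAttack for one public IP:
# 0 = not under attack, 1 = mitigation active. Minutes 6-9 are the attack.
SAMPLES = {minute: (1 if 6 <= minute <= 9 else 0) for minute in range(20)}

# A single 1-minute burst, to show why the aggregation choice matters.
BURST = {minute: (1 if minute == 6 else 0) for minute in range(20)}

AGGREGATIONS = {
    "max": max,
    "min": min,
    "avg": lambda values: sum(values) / len(values),
}


def window_values(samples, end_minute, window):
    """Samples inside the trailing window (end_minute - window, end_minute]."""
    return [v for m, v in samples.items() if end_minute - window < m <= end_minute]


def evaluate_alert(samples, *, window=5, frequency=1, aggregation="max",
                   threshold=0.0, resolve_after=3):
    """Return (minutes at which the rule is in the Fired state, minute it auto-resolved).

    resolved_at is None if the alert never fired or is still firing at the end
    of the series.
    """
    aggregate = AGGREGATIONS[aggregation]
    fired, resolved_at = [], None
    state, misses = "ok", 0
    for minute in range(0, max(samples) + 1, frequency):
        values = window_values(samples, minute, window)
        if not values:
            continue
        if aggregate(values) > threshold:
            state, misses = "fired", 0          # condition met: (re)enter Fired
        elif state == "fired":
            misses += 1
            if misses >= resolve_after:        # 3 consecutive misses -> Resolved
                state, misses = "ok", 0
                resolved_at = minute
        if state == "fired":
            fired.append(minute)
    return fired, resolved_at


if __name__ == "__main__":
    # 4-minute attack, 5m window, max > 0: Fired for minutes 6-15, resolved at 16.
    print("max > 0   :", evaluate_alert(SAMPLES))
    # avg > 0.5 trims the start and end of the same attack ...
    print("avg > 0.5 :", evaluate_alert(SAMPLES, aggregation="avg", threshold=0.5))
    # ... and never fires for a 1-minute burst, which max > 0 still catches.
    print("burst avg :", evaluate_alert(BURST, aggregation="avg", threshold=0.5))
    print("burst max :", evaluate_alert(BURST))
```

The model shows two things worth knowing before you tune the rule: a 4-minute mitigation shows up as roughly a 10-minute alert (the 5-minute window keeps the condition true for 4 extra evaluations, then three clean evaluations are needed to resolve), and an average-based threshold above zero silently drops short mitigations, so for IfUnderDDoSAttack use max (or avg > 0) and put any "how bad" logic on PacketsDroppedDDoS instead.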
DDoS Metrics
// Query DDoS metrics (requires the public IP's AllMetrics category to be routed
// to the workspace; see the diagnostic settings below)
AzureMetrics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where MetricName in ("IfUnderDDoSAttack", "PacketsDroppedDDoS", "PacketsForwardedDDoS")
| project TimeGenerated, Resource, MetricName, Average, Maximum
| render timechart
Diagnostic Logs
# Enable diagnostic settings on the public IP: the three DDoS log categories plus
# platform metrics, so the AzureMetrics queries above have data to return
az monitor diagnostic-settings create \
--name ddos-diagnostics \
--resource /subscriptions/.../publicIPAddresses/my-pip \
--logs '[{
"category": "DDoSProtectionNotifications",
"enabled": true
},{
"category": "DDoSMitigationFlowLogs",
"enabled": true
},{
"category": "DDoSMitigationReports",
"enabled": true
}]' \
--metrics '[{
"category": "AllMetrics",
"enabled": true
}]' \
--workspace /subscriptions/.../workspaces/security-logs
Analyze Attack
// DDoS notification logs: one record when mitigation starts and one when it stops
AzureDiagnostics
| where Category == "DDoSProtectionNotifications"
| project TimeGenerated, Resource, Message
| order by TimeGenerated asc
// Mitigation flow logs: sampled flows seen during mitigation (source/destination,
// port, protocol and the action taken), here counted per 5-minute bin
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"
| summarize Flows = count() by bin(TimeGenerated, 5m), Resource
| render timechart
// Mitigation reports: attack vectors and traffic dropped/forwarded, written every
// 5 minutes during mitigation and once more when it ends
AzureDiagnostics
| where Category == "DDoSMitigationReports"
| order by TimeGenerated desc
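When the logs are exported to storage or an event hub instead of Log Analytics, you end up with newline-delimited JSON and no KQL. The following script is an added example (not Microsoft's code) that reconstructs mitigation windows from the notification records, flags log gaps, and counts the sampled flow records that fall inside each window. The records are constructed, and the property names inside `properties` (`PublicIpAddress`, `Type`, `DestPublicIpAddress`, `Protocol`, `Action`, ...) are assumptions for the example; map them onto the columns you actually see in your export.

```python
"""Correlate exported DDoS diagnostic log records (added example, not Azure code).

The records follow the generic diagnostic-log envelope (time / category /
properties). The property names are ASSUMED for this example; adjust them to
match your export. All records below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

RAW_EXPORT = """\
{"time":"2024-05-01T09:00:00Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.30","Type":"MitigationStopped","Message":"Mitigation stopped"}}
{"time":"2024-05-01T10:00:00Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.10","Type":"MitigationStarted","Message":"Mitigation started"}}
{"time":"2024-05-01T10:01:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"198.51.100.7","Protocol":"UDP","DestPort":53,"Action":"Dropped"}}
{"time":"2024-05-01T10:01:05Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"198.51.100.8","Protocol":"UDP","DestPort":53,"Action":"Dropped"}}
{"time":"2024-05-01T10:02:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"192.0.2.44","Protocol":"TCP","DestPort":443,"Action":"Forwarded"}}
{"time":"2024-05-01T10:03:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"198.51.100.9","Protocol":"TCP","DestPort":443,"Action":"Dropped"}}
{"time":"2024-05-01T10:04:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"198.51.100.10","Protocol":"UDP","DestPort":123,"Action":"Dropped"}}
{"time":"2024-05-01T10:05:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"192.0.2.45","Protocol":"TCP","DestPort":443,"Action":"Forwarded"}}
{"time":"2024-05-01T10:07:30Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.10","Type":"MitigationStopped","Message":"Mitigation stopped"}}
{"time":"2024-05-01T10:30:00Z","category":"DDoSMitigationFlowLogs","properties":{"DestPublicIpAddress":"203.0.113.10","SourcePublicIpAddress":"192.0.2.46","Protocol":"TCP","DestPort":443,"Action":"Forwarded"}}
{"time":"2024-05-01T11:00:00Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.10","Type":"MitigationStarted","Message":"Mitigation started"}}
{"time":"2024-05-01T11:02:00Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.10","Type":"MitigationStopped","Message":"Mitigation stopped"}}
{"time":"2024-05-01T11:30:00Z","category":"DDoSProtectionNotifications","properties":{"PublicIpAddress":"203.0.113.20","Type":"MitigationStarted","Message":"Mitigation started"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON and sort by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def mitigation_windows(records):
    """Pair MitigationStarted/MitigationStopped per public IP.

    Returns ({ip: [(start, stop_or_None), ...]}, [anomaly descriptions]).
    A stop with no matching start usually means the export has a gap; a start
    with no stop means the IP is still under mitigation.
    """
    windows, open_start, anomalies = defaultdict(list), {}, []
    for rec in records:
        if rec["category"] != "DDoSProtectionNotifications":
            continue
        ip, kind = rec["properties"]["PublicIpAddress"], rec["properties"]["Type"]
        if kind == "MitigationStarted":
            if ip in open_start:
                anomalies.append(f"{ip}: second start at {rec['ts'].isoformat()} before a stop")
            open_start[ip] = rec["ts"]
        elif kind == "MitigationStopped":
            start = open_start.pop(ip, None)
            if start is None:
                anomalies.append(f"{ip}: stop at {rec['ts'].isoformat()} with no start (log gap?)")
            else:
                windows[ip].append((start, rec["ts"]))
    for ip, start in open_start.items():
        windows[ip].append((start, None))      # still mitigating at end of export
    return dict(windows), anomalies


def flow_summary(records, windows):
    """Count sampled flow records inside a mitigation window, by (dest IP, protocol)."""
    counts = defaultdict(lambda: {"Dropped": 0, "Forwarded": 0})
    for rec in records:
        if rec["category"] != "DDoSMitigationFlowLogs":
            continue
        p = rec["properties"]
        ip = p["DestPublicIpAddress"]
        if any(start <= rec["ts"] and (stop is None or rec["ts"] <= stop)
               for start, stop in windows.get(ip, [])):
            counts[(ip, p["Protocol"])][p["Action"]] += 1
    return dict(counts)


def durations_seconds(windows):
    """Mitigation length per window; None for a mitigation that has not stopped."""
    return {ip: [None if stop is None else int((stop - start).total_seconds())
                 for start, stop in spans]
            for ip, spans in windows.items()}


if __name__ == "__main__":
    recs = parse_records(RAW_EXPORT)
    wins, problems = mitigation_windows(recs)
    print("durations (s):", durations_seconds(wins))
    print("flows:", flow_summary(recs, wins))
    print("anomalies:", problems)
```

Flow records outside a mitigation window (the 10:30 TCP flow in the sample) are deliberately excluded, so the dropped/forwarded ratio describes the attack rather than normal traffic, and the open window for 203.0.113.20 is exactly the case that should page someone rather than wait for the post-attack report.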
DDoS Rapid Response
For Standard tier customers during an active attack (DRR is engaged while the attack is in progress, not after the fact):
- Open a support request with Severity A, service "DDoS protection", problem type "Under attack"
- The DDoS Rapid Response team engages
- Custom mitigation rules are applied for the affected resources
- Attack analysis is provided once mitigation completes
Cost Protection
During a DDoS attack, you may incur:
- Bandwidth (data transfer) overage
- Scale-out costs for autoscaled application resources
DDoS Protection Standard provides service credits for data transfer and application scale-out costs incurred as a result of a documented attack; the claim is filed through Azure support with the attack reports as evidence.
Best Practices
- Enable Standard on every VNet that hosts internet-facing production public IPs
- Configure alerts on IfUnderDDoSAttack, with PacketsDroppedDDoS for severity
- Enable diagnostic logging (and the AllMetrics category) before you need it
- Review post-attack mitigation reports and validate the setup with an approved simulation partner
- Use Application Gateway WAF for L7; DDoS Protection stops at L3/L4
Azure DDoS Protection: resilience against the largest attacks.