question

EnterpriseArchitect asked

Azure DDoS Standard deployment and configuration best practice?

How does the Azure DDoS Standard protection work?

Because it is quite expensive, how many do I require to secure:


  1. Public Facing Web Apps

  2. Web Application deployed behind the Azure AppGwV2-WAF

  3. Public facing Storage Account

  4. Any services with Public IP address.

I also have an ExpressRoute circuit to connect the Azure VNet to my on-premises network. Does this also get protected by DDoS Standard?

Tags: azure-virtual-network, azure-expressroute, azure-ddos-protection

1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @EnterpriseArchitect ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

DDoS Protection Standard is designed for services that are deployed in a virtual network. For other services, the default DDoS Protection Basic service applies. To learn more about supported architectures, see DDoS Protection reference architectures.

DDoS protection plans have a fixed monthly charge of $2,944 per month which covers up to 100 public IP addresses. Protection for additional resources will cost an additional $30 per resource per month.

Under a tenant, a single DDoS protection plan can be used across multiple subscriptions, so there is no need to create more than one DDoS protection plan.
When Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the lower non-WAF rate. This applies to both Application Gateway v1 and v2 SKUs.

Refer: https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-
https://azure.microsoft.com/en-gb/pricing/details/ddos-protection/

  • Public facing Web Apps are protected by DDoS Standard.

  • When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF).

  • Public facing Storage Accounts are not deployed in a VNet, so they are not covered under DDoS Standard, but the default DDoS Protection Basic service applies.

  • Any services with a Public IP address: In the context of Azure DDoS Protection, a resource is a public IP attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Service Fabric or an IaaS based Network Virtual Appliance (NVA). Additional protected resources may be added in the future.

  • ExpressRoute circuit: Not covered under DDoS Standard, but the ExpressRoute gateway deployed in your VNet is covered by DDoS Standard.

DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the thresholds, the mitigation is stopped.

It is automatically tuned to help protect your specific Azure resources in a virtual network. It automatically learns per-customer (per public IP) traffic patterns for Layers 3 and 4. DDoS Protection Standard applies three autotuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource, in the virtual network that has DDoS enabled.
Refer to Azure DDoS Protection Standard features for more information:
https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-standard-features

Fundamental best practices guidance to build DDoS-resilient services on Azure:
https://docs.microsoft.com/en-us/azure/ddos-protection/fundamental-best-practices

Learn how your services will respond to an attack by testing through simulations.
https://docs.microsoft.com/en-us/azure/ddos-protection/test-through-simulations

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



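As an added illustration (not from the answer above and not Microsoft's implementation), a small Python model of the per-public-IP behaviour the answer describes: three policies (TCP SYN, TCP, UDP) per public IP, mitigation starting when a traffic sample exceeds the policy threshold and stopping when traffic returns below it. The thresholds and telemetry are constructed values standing in for what Azure would learn per IP.

```python
from dataclasses import dataclass, field

# The three autotuned mitigation policies named in the answer.
POLICIES = ("tcp_syn", "tcp", "udp")


@dataclass
class IpPolicy:
    """Per-public-IP thresholds (packets/sec) and the policies currently mitigating."""
    public_ip: str
    thresholds: dict
    active: set = field(default_factory=set)


def evaluate(policy, sample):
    """Compare one traffic sample {policy: pps} against this IP's thresholds.
    Returns (public_ip, policy, event) tuples for every state change only."""
    events = []
    for name in POLICIES:
        rate = sample.get(name, 0)
        if rate > policy.thresholds[name] and name not in policy.active:
            policy.active.add(name)           # threshold exceeded: start mitigating
            events.append((policy.public_ip, name, "mitigation_started"))
        elif rate <= policy.thresholds[name] and name in policy.active:
            policy.active.discard(name)       # back under threshold: stop mitigating
            events.append((policy.public_ip, name, "mitigation_stopped"))
    return events


def run(policies, samples):
    """Feed time-ordered (public_ip, sample) telemetry through the per-IP policies."""
    by_ip = {p.public_ip: p for p in policies}
    events = []
    for ip, sample in samples:
        events.extend(evaluate(by_ip[ip], sample))
    return events


def demo():
    # Constructed example: an Application Gateway front end and a VM public IP.
    policies = [
        IpPolicy("20.0.0.10", {"tcp_syn": 10_000, "tcp": 100_000, "udp": 50_000}),
        IpPolicy("20.0.0.11", {"tcp_syn": 2_000, "tcp": 20_000, "udp": 5_000}),
    ]
    samples = [  # constructed telemetry in time order
        ("20.0.0.10", {"tcp_syn": 500, "tcp": 8_000, "udp": 200}),       # baseline
        ("20.0.0.10", {"tcp_syn": 90_000, "tcp": 120_000, "udp": 300}),  # SYN flood
        ("20.0.0.11", {"tcp_syn": 100, "tcp": 3_000, "udp": 40_000}),    # UDP flood on VM
        ("20.0.0.10", {"tcp_syn": 600, "tcp": 9_000, "udp": 250}),       # flood subsides
    ]
    return run(policies, samples)


if __name__ == "__main__":
    for event in demo():
        print(*event)
```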

Hi @GitaraniSharmaMSFT-4262, so in this case, will any other internet-facing services with a public IP address be prone to DDoS, as they are not covered by Azure DDoS Basic?

Hello @EnterpriseArchitect ,

As I mentioned earlier, DDoS Protection Standard is designed for services that are deployed in a virtual network.
For other services (such as PaaS services not deployed in VNets - Storage, DNS etc.), the default DDoS Protection Basic service applies and they are protected from any DDoS attacks.

Hence, the services not covered under DDoS Standard are covered & protected by DDoS Basic.

Thanks,
Gita

EnterpriseArchitect commented:

Wow, that's great, thank you @GitaraniSharmaMSFT-4262