QuickStart: Create and configure Azure DDoS Network Protection using Azure CLI
Get started with Azure DDoS Network Protection by using Azure CLI.
A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.
In this QuickStart, you'll create a DDoS protection plan and link it to a virtual network.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
- Azure CLI installed locally or Azure Cloud Shell
Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.
To start Azure Cloud Shell:
| Option | Example/Link |
|---|---|
| Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. |  |
| Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. |  |
| Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. |  |
To use Azure Cloud Shell:
Start Cloud Shell.
Select the Copy button on a code block (or command block) to copy the code or command.
Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
Select Enter to run the code or command.
If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run az --version. If you need to install or upgrade, see Install the Azure CLI.
Create a DDoS Protection plan
In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.
To create a resource group, use az group create. In this example, we'll name our resource group MyResourceGroup and use the East US location:
az group create \
--name MyResourceGroup \
--location eastus
Now create a DDoS protection plan named MyDdosProtectionPlan:
az network ddos-protection create \
--resource-group MyResourceGroup \
--name MyDdosProtectionPlan
Enable DDoS protection for a virtual network
Enable DDoS protection for a new virtual network
You can enable DDoS protection when creating a virtual network. In this example, we'll name our virtual network MyVnet:
az network vnet create \
--resource-group MyResourceGroup \
--name MyVnet \
--location eastus \
--ddos-protection-plan MyDdosProtectionPlan \
--ddos-protection true
Note
You cannot move a virtual network to another resource group or subscription when DDoS Protection is enabled for the virtual network. If you need to move a virtual network with DDoS Protection enabled, disable DDoS Protection first, move the virtual network, and then enable DDoS Protection. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.
Enable DDoS protection for an existing virtual network
When creating a DDoS protection plan, you can associate one or more virtual networks to the plan. To add more than one virtual network, simply list the names or IDs, space-separated. In this example, we'll add MyVnet:
az group create \
--name MyResourceGroup \
--location eastus
az network ddos-protection create \
--resource-group MyResourceGroup \
--name MyDdosProtectionPlan
--vnets MyVnet
Alternatively, you can enable DDoS protection for a given virtual network:
az network vnet update \
--resource-group MyResourceGroup \
--name MyVnet \
--ddos-protection-plan MyDdosProtectionPlan \
--ddos-protection true
Disable DDoS protection for a virtual network
Update a given virtual network to disable DDoS protection:
az network vnet update \
--resource-group MyResourceGroup \
--name MyVnet \
--ddos-protection-plan MyDdosProtectionPlan \
--ddos-protection false
Validate and test
First, check the details of your DDoS protection plan:
az network ddos-protection show \
--resource-group MyResourceGroup \
--name MyDdosProtectionPlan
Verify that the command returns the correct details of your DDoS protection plan.
Clean up resources
You can keep your resources for the next tutorial. If no longer needed, delete the MyResourceGroup resource group. When you delete the resource group, you also delete the DDoS protection plan and all its related resources.
To delete the resource group use az group delete:
az group delete \
--name MyResourceGroup
Note
If you want to delete a DDoS protection plan, you must first dissociate all virtual networks from it.
Next steps
To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for