Configure an Azure DDoS Protection Plan using Azure Firewall Manager

Azure Firewall Manager is a platform to manage and protect your network resources at scale. You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager.

Tip

DDoS Protection currently does not support virtual WANs. However, you can work around this limitation by force tunneling Internet traffic to an Azure Firewall in a virtual network that has a DDoS Protection Plan associated with it.

Under a single tenant, DDoS protection plans can be applied to virtual networks across multiple subscriptions. For more information about DDoS protection plans, see Azure DDoS Protection overview.

To see how this works, you'll create a firewall policy and a virtual network secured with an Azure Firewall. Then you'll create a DDoS Protection Plan and associate it with the virtual network.

Create a firewall policy

Use Firewall Manager to create a firewall policy.

  1. From the Azure portal, open Firewall Manager.
  2. Select Azure Firewall Policies.
  3. Select Create Azure Firewall Policy.
  4. For Resource group, select DDoS-Test-rg.
  5. Under Policy details, Name, type fw-pol-01.
  6. For Region, select West US 2.
  7. Select Review + create.
  8. Select Create.

Create a secured virtual network

Use Firewall Manager to create a secured virtual network.

  1. Open Firewall Manager.
  2. Select Virtual Networks.
  3. Select Create new Secured Virtual Network.
  4. For Resource group, select DDoS-Test-rg.
  5. For Region, select West US 2.
  6. For Hub Virtual Network Name, type Hub-vnet-01.
  7. For Address range, type 10.0.0.0/16.
  8. Select Next : Azure Firewall.
  9. For Public IP address, select Add new, type fw-pip for the name, and select OK.
  10. For Firewall subnet address space, type 10.0.0.0/24.
  11. For Firewall Policy, select fw-pol-01.
  12. Select Next : Review + create.
  13. Select Create.

Create a DDoS Protection Plan

Create a DDoS Protection Plan using Firewall Manager. You can use the DDoS Protection Plans page to create and manage your Azure DDoS Protection Plans.

Screenshot of the Firewall Manager DDoS Protection Plans page

  1. Open Firewall Manager.
  2. Select DDoS Protection Plans.
  3. Select Create.
  4. For Resource group, select Create new.
  5. Type DDoS-Test-rg for the resource group name.
  6. Under Instance details, Name, type DDoS-plan-01.
  7. For Region, select (US) West US 2.
  8. Select Review + create.
  9. Select Create.

Associate a DDoS Protection Plan

Now you can associate the DDoS Protection Plan with the secured virtual network.

  1. Open Firewall Manager.
  2. Select Virtual Networks.
  3. Select the check box for Hub-vnet-01.
  4. Select Manage Security, Add DDoS Protection Plan.
  5. For DDoS protection plan, select Enable.
  6. For DDoS protection plan, select DDoS-plan-01.
  7. Select Add.
  8. After the deployment completes, select Refresh.

You should now see that the virtual network has an associated DDoS Protection Plan.

Screenshot showing virtual network with DDoS Protection Plan
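
To confirm the association outside the portal, the following added example (not part of the original article) classifies virtual networks by the `enableDdosProtection` and `ddosProtectionPlan` fields that `az network vnet list -o json` returns. The records, subscription IDs, and the spoke and lab names are constructed; only Hub-vnet-01, DDoS-plan-01 and DDoS-Test-rg come from this tutorial.

```python
# Constructed sample, shaped like `az network vnet list -o json` output and
# trimmed to the fields used here. Subscription IDs and spoke/lab names are made up.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
PLAN_ID = (f"/subscriptions/{SUB_A}/resourceGroups/DDoS-Test-rg/providers/"
           "Microsoft.Network/ddosProtectionPlans/DDoS-plan-01")

def vnet(sub, rg, name, enabled, plan_id):
    """Build one constructed VNet record with the fields the audit reads."""
    return {"id": f"/subscriptions/{sub}/resourceGroups/{rg}/providers/"
                  f"Microsoft.Network/virtualNetworks/{name}",
            "name": name, "enableDdosProtection": enabled,
            "ddosProtectionPlan": {"id": plan_id} if plan_id else None}

SAMPLE_VNETS = [
    vnet(SUB_A, "DDoS-Test-rg", "Hub-vnet-01", True, PLAN_ID),
    vnet(SUB_B, "spoke-rg", "spoke-vnet-01", True, PLAN_ID),     # other subscription
    vnet(SUB_B, "spoke-rg", "spoke-vnet-02", False, None),       # never associated
    vnet(SUB_A, "DDoS-Test-rg", "lab-vnet-01", False, PLAN_ID),  # plan set, not enabled
]

def id_part(resource_id, key):
    """Return the path segment that follows `key` in an ARM resource ID."""
    parts = resource_id.strip("/").split("/")
    for i in range(len(parts) - 1):
        if parts[i].lower() == key.lower():
            return parts[i + 1]
    return None

def audit(vnets, expected_plan):
    """Classify each VNet by its DDoS Protection Plan association."""
    report = {}
    for v in vnets:
        plan_id = (v.get("ddosProtectionPlan") or {}).get("id")
        if not plan_id:
            status = "unprotected"
        elif not v.get("enableDdosProtection"):
            status = "plan-not-enabled"  # count as protected only when both fields agree
        elif (id_part(plan_id, "ddosProtectionPlans") or "").lower() != expected_plan.lower():
            status = "unexpected-plan"
        elif id_part(plan_id, "subscriptions") != id_part(v["id"], "subscriptions"):
            status = "protected-cross-subscription"
        else:
            status = "protected"
        report[v["name"]] = status
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_VNETS, "DDoS-plan-01").items():
        print(f"{name:15} {status}")
```

To run it against a real tenant, replace `SAMPLE_VNETS` with the parsed JSON from the CLI for each subscription you want to check.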
