Manage Azure DDoS Protection Standard using the Azure portal

Learn how to enable and disable distributed denial of service (DDoS) protection, and use telemetry to mitigate a DDoS attack with Azure DDoS Protection Standard. DDoS Protection Standard protects Azure resources such as virtual machines, load balancers, and application gateways that have an Azure public IP address assigned to it. To learn more about DDoS Protection Standard and its capabilities, see DDoS Protection Standard overview.

Before completing any steps in this tutorial, log in to the Azure portal at https://portal.azure.com with an account assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Permissions.

If you don't have an Azure subscription, create a free account before you begin.

Create a DDoS protection plan

A DDoS protection plan defines a set of virtual networks that have DDoS Protection Standard enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan. The DDoS protection plan itself is also associated with a subscription, which you select during creation of the plan. The subscription the plan is associated with incurs the monthly recurring bill for the plan, as well as overage charges if the number of protected public IP addresses exceeds 100. For more information on DDoS pricing, see pricing details.

Creation of more than one plan is not required for most organizations. A plan cannot be moved between subscriptions. If you want to change the subscription a plan is in, you have to delete the existing plan and create a new one.

  1. Select Create a resource in the upper left corner of the Azure portal.
  2. Search for DDoS. When DDoS protection plan appears in the search results, select it.
  3. Select Create.
  4. Enter or select your own values, or enter or select the following example values, and then select Create:

    | Setting        | Value                                        |
    |----------------|----------------------------------------------|
    | Name           | myDdosProtectionPlan                         |
    | Subscription   | Select your subscription.                    |
    | Resource group | Select Create new and enter myResourceGroup  |
    | Location       | East US                                      |

Enable DDoS for a new virtual network

  1. Select Create a resource in the upper left corner of the Azure portal.
  2. Select Networking, and then select Virtual network.
  3. Enter or select your own values, or enter or select the following example values, accept the remaining defaults, and then select Create:

    | Setting         | Value                                                                 |
    |-----------------|-----------------------------------------------------------------------|
    | Name            | myVirtualNetwork                                                      |
    | Subscription    | Select your subscription.                                             |
    | Resource group  | Select Use existing, and then select myResourceGroup                  |
    | Location        | East US                                                               |
    | DDoS protection | Select Standard and then, under DDoS protection, select myDdosProtectionPlan. The plan you select can be in the same or a different subscription than the virtual network, but both subscriptions must be associated with the same Azure Active Directory tenant. |

You cannot move a virtual network to another resource group or subscription while DDoS Standard is enabled for the virtual network. If you need to move a virtual network with DDoS Standard enabled, disable DDoS Standard first, move the virtual network, and then enable DDoS Standard again. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.

Enable DDoS for an existing virtual network

  1. Create a DDoS protection plan by completing the steps in Create a DDoS protection plan, if you don't have an existing DDoS protection plan.
  2. Select Create a resource in the upper left corner of the Azure portal.
  3. Enter the name of the virtual network that you want to enable DDoS Protection Standard for in the Search resources, services, and docs box at the top of the portal. When the name of the virtual network appears in the search results, select it.
  4. Select DDoS protection, under SETTINGS.
  5. Select Standard. Under DDoS protection plan, select an existing DDoS protection plan, or the plan you created in step 1, and then select Save. The plan you select can be in the same or a different subscription than the virtual network, but both subscriptions must be associated with the same Azure Active Directory tenant.

Disable DDoS for a virtual network

  1. Enter the name of the virtual network you want to disable DDoS protection standard for in the Search resources, services, and docs box at the top of the portal. When the name of the virtual network appears in the search results, select it.
  2. Select DDoS protection, under SETTINGS.
  3. Select Basic under DDoS protection plan and then select Save.

Work with DDoS protection plans

  1. Select All services on the top, left of the portal.
  2. Enter DDoS in the Filter box. When DDoS protection plans appear in the results, select it.
  3. Select the protection plan you want to view from the list.
  4. All virtual networks associated to the plan are listed.
  5. If you want to delete a plan, you must first dissociate all virtual networks from it. To dissociate a plan from a virtual network, see Disable DDoS for a virtual network.

Configure alerts for DDoS protection metrics

You can select any of the available DDoS protection metrics to alert you when there’s an active mitigation during an attack, using the Azure Monitor alert configuration. When the conditions are met, the address specified receives an alert email:

  1. Select All services on the top, left of the portal.
  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.
  3. Select Metrics under SHARED SERVICES.
  4. Enter or select your own values, or enter the following example values, accept the remaining defaults, and then select OK:

    | Setting                  | Value |
    |--------------------------|-------|
    | Name                     | myDdosAlert |
    | Subscription             | Select the subscription that contains the public IP address you want to receive alerts for. |
    | Resource group           | Select the resource group that contains the public IP address you want to receive alerts for. |
    | Resource                 | Select the public IP address you want to receive alerts for. DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in Virtual network for Azure services, except for Azure App Service Environments and Azure VPN Gateway. To continue with this tutorial, you can quickly create a Windows or Linux virtual machine. |
    | Metric                   | Under DDoS attack or not |
    | Threshold                | 1. A value of 1 means you are under attack; 0 means you are not under attack. |
    | Period                   | Select whatever value you choose. |
    | Notify via Email         | Check the checkbox. |
    | Additional administrator | Enter your email address if you're not an email owner, contributor, or reader for the subscription. |

    Within a few minutes of attack detection, you receive an email from Azure Monitor metrics that looks similar to the following picture:

    Attack alert

To simulate a DDoS attack to validate your alert, see Validate DDoS detection.

You can also learn more about configuring webhooks and logic apps for creating alerts.

Use DDoS protection telemetry

Telemetry for an attack is provided through Azure Monitor in real time. The telemetry is available only for the duration that a public IP address is under mitigation. You don't see telemetry before or after an attack is mitigated.

  1. Select All services on the top, left of the portal.
  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.
  3. Select Metrics, under SHARED SERVICES.
  4. Select the Subscription and Resource group that contain the public IP address that you want telemetry for.
  5. Select Public IP Address for Resource type, then select the specific public IP address you want telemetry for.
  6. A series of Available Metrics appear on the left side of the screen. These metrics, when selected, are graphed in the Azure Monitor Metrics Chart on the overview screen.

The metric names distinguish packet types and bytes versus packets, using a basic construct of tag names on each metric as follows:

  • Dropped tag name (for example, Inbound Packets Dropped DDoS): The number of packets dropped/scrubbed by the DDoS protection system.
  • Forwarded tag name (for example Inbound Packets Forwarded DDoS): The number of packets forwarded by the DDoS system to the destination VIP – traffic that was not filtered.
  • No tag name (for example Inbound Packets DDoS): The total number of packets that came into the scrubbing system – representing the sum of the packets dropped and forwarded.
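The alert rule above (threshold 1 on "Under DDoS attack or not") and the three-way tag construct just described can both be checked mechanically. The following is an added example, not code from the Azure documentation or from Microsoft: it evaluates the threshold on a constructed stream of per-minute samples, derives mitigation windows, verifies that the untagged total equals Dropped + Forwarded, and computes the scrubbed share per minute. The flat tuple layout of the samples is an assumption made for this example; real Azure Monitor responses carry time series, aggregation type and resource ids.

```python
"""Added example (not part of the Azure documentation page): evaluates the
"Under DDoS attack or not" alert threshold and the Dropped / Forwarded /
untagged metric relationship on a constructed stream of per-minute samples.
The flat tuple shape is an assumption; real Azure Monitor responses are richer."""

# Constructed samples: (minute, under_attack, total, dropped, forwarded).
# The three packet counters mirror the page's tag construct:
#   total     -> "Inbound Packets DDoS" (no tag: everything entering scrubbing)
#   dropped   -> "Inbound Packets Dropped DDoS"
#   forwarded -> "Inbound Packets Forwarded DDoS"
# They are None outside mitigation because telemetry is only emitted while
# a public IP is under mitigation.
SAMPLE = [
    ("12:00", 0, None, None, None),
    ("12:01", 0, None, None, None),
    ("12:02", 1, 950000, 940000, 10000),
    ("12:03", 1, 990000, 981000, 9000),
    ("12:04", 1, 400000, 392000, 8000),
    ("12:05", 0, None, None, None),
]

ATTACK_THRESHOLD = 1  # alert rule from the page: 1 = under attack, 0 = not


def alert_minutes(samples, threshold=ATTACK_THRESHOLD):
    """Minutes at which an alert on 'Under DDoS attack or not' >= threshold fires."""
    return [minute for minute, under_attack, *_ in samples if under_attack >= threshold]


def mitigation_windows(samples):
    """Contiguous runs of under_attack == 1, as (first_minute, last_minute) pairs."""
    windows, start, previous = [], None, None
    for minute, under_attack, *_ in samples:
        if under_attack and start is None:
            start = minute
        elif not under_attack and start is not None:
            windows.append((start, previous))
            start = None
        previous = minute
    if start is not None:  # mitigation still active at the end of the data
        windows.append((start, previous))
    return windows


def tag_inconsistencies(samples):
    """Minutes where the untagged total != Dropped + Forwarded.

    The page defines the untagged metric as the sum of the other two, so a
    non-empty result means the samples were misread or mixed across IPs."""
    bad = []
    for minute, _under_attack, total, dropped, forwarded in samples:
        if total is None:
            continue  # no telemetry outside mitigation: nothing to check
        if total != dropped + forwarded:
            bad.append(minute)
    return bad


def drop_ratios(samples):
    """Share of inbound packets scrubbed per minute, only where telemetry exists."""
    return {
        minute: round(dropped / total, 4)
        for minute, _under_attack, total, dropped, _forwarded in samples
        if total
    }


if __name__ == "__main__":
    print("alert fires at:", alert_minutes(SAMPLE))
    print("mitigation windows:", mitigation_windows(SAMPLE))
    print("inconsistent minutes:", tag_inconsistencies(SAMPLE))
    print("drop ratios:", drop_ratios(SAMPLE))
```

The `None` values outside the window are deliberate: because telemetry exists only while a public IP is under mitigation, a dashboard that treats a missing Dropped sample as zero would be misreading the data, and `tag_inconsistencies` skips those minutes rather than flagging them.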

To simulate a DDoS attack to validate telemetry, see Validate DDoS detection.

View DDoS mitigation policies

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address of the protected resource, in the virtual network that has DDoS enabled. You can view the policy thresholds by selecting the Inbound TCP packets to trigger DDoS mitigation and Inbound UDP packets to trigger DDoS mitigation metrics, as shown in the following picture:

View mitigation policies

Policy thresholds are auto-configured via Azure machine learning-based network traffic profiling. Only when the policy threshold is breached does DDoS mitigation occur for the IP address under attack.

Configure DDoS attack analytics

Azure DDoS Protection standard provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs.

Configure DDoS attack mitigation reports

Attack mitigation reports use Netflow protocol data, aggregated to provide detailed information about the attack on your resource. Whenever a public IP resource is under attack, report generation starts as soon as mitigation starts. An incremental report is generated every 5 minutes, and a post-mitigation report covers the whole mitigation period. This ensures that if the DDoS attack continues for a longer duration, you can view the most current snapshot of the mitigation report every 5 minutes and a complete summary once the attack mitigation is over.

  1. Select All services on the top, left of the portal.
  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.
  3. Under SETTINGS, select Diagnostic Settings.
  4. Select the Subscription and Resource group that contain the public IP address you want to log.
  5. Select Public IP Address for Resource type, then select the specific public IP address you want to log metrics for.
  6. Select Turn on diagnostics to collect the DDoSMitigationReports log and then select as many of the following options as you require:

    • Archive to a storage account: Data is written to an Azure Storage account. To learn more about this option, see Archive diagnostic logs.
    • Stream to an event hub: Allows a log receiver to pick up logs using an Azure Event Hub. Event hubs enable integration with Splunk or other SIEM systems. To learn more about this option, see Stream diagnostic logs to an event hub.
    • Send to Log Analytics: Writes logs to the Azure OMS Log Analytics service. To learn more about this option, see Collect logs for use in Log Analytics.

Both the incremental and post-attack mitigation reports include the following fields:

  • Attack vectors
  • Traffic statistics
  • Reason for dropped packets
  • Protocols involved
  • Top 10 source countries or regions
  • Top 10 source ASNs

Configure DDoS attack mitigation flow logs

Attack mitigation flow logs allow you to review dropped traffic, forwarded traffic, and other datapoints of interest during an active DDoS attack in near-real time. You can ingest the constant stream of this data into your SIEM via an event hub for near-real-time monitoring, so that your defense operations can take action as needed.

  1. Select All services on the top, left of the portal.
  2. Enter Monitor in the Filter box. When Monitor appears in the results, select it.
  3. Under SETTINGS, select Diagnostic Settings.
  4. Select the Subscription and Resource group that contain the public IP address you want to log.
  5. Select Public IP Address for Resource type, then select the specific public IP address you want to log metrics for.
  6. Select Turn on diagnostics to collect the DDoSMitigationFlowLogs log and then select as many of the following options as you require:

    • Archive to a storage account: Data is written to an Azure Storage account. To learn more about this option, see Archive diagnostic logs.
    • Stream to an event hub: Allows a log receiver to pick up logs using an Azure Event Hub. Event hubs enable integration with Splunk or other SIEM systems. To learn more about this option, see Stream diagnostic logs to an event hub.
    • Send to Log Analytics: Writes logs to the Azure OMS Log Analytics service. To learn more about this option, see Collect logs for use in Log Analytics.
  7. To view the flow logs data in Azure analytics dashboard, you can import the sample dashboard from https://github.com/Anupamvi/Azure-DDoS-Protection/raw/master/flowlogsbyip.zip

Flow logs will have the following fields:

  • Source IP
  • Destination IP
  • Source Port
  • Destination port
  • Protocol type
  • Action taken during mitigation

Validate DDoS detection

Microsoft has partnered with BreakingPoint Cloud to build an interface where you can generate traffic against DDoS Protection-enabled public IP addresses for simulations. The BreakingPoint Cloud simulation allows you to:

  • Validate how Microsoft Azure DDoS Protection protects your Azure resources from DDoS attacks
  • Optimize your incident response process while under DDoS attack
  • Document DDoS compliance
  • Train your network security teams

Permissions

To work with DDoS protection plans, your account must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in the following table:

| Action                                            | Name                                     |
|---------------------------------------------------|------------------------------------------|
| Microsoft.Network/ddosProtectionPlans/read        | Read a DDoS protection plan              |
| Microsoft.Network/ddosProtectionPlans/write       | Create or update a DDoS protection plan  |
| Microsoft.Network/ddosProtectionPlans/delete      | Delete a DDoS protection plan            |
| Microsoft.Network/ddosProtectionPlans/join/action | Join a DDoS protection plan              |
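A custom role is the least-privilege alternative to handing out Network Contributor for plan management. The following is an added example, not code from the Azure documentation or from Microsoft: it builds a custom role definition carrying exactly the four actions in the table, and checks whether any role definition covers them, honouring Azure RBAC wildcard patterns and NotActions. The subscription id in AssignableScopes is a placeholder, and the "broad" role is only an approximation of the built-in Network Contributor, whose real definition includes additional actions outside Microsoft.Network.

```python
"""Added example (not part of the Azure documentation page): a least-privilege
custom role for DDoS protection plans, plus a coverage check that applies
Azure RBAC wildcard and NotActions semantics to any role definition.

Assumptions: the subscription id is a placeholder; BROAD_NETWORK_ROLE only
approximates the built-in Network Contributor role."""
import json
import re

# The four actions from the Permissions table on the page.
REQUIRED_DDOS_ACTIONS = [
    "Microsoft.Network/ddosProtectionPlans/read",
    "Microsoft.Network/ddosProtectionPlans/write",
    "Microsoft.Network/ddosProtectionPlans/delete",
    "Microsoft.Network/ddosProtectionPlans/join/action",
]

# Custom role definition in the JSON shape Azure role definitions use.
DDOS_PLAN_OPERATOR_ROLE = {
    "Name": "DDoS Protection Plan Operator (example)",
    "IsCustom": True,
    "Description": "Read, create, delete and join DDoS protection plans; nothing else.",
    "Actions": list(REQUIRED_DDOS_ACTIONS),
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id-placeholder>"],
}

# Approximation of Network Contributor: Microsoft.Network/* is its key action.
BROAD_NETWORK_ROLE = {
    "Name": "Network Contributor (approximation)",
    "IsCustom": False,
    "Actions": ["Microsoft.Network/*"],
    "NotActions": [],
}


def action_matches(pattern, action):
    """Azure RBAC matching: '*' matches any run of characters, '/' included,
    and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """Granted when some Actions pattern matches and no NotActions pattern does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role, required=REQUIRED_DDOS_ACTIONS):
    """Required actions the role does not effectively grant."""
    return [a for a in required if not role_allows(role, a)]


def is_scoped_to_ddos_plans(role, required=REQUIRED_DDOS_ACTIONS):
    """True when the role grants the required actions and nothing beyond them
    (no wildcards, no extra literal actions)."""
    required_lower = {a.lower() for a in required}
    actions_lower = {a.lower() for a in role.get("Actions", [])}
    return actions_lower == required_lower and not missing_actions(role, required)


def role_definition_json(role=DDOS_PLAN_OPERATOR_ROLE):
    """Serialised definition, ready to be saved to a file for role creation."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(role_definition_json())
    for role in (DDOS_PLAN_OPERATOR_ROLE, BROAD_NETWORK_ROLE):
        print(role["Name"], "missing:", missing_actions(role),
              "scoped:", is_scoped_to_ddos_plans(role))
```

Both roles pass the coverage check, but only the custom one passes the scope check: Microsoft.Network/* also grants every other networking action in the subscription. Note that this role alone is not enough to enable DDoS Standard on a virtual network, since that also needs the virtual network actions the page mentions but does not list.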

To enable DDoS protection for a virtual network, your account must also be assigned the appropriate actions for virtual networks.

Next steps