與 Azure DDoS 保護 Standard 合作Partnering with Azure DDoS Protection Standard

本文說明 Azure DDoS 保護標準所啟用的合作機會。This article describes partnering opportunities enabled by the Azure DDoS Protection Standard. 本文旨在協助產品經理和商務開發角色瞭解投資途徑,並提供合作價值主張的見解。This article is designed to help product managers and business development roles understand the investment paths and provide insight into the partnering value propositions.

背景Background

分散式阻斷服務 (DDoS) 攻擊是客戶將應用程式移至雲端的最高可用性和安全性顧慮之一。Distributed denial of service (DDoS) attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. 因為 extortion 和 hacktivism 是 DDoS 攻擊背後的常見動機,所以它們的類型、規模和發生頻率一直都是一致的,因為它們相當簡單且更便宜。With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.

Azure DDoS 保護針對最複雜的 DDoS 威脅提供對策,利用 Azure 網路的全球規模。Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats, leveraging the global scale of Azure networking. 此服務為部署在虛擬網路中的應用程式和資源,提供增強的 DDoS 風險降低功能。The service provides enhanced DDoS mitigation capabilities for applications and resources deployed in virtual networks.

技術合作夥伴可以使用 Azure DDoS 保護標準,以原生方式保護其客戶資源,以因應 DDoS 攻擊的可用性和可靠性問題。Technology partners can protect their customers' resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

Azure DDoS 保護 Standard 簡介Introduction to Azure DDoS Protection Standard

Azure DDoS 保護 Standard 針對第3層和第4層 DDoS 攻擊提供增強的 DDoS 風險降低功能。Azure DDoS Protection Standard provides enhanced DDoS mitigation capabilities against Layer 3 and Layer 4 DDoS attacks. 以下是 DDoS 保護標準服務的主要功能。The following are the key features of DDoS Protection Standard service.

調適性即時調整Adaptive real-time tuning

針對每個受保護的應用程式,Azure DDoS 保護 Standard 會根據應用程式的流量配置檔案模式自動調整 DDoS 風險降低原則閾值。For every protected application, Azure DDoS Protection Standard automatically tunes the DDoS mitigation policy thresholds based on the application’s traffic profile patterns. 服務會使用兩種見解來完成這項自訂:The service accomplishes this customization by using two insights:

  • 自動學習每位客戶 (每個 IP) 的第 3 層與第 4 層流量模式。Automatic learning of per-customer (per-IP) traffic patterns for Layer 3 and 4.
  • 考慮到 Azure 的規模會使之吸收大量的流量,進而降低誤判。Minimizing false positives, considering that the scale of Azure allows it to absorb a significant amount of traffic.

適應性即時微調

攻擊分析、遙測、監視及警示Attack analytics, telemetry, monitoring, and alerting

Azure DDoS 保護識別並減少 DDoS 攻擊,而不需要使用者介入。Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention.

  • 如果受保護的資源位於 Azure 資訊安全中心所涵蓋的訂用帳戶中,則當偵測到 DDoS 攻擊並針對受保護的應用程式緩解時,DDoS 保護標準會自動將警示傳送至「安全性中心」。If the protected resource is in the subscription covered under Azure Security Center, DDoS Protection Standard automatically sends an alert to Security Center whenever a DDoS attack is detected and mitigated against the protected application.
  • 或者,若要在受保護的公用 IP 有作用中的緩和措施時收到通知,您可以在 [DDoS 攻擊] 下設定計量的 警示Alternatively, to get notified when there’s an active mitigation for a protected public IP, you can configure an alert on the metric Under DDoS attack or not.
  • 此外,您還可以選擇建立其他 DDoS 計量的警示,並 設定攻擊遙測 ,以瞭解攻擊的規模、要卸載的流量、攻擊媒介、熱門參與者和其他詳細資料。You can additionally choose to create alerts for the other DDoS metrics and configure attack telemetry to understand the scale of the attack, traffic being dropped, attack vectors, top contributors, and other details.

DDoS 計量

DDoS 快速回應 (DRR) DDoS rapid response (DRR)

DDoS 保護標準客戶可在主動攻擊期間存取 快速回應小組DDoS Protection Standard customers have access to Rapid Response team during an active attack. DRR 可協助在攻擊期間進行攻擊調查,以及進行攻擊後的分析。DRR can help with attack investigation during an attack as well as post-attack analysis.

SLA 保證和成本保護SLA guarantee and cost protection

DDoS 保護標準服務涵蓋99.99% 的 SLA,而「成本保護」會在記載的攻擊期間提供資源信用額度以進行 scale out。DDoS Protection Standard service is covered by a 99.99% SLA, and cost protection provides resource credits for scale out during a documented attack. 如需詳細資訊,請參閱 Azure DDoS 保護的 SLAFor more information, see SLA for Azure DDoS Protection.

以下是您可以藉由整合 Azure DDoS 保護標準來衍生的主要優點:The following are key benefits you can derive by integrating with the Azure DDoS Protection Standard:

  • 合作夥伴提供的服務 (負載平衡器、web 應用程式防火牆、防火牆等,) 到其客戶的客戶會自動受到 (白名單中 Azure DDoS 保護標準所標示) 的保護。Partners' offered services (load balancer, web application firewall, firewall, etc.) to their customers are automatically protected (white labeled) by Azure DDoS Protection Standard in the back end.
  • 合作夥伴可以存取 Azure DDoS 保護的標準攻擊分析和遙測,讓他們可以與自己的產品整合,以提供一致的客戶體驗。Partners have access to Azure DDoS Protection Standard attack analytics and telemetry that they can integrate with their own products, offering a unified customer experience.
  • 即使在沒有 Azure 快速回應的情況下,合作夥伴也可以存取 DDoS 快速回應支援,以瞭解 DDoS 的相關問題。Partners have access to DDoS rapid response support even in the absence of Azure rapid response, for DDoS related issues.
  • 合作夥伴受保護的應用程式在發生 DDoS 攻擊時,會受到 DDoS SLA 保證和成本保護的支援。Partners' protected applications are backed by a DDoS SLA guarantee and cost protection in the event of DDoS attacks.

技術整合總覽Technical integration overview

Azure DDoS 保護標準合作機會可透過 Azure 入口網站、Api 和 CLI/PS 來取得。Azure DDoS Protection Standard partnering opportunities are made available via Azure portal, APIs, and CLI/PS.

與 DDoS 保護標準整合Integrate with DDoS Protection Standard

合作夥伴必須執行下列步驟,才能設定與 Azure DDoS 保護 Standard 的整合:The following steps are required for partners to configure integration with Azure DDoS Protection Standard:

  1. 在您想要的 (夥伴) 訂用帳戶中建立 DDoS 保護方案。Create a DDoS Protection Plan in your desired (partner) subscription. 如需逐步指示,請參閱 建立 DDoS 標準保護計劃For step-by-step instructions, see Create a DDoS Standard Protection plan.

    注意

    只需要為指定的租使用者建立1個 DDoS 保護方案。Only 1 DDoS Protection Plan needs to be created for a given tenant.

  2. 在您的 (夥伴) 訂用帳戶中部署具有公用端點的服務,例如負載平衡器、防火牆及 web 應用程式防火牆。Deploy a service with public endpoint in your (partner) subscriptions, such as load balancer, firewalls, and web application firewall.
  3. 使用第一個步驟中建立的 DDoS 保護計劃,在具有公用端點的服務的虛擬網路上啟用 Azure DDoS 保護標準。Enable Azure DDoS Protection Standard on the virtual network of the service that has public endpoints using DDoS Protection Plan created in the first step. 如需 stpe 逐步指示,請參閱 啟用 DDoS 標準保護計劃For stpe-by-step instructions, see Enable DDoS Standard Protection plan

    重要

    在虛擬網路上啟用 Azure DDoS 保護 Standard 之後,該虛擬網路內的所有公用 Ip 都會自動受到保護。After Azure DDoS Protection Standard is enabled on a virtual network, all public IPs within that virtual network are automatically protected. 這些公用 Ip 的來源可以是 Azure (用戶端訂用帳戶) 或 Azure 外部。The origin of these public IPs can be either within Azure (client subscription) or outside of Azure.

  4. (選擇性)將 Azure DDoS 保護標準遙測和攻擊分析整合至應用程式特定的客戶面向儀表板。Optionally, integrate Azure DDoS Protection Standard telemetry and attack analytics in your application-specific customer-facing dashboard. 如需使用遙測的詳細資訊,請參閱 查看和設定 DDoS 保護遙測For more information about using telemetry, see View and configure DDoS protection telemetry.

上架指南和技術檔Onboarding guides and technical documentation

取得協助Get help

  • 如果您有關于使用 Azure DDoS 保護 Standard 的應用程式、服務或產品整合的問題,請與 Azure 安全性社區聯繫。If you have questions about application, service, or product integrations with Azure DDoS Protection Standard, reach out to the Azure security community.
  • 遵循 Stack Overflow的討論。Follow discussions on Stack Overflow.

進入市場Get to market

下一步Next steps

查看現有的合作夥伴整合:View existing partner integrations: