Azure DDoS Protection

Azure DDoS Protection provides enhanced security for Azure resources against sophisticated Distributed Denial of Service (DDoS) attacks, ensuring application availability and reliability.

Platform: Azure (proprietary, cloud service only)
Category: Network Security
Last page update: 19 days ago
Pricing details: Pricing is based on the DDoS Protection Plan and the resources protected. Specific costs can be found on the Azure pricing page.
Target audience: Organizations using Azure services that require protection against DDoS attacks.

Azure DDoS Protection is designed to protect Azure resources from sophisticated Distributed Denial of Service (DDoS) attacks, which can severely impact application availability and reliability. Here’s a technical overview of its architecture and operational considerations:

Azure DDoS Protection leverages the global scale of Azure's networking infrastructure to provide enhanced DDoS mitigation capabilities. The service automatically tunes DDoS mitigation policies to the traffic profile of each protected application, applying machine learning to each customer's per-public-IP traffic patterns to defend against Layer 3 and Layer 4 attacks. This adaptive, real-time tuning minimizes false positives and provides effective mitigation of complex multi-vector DDoS attacks.

To enable Azure DDoS Protection, you need to create a DDoS Protection Plan and link it to the virtual networks that contain the resources you want to protect. This plan can span multiple subscriptions under a single Microsoft Entra tenant. Once enabled, all public IPs within the protected virtual network are automatically safeguarded against DDoS attacks. The service integrates with other Azure security features, such as Azure Firewall Manager and web application firewalls (WAFs), to provide comprehensive protection across different layers of the network.

Azure DDoS Protection provides rich telemetry via Azure Monitor, allowing for detailed logging, monitoring, and alerting. Metrics are retained for 30 days, and alerts can be configured for any of the Azure Monitor metrics used by DDoS Protection. The service is covered by a 99.99% SLA and includes cost protection: you are not charged for attack traffic, and you receive service credits for resource costs incurred during a documented attack. Note that only resources in Azure Resource Manager-based virtual networks are supported; multitenant PaaS services are not currently protected.

The service applies auto-tuned mitigation policies for TCP SYN, TCP, and UDP traffic for each protected public IP. You can monitor these policies and the status of DDoS attacks through metrics such as "Inbound packets to trigger DDoS mitigation" and "Under DDoS attack or not," which changes to 1 when DDoS mitigation is active. This real-time visibility helps in quick response and incident management during active attacks.
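The following Az PowerShell script, added here as an example and not taken from this page or from Microsoft's documentation, walks through the procedure described above: it creates a DDoS Protection Plan, links it to a virtual network, and then creates an Azure Monitor metric alert on the "Under DDoS attack or not" metric (metric name UnderDDoSAttack) for one protected public IP. The resource group, location, VNet, public IP, plan and action group names are assumed placeholders, and the script expects an authenticated Az session.

```powershell
# Added example (not from the catalogue page or Microsoft's docs): enable a DDoS
# Protection Plan on a VNet and alert when a protected public IP is under attack.
# Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
# Resource group, VNet, public IP, action group and plan names are assumed placeholders.
$rg      = "rg-prod-network"
$loc     = "eastus"
$vnet    = "vnet-prod"
$pipName = "pip-web-frontend"
$agId    = "/subscriptions/<sub-id>/resourceGroups/rg-prod-network/providers/microsoft.insights/actionGroups/ag-secops"

# 1. Create the DDoS Protection Plan. One plan can be shared by VNets across
#    subscriptions in the same Microsoft Entra tenant.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-prod" -Location $loc

# 2. Link the plan to the VNet and switch protection on. Every public IP in the
#    VNet is covered from this point; no per-IP configuration is needed.
$net = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$net.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$net.DdosProtectionPlan.Id = $plan.Id
$net.EnableDdosProtection = $true
$net | Set-AzVirtualNetwork | Out-Null

# 3. Alert when "Under DDoS attack or not" (UnderDDoSAttack) flips to 1 on a protected
#    public IP. Maximum aggregation over a 5-minute window, evaluated every minute, so
#    a short mitigation window is not missed between samples.
$pip  = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$cond = New-AzMetricAlertRuleV2Criteria -MetricName "UnderDDoSAttack" `
          -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name "ddos-mitigation-active-$pipName" -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $cond -Severity 1 `
    -WindowSize 00:05:00 -Frequency 00:01:00 -ActionGroupId $agId

# 4. Verification: the VNet should now report EnableDdosProtection = True and carry
#    the plan's resource id.
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet) |
    Select-Object Name, EnableDdosProtection, @{n = "Plan"; e = { $_.DdosProtectionPlan.Id }}
```

The alert uses the 0/1 attack flag rather than a packet-rate threshold because the flag already reflects the service's auto-tuned per-IP policy; a separate rule on the "Inbound packets to trigger DDoS mitigation" metrics is useful for trend analysis but tends to be noisier for paging.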
