Azure DDoS IP Protection is Now Available in Public Preview

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Written in collaboration with @eve_kilel 

 

Introduction

IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.

 

If you have only a few public IPs in your environment, you can start with the IP Protection SKU, which is enabled directly on the Public IP resource, and you pay only for that protected resource. The cost is a fixed $199/month for each protected public IP resource, with no additional variable costs. Prices may vary by region. Billing for IP Protection will be effective starting on February 1, 2023. For the full pricing list, see Azure DDoS Protection Pricing | Microsoft Azure.

 

SKU comparison

The new IP Protection SKU has some feature differences compared to the Network Protection SKU. The main differences are shown below:

 

| Feature | DDoS IP Protection | DDoS Network Protection |
| --- | --- | --- |
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customer's application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Azure Sentinel data connector and workbook | Yes | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | $199/month per protected IP | $2,944/month per DDoS protection plan and overage charge of $30 for each extra public IP above 100 IPs |

 

Region Availability

 

| Americas | Europe | Middle East | Africa | Asia Pacific |
| --- | --- | --- | --- | --- |
| West Central US | France Central | UAE Central | South Africa North | Australia Central |
| North Central US | Germany West Central | Qatar Central | | Korea Central |
| West US | Switzerland North | | | Japan East |
| West US 3 | France South | | | West India |
| | Norway East | | | Jio India Central |
| | Sweden Central | | | Australia Central 2 |
| | Germany North | | | |

Additional regions are listed as they become available at: About Azure DDoS Protection SKU Comparison | Microsoft Learn

 

Enabling Azure DDoS IP Protection

 

Prerequisites

  1. Sign in through the Azure preview portal if you want to use the Azure portal to configure DDoS IP Protection
  2. Deploy the public IP in one of the supported regions listed above
  3. Deploy the public IP with the Standard SKU

 

Using Azure Portal

To enable the IP Protection SKU using the Azure portal, first make sure you’re using the preview portal https://preview.portal.azure.com. After you sign in, you can either create a new public IP or use an existing one, as long as it is deployed in one of the supported regions.

 

Navigate to your Public IP resource. On the Overview page, you will see “Protect IP address” in the bottom-right corner.

 


 

 

Once you click on “Protect”, you will be given 3 options:

  1. Network: Inherit DDoS protection from the virtual network. Use this option if you’re using a DDoS Network Protection plan to protect the VNet to which the public IP is attached, and you want to add the IP to your plan.
  2. IP: Specific to this IP address. Selecting this option enables DDoS IP Protection specifically on this public IP. (We will be using this option to demonstrate the new SKU.)
  3. Disable: The “disable” option gives you the ability to exclude public IPs from a DDoS Network Protection plan. You can read more about this here: https://techcommunity.microsoft.com/t5/azure-network-security-blog/exclude-public-ip-addresses-in-azure-ddos-network-protection/ba-p/3676143

 

The protection status will warn you if your public IP is not protected by DDoS protection. After you choose IP protection and save the settings, the protection status turns green.

 


 

 

Using PowerShell

Another way to enable IP protection is via PowerShell. To create a new Public IP with DDoS IP protection enabled on it, use the following command:

 

New-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup -Sku Standard -Location "East US" -AllocationMethod Static -DdosProtectionMode Enabled  

 

Note: Make sure to choose Standard SKU when you're creating the public IP

 

If you already have a Public IP and want to enable DDoS protection on it, use these commands:

 

$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
$publicIp.DdosSettings.ProtectionMode = 'Enabled'
Set-AzPublicIpAddress -PublicIpAddress $publicIp

 

To verify that your DDoS IP Protection is enabled on your public IP, run these commands:

 

$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
$protectionMode = $publicIp.DdosSettings.ProtectionMode
$protectionMode

 

For more information about configuring Azure DDoS IP Protection using Azure PowerShell, see Quickstart: Create and configure Azure DDoS IP Protection using PowerShell | Microsoft Learn
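The single-IP verification above extends naturally to an inventory check. The following is an added example, not code from the original post: it classifies public IP objects by DdosSettings.ProtectionMode and by the two prerequisites listed earlier (Standard SKU, supported region). The function name Test-DdosIpProtection and the sample inventory are assumptions, the VirtualNetworkInherited and Disabled mode values come from the Az.Network module rather than from this page, and the region list is the preview snapshot printed above.

```powershell
# Added example, not from the original post. Test-DdosIpProtection is a hypothetical helper name.
# Region list: the preview snapshot printed on this page (more regions were being added).
$PreviewRegions = @(
    'West Central US', 'North Central US', 'West US', 'West US 3',
    'France Central', 'Germany West Central', 'Switzerland North', 'France South',
    'Norway East', 'Sweden Central', 'Germany North', 'UAE Central', 'Qatar Central',
    'South Africa North', 'Australia Central', 'Korea Central', 'Japan East',
    'West India', 'Jio India Central', 'Australia Central 2'
) | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }

function Test-DdosIpProtection {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $PublicIp)
    process {
        $mode     = [string]$PublicIp.DdosSettings.ProtectionMode
        $region   = ([string]$PublicIp.Location -replace '\s', '').ToLowerInvariant()
        $eligible = ($PublicIp.Sku.Name -eq 'Standard') -and ($PreviewRegions -contains $region)

        if ($mode -eq 'Enabled') {
            $finding = 'IP Protection enabled on this address'
        } elseif ($mode -eq 'Disabled') {
            $finding = 'Excluded from DDoS protection: confirm this is intentional'
        } else {
            # VirtualNetworkInherited (or unset): coverage depends on the VNet's plan,
            # which cannot be read from the public IP object alone.
            $finding = 'Inherits from VNet: verify a DDoS Network Protection plan is attached'
        }
        if ($mode -ne 'Enabled' -and -not $eligible) {
            $finding += '; does not meet IP Protection prerequisites (Standard SKU, preview region)'
        }
        [pscustomobject]@{
            Name = $PublicIp.Name; Sku = $PublicIp.Sku.Name; Location = $PublicIp.Location
            Mode = $mode; EligibleForIpSku = $eligible; Finding = $finding
        }
    }
}

# Constructed sample inventory; against a live subscription, pipe Get-AzPublicIpAddress instead.
$sample = @(
    [pscustomobject]@{ Name = 'pip-fw'; Location = 'westcentralus'; Sku = @{ Name = 'Standard' }
                       DdosSettings = @{ ProtectionMode = 'Enabled' } }
    [pscustomobject]@{ Name = 'pip-appgw'; Location = 'France Central'; Sku = @{ Name = 'Standard' }
                       DdosSettings = @{ ProtectionMode = 'VirtualNetworkInherited' } }
    [pscustomobject]@{ Name = 'pip-legacy'; Location = 'westus'; Sku = @{ Name = 'Basic' }
                       DdosSettings = @{ ProtectionMode = 'VirtualNetworkInherited' } }
    [pscustomobject]@{ Name = 'pip-excluded'; Location = 'eastus'; Sku = @{ Name = 'Standard' }
                       DdosSettings = @{ ProtectionMode = 'Disabled' } }
)
$sample | Test-DdosIpProtection | Format-Table -AutoSize
```

An address reported as inheriting from the VNet is only protected if that VNet is actually associated with a DDoS Network Protection plan, so treat that finding as a prompt to check the VNet rather than as a pass.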

 

Protecting resources using DDoS IP protection and Azure Firewall Basic

Alongside the public preview announcement of the DDoS IP Protection SKU at Microsoft Ignite 2022 came the announcement of the Azure Firewall Basic SKU. This is a new SKU of Azure Firewall that provides the essential protection SMB customers need at an affordable price point: a cloud-native, highly available, stateful firewall-as-a-service offering that enables customers to centrally govern and log all their traffic flows with essential capabilities at scale.

 

These two new SKUs provide SMB customers with enterprise-grade network firewall and DDoS protection at a lower price point. By deploying Azure Firewall Basic and enabling DDoS IP Protection on the firewall’s public IP, customers can benefit from both services. Azure Firewall Basic provides L3-L7 filtering of East-West and North-South traffic with built-in threat intelligence to block malicious traffic; DDoS IP Protection provides cloud-scale DDoS protection to defend against large and sophisticated DDoS attacks. For more information and configuration instructions about Azure Firewall Basic, see Azure Firewall Basic SKU is now Available in Public Preview - Microsoft Community Hub

 

Summary

DDoS attacks are one of the biggest security concerns for applications in the cloud and are increasing in complexity and frequency as the cyber security landscape evolves. All customers, including small and medium-sized ones, are affected by the recent increase in DDoS attacks. We now have a DDoS per-IP SKU that helps SMBs/SMEs curb Layer 3 and Layer 4 DDoS attacks against their public IPs, including those of Firewalls, Application Gateways and Load Balancers. This also ensures that all customers using public IPs on Azure are protected.

 

Additional Resources:

What’s new in Azure Network Security at Microsoft Ignite 2022 - Microsoft Community Hub

Public preview: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure

Azure DDoS Protection Overview | Microsoft Learn

Deploy & configure Azure Firewall Basic (preview) and policy using the Azure portal | Microsoft Learn
