TL;DR
This guide shows you how to protect your Azure resources from Distributed Denial of Service (DDoS) attacks using Azure’s built-in DDoS protection and Azure Firewall. We’ll cover enabling DDoS protection, configuring firewall rules, and monitoring for threats.
1. Understand the Basics
Before we start, let’s quickly define what we are dealing with:
- DDoS Protection: Azure provides two tiers of DDoS protection – Basic (free, always on) and Standard (paid, enhanced features).
- Azure Firewall: A managed, cloud-based network security service that protects your resources. It’s a stateful firewall as a service with built-in threat intelligence.
Basic DDoS protection offers fundamental mitigation against common attacks. Standard provides more sophisticated protection and is recommended for production environments.
2. Enable Azure DDoS Protection (Standard)
- Navigate to the Azure Portal: Log in to your Azure account at https://portal.azure.com
- Search for ‘DDoS protection’: In the search bar, type “DDoS protection” and select it.
- Create a DDoS Protection Plan: Click “Create”.
- Configure the plan:
  - Subscription: Select your Azure subscription.
  - Resource group: Choose an existing resource group or create a new one.
  - Name: Give your plan a descriptive name (e.g., ‘MyDDoSPlan’).
  - Protection scope: Select the virtual networks you want to protect. This is crucial!
- Associate Virtual Networks: Add the virtual networks containing your resources that need protection.
- Review and Create: Validate your settings and click “Create”. It takes a few minutes for the plan to deploy.
3. Configure Azure Firewall
- Search for ‘Firewalls’: In the Azure portal search bar, type “Firewalls” and select it.
- Create a Firewall: Click “Create”.
- Basics Tab:
  - Subscription: Select your subscription.
  - Resource group: Choose the same resource group as your DDoS Protection Plan (recommended).
  - Name: Give your firewall a name (e.g., ‘MyAzureFirewall’).
  - Region: Select a region close to your resources.
- Networking Tab:
  - Virtual network: Select the virtual network you protected with DDoS Protection.
  - Public IP address: Create a new public IP or use an existing one.
  - Subnet: Azure Firewall will create a subnet automatically.
- Management Tab: Configure diagnostic settings to send logs to a Log Analytics workspace for monitoring (highly recommended).
- Rules Tab: This is where you define your firewall rules.
  - Application rule collections: Define rules based on fully qualified domain names (FQDNs) and protocols. For example, allow access to Microsoft Defender for Cloud services.
  - Network rule collections: Define rules based on source IP addresses, destination IP addresses/CIDR ranges, ports, and protocols. For example, allow SSH access from your office IP address.
- Review and Create: Validate settings and click “Create”. Firewall deployment can take 15-20 minutes.
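The network rule collections from the Rules tab are the part of this setup that most often goes wrong in practice: an "allow SSH from the office" rule quietly becomes "allow SSH from anywhere". The following linter is an added example, not part of the original guide or of any Azure tooling. It reads rule collections in the shape used by the Azure Firewall ARM resource (name, priority, action.type, rules with protocols/sourceAddresses/destinationAddresses/destinationPorts); the two sample collections, the office IP and the list of management ports are constructed for illustration.

```python
"""Lint Azure Firewall network rule collections for overly permissive Allow rules.

Added example (not code from the original guide). Input shape follows the
"networkRuleCollections" property of the Azure Firewall ARM resource; the
SAMPLE_COLLECTIONS below are constructed, not exported from a real firewall.
"""
from __future__ import annotations

import ipaddress

# Management ports that should never be reachable from the whole internet via an Allow rule.
MANAGEMENT_PORTS = {"22", "3389", "5985", "5986"}

# Azure Firewall rule collection priorities must lie in this range and be unique per collection type.
PRIORITY_MIN, PRIORITY_MAX = 100, 65000

# Constructed sample: one well-scoped SSH rule and one RDP rule that was opened too wide.
SAMPLE_COLLECTIONS = [
    {
        "name": "allow-ssh-from-office",
        "priority": 200,
        "action": {"type": "Allow"},
        "rules": [{
            "name": "ssh-office",
            "protocols": ["TCP"],
            "sourceAddresses": ["203.0.113.10/32"],   # constructed office egress IP (TEST-NET-3)
            "destinationAddresses": ["10.0.1.0/24"],
            "destinationPorts": ["22"],
        }],
    },
    {
        "name": "allow-rdp-anywhere",
        "priority": 300,
        "action": {"type": "Allow"},
        "rules": [{
            "name": "rdp-any",
            "protocols": ["TCP"],
            "sourceAddresses": ["*"],                  # the mistake the linter should catch
            "destinationAddresses": ["10.0.1.0/24"],
            "destinationPorts": ["3389"],
        }],
    },
]


def is_open_source(addr: str) -> bool:
    """True if a sourceAddresses entry admits the entire internet ('*' or a /0 prefix)."""
    if addr.strip() == "*":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags / IP groups are not expanded by this linter


def expand_ports(ports: list[str]) -> set[str]:
    """Expand entries such as '22', '3389' or '1000-2000' into individual port strings."""
    out: set[str] = set()
    for entry in ports:
        entry = entry.strip()
        if entry == "*":
            return {"*"}
        if "-" in entry:
            lo, hi = (int(x) for x in entry.split("-", 1))
            out.update(str(n) for n in range(lo, hi + 1))
        else:
            out.add(entry)
    return out


def lint_collections(collections: list[dict]) -> list[str]:
    """Return human-readable findings: bad priorities and management ports open to any source."""
    findings: list[str] = []
    seen: dict[int, str] = {}
    for coll in collections:
        prio = coll.get("priority")
        if not isinstance(prio, int) or not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            findings.append(f"{coll['name']}: priority {prio!r} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        elif prio in seen:
            findings.append(f"{coll['name']}: priority {prio} duplicates {seen[prio]}")
        else:
            seen[prio] = coll["name"]
        if coll.get("action", {}).get("type") != "Allow":
            continue  # Deny collections cannot over-expose anything
        for rule in coll.get("rules", []):
            open_src = any(is_open_source(a) for a in rule.get("sourceAddresses", []))
            ports = expand_ports(rule.get("destinationPorts", []))
            exposed = MANAGEMENT_PORTS if "*" in ports else MANAGEMENT_PORTS & ports
            if open_src and exposed:
                findings.append(f"{coll['name']}/{rule['name']}: allows {sorted(exposed)} from any source")
    return findings


if __name__ == "__main__":
    for finding in lint_collections(SAMPLE_COLLECTIONS):
        print(finding)
```

Run it against a JSON export of your firewall's rule collections before applying them; a clean run is a cheap gate in a deployment pipeline, and the same check generalises to any port list you consider sensitive.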
4. Configure DNS
Update your DNS records to point to the public IP address of your Azure Firewall. This ensures all traffic flows through the firewall. Inbound connections arriving at that IP only reach your backend resources if a matching NAT (DNAT) rule on the firewall forwards them, so add those rules alongside the network rules from step 3.
5. Monitoring and Logging
- DDoS Protection Metrics: In the DDoS protection resource, monitor metrics such as ‘Total attacks’ and ‘Attacks mitigated by Standard plan’ to assess attack volume and the effectiveness of mitigation.
- Azure Firewall Logs: Enable diagnostics settings for Azure Firewall to send logs to a Log Analytics workspace.
- Query Example (Kusto Query Language): To see allowed traffic:
  AzureDiagnostics
  | where Category == "AzureFirewallNetworkRule"
  | parse msg_s with Protocol " request from " SourceIp ":" SourcePort:int " to " DestinationIp ":" DestinationPort:int *
  | parse msg_s with * ". Action: " Action
  | where Action startswith "Allow"
  | project TimeGenerated, SourceIp, DestinationIp, Protocol, DestinationPort
  In the legacy AzureDiagnostics table, network rule events carry the category "AzureFirewallNetworkRule" and the details live in the free-text msg_s column, which is why the query parses them out. If the diagnostic setting uses resource-specific tables instead, the same data is available in the AZFWNetworkRule table with ready-made SourceIp, DestinationIp, DestinationPort, Protocol and Action columns, and no parsing is needed.
- Alerts: Configure alerts in Azure Monitor based on DDoS attack metrics or firewall log events to receive notifications when threats are detected.
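The query above and the alerting bullet both amount to the same thing: pull the fields out of each network rule event, then count what the firewall is rejecting. The script below is an added example, not part of the original guide or of Azure Monitor. It parses the msg_s text of AzureFirewallNetworkRule records in their TCP/UDP form, reproduces the "allowed traffic" view offline, and flags any source that accumulates more denies than a threshold, the kind of condition you would wire into an Azure Monitor alert. The log lines are constructed samples in that format, and the threshold of 3 is an assumption chosen for illustration.

```python
"""Parse Azure Firewall network rule log messages and flag sources with many denies.

Added example (not code from the original guide). Works on the msg_s text of
AzureFirewallNetworkRule records as exported from a Log Analytics workspace;
SAMPLE_LOG below is constructed, not real firewall output, and the deny
threshold is an assumption for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Matches the TCP/UDP form "<proto> request from <ip>:<port> to <ip>:<port>. Action: <Allow|Deny>";
# anything else (e.g. ICMP events, which use a different wording) is skipped.
LOG_RE = re.compile(
    r"^(?P<protocol>TCP|UDP) request from (?P<src>[^:]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
)

# Constructed sample: one office SSH session, a source probing several ports, one stray telnet try.
SAMPLE_LOG = [
    "TCP request from 203.0.113.10:51000 to 10.0.1.4:22. Action: Allow. Rule Collection: allow-ssh-from-office. Rule: ssh-office",
    "TCP request from 198.51.100.7:40001 to 10.0.1.4:3389. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 198.51.100.7:40002 to 10.0.1.4:22. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 198.51.100.7:40003 to 10.0.1.4:445. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 198.51.100.7:40004 to 10.0.1.4:1433. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 192.0.2.9:33000 to 10.0.1.4:23. Action: Deny. No rule matched. Proceeding with default action",
    "UDP request from 10.0.1.5:53211 to 10.0.2.4:53. Action: Allow. Rule Collection: allow-dns. Rule: dns-internal",
    "this line is not a network rule event",
]


@dataclass(frozen=True)
class NetworkRuleEvent:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def parse_event(msg: str) -> NetworkRuleEvent | None:
    """Extract the structured fields from one msg_s value, or None if it is not a TCP/UDP rule event."""
    m = LOG_RE.match(msg)
    if not m:
        return None
    return NetworkRuleEvent(m["protocol"], m["src"], m["dst"], int(m["dport"]), m["action"])


def allowed_events(lines: Iterable[str]) -> list[NetworkRuleEvent]:
    """Offline equivalent of the KQL query in step 5: keep only the Allow records."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if e is not None and e.action == "Allow"]


def denied_sources_over_threshold(lines: Iterable[str], threshold: int = 3) -> dict[str, int]:
    """Count Deny events per source IP and return those at or above the threshold (alert candidates)."""
    counts = Counter(
        e.src_ip for e in (parse_event(line) for line in lines) if e is not None and e.action == "Deny"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in allowed_events(SAMPLE_LOG):
        print(f"ALLOW {ev.protocol} {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port}")
    for ip, n in denied_sources_over_threshold(SAMPLE_LOG).items():
        print(f"ALERT {ip} denied {n} times")
```

The same aggregation expressed in KQL (summarize count() by SourceIp after filtering on Deny) is what an Azure Monitor log alert would evaluate on a schedule; the script is useful for testing the threshold against exported logs before you create the alert rule.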