DDoS protection is a feature in Azure Virtual Networks, when you have an Azure Virtual Network, you have at least basic tier DDoS protection.
Understand Basic DDoS protection
- It’s FREE
- It’s design to protect Azure platform instead of a single tenant
- No user interface / configuration
- No single user/tenant alert
- No advance features
- Actually, DDoS Protection Basic helps protect all Azure services, including PaaS services like Azure DNS.
The basic tier is deployed to protect Azure infrastructure, all the resources in Azure are protected if it expose to public network. You will not get an alert when you are on attack, you can not configure the threshold.
Both basic and standard DDoS protection is on Layer 3 and 4, which means Azure doesn’t inspect the payload.
Basic DDoS protection in Azure consists of both software and hardware components. The Basic protection is shared with O365, so it’s a build-in services in Azure.
You might NOT be protected if you are using a very small size of resource, the traffic/workload might exceed your resource limitation, but it’s still small for the whole Azure infrastructure.
Standard DDoS protection
- It’s based on Virtual Network, resources out of vNET are not protected.
- Pay around 2000€/month at least. see here
- This feature uses Machine learning-based network traffic profiling, which takes time. (maybe two weeks).
- If the feature is disabled, Machine Learning still need warm-up time to work.
- You should install WAF to protect Lay-7 traffic.
- In order to protect PaaS, you might want to use the following design.
In order to check if you are under DDoS attack, please check your metrics to confirm that.
Microsoft has partnered with BreakingPoint Cloud to build an interface where you can generate traffic against DDoS Protection-enabled public IP addresses for simulations