13 Aug Protect your workloads with Azure DDoS Protection Standard
Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to protect all public IP addresses in virtual networks. Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes. Our recently released Azure built-in policies allow for better management of network security compliance by making it easy to onboard all your virtual network resources and to configure logs.
The world continues to be heavily dependent on digital services. We see a growing reliance on cloud-computing services, across sectors from financial services to healthcare. Cyberthreats are pervasive and ever-evolving, and it is always crucial for businesses to develop a robust DDoS response strategy and be proactive in protecting their public workloads.
With the recent rise of web application DDoS attacks, it is best to use DDoS Protection Standard alongside Application Gateway web application firewall (WAF), or a third-party web application firewall deployed in a virtual network with a public IP, for comprehensive protection. This also works if you are using Azure Front Door alongside Application Gateway, or if your backend resources are in your on-premises environment.
If you have a web application that receives traffic from the Internet and is deployed regionally, you can host your application behind Application Gateway, then protect it with a WAF against Layer 7 web attacks and enable DDoS Protection Standard on the virtual network which contains the Application Gateway and WAF. In this scenario, the backend origins of your application are in your on-premises environment, which is connected over the virtual private network (VPN). DDoS Protection Standard will defend your application by mitigating bad traffic and routing the traffic it deems clean to your application.
Azure DDoS Protection Standard offers the following key benefits:
- Backed by the Microsoft global network: We bring massive DDoS mitigation capacity to every Azure region, scrubbing traffic at the Azure network edge before it can impact the availability of your services. If we identify that the attack volume is significant, we leverage the global scale of Azure to defend against the attack from where it is originating.
- Cost protection: DDoS attacks often trigger the automatic scale-out of the service running in Azure. This could lead to a significant increase in network bandwidth, the scaling-up of the virtual machine count, or both. In the event of an attack, you can receive Azure credits for any scale-out of resources, so you do not have to worry about setting your application to auto-scale or paying the excess cost for egress data transfer.
- DDoS Rapid Response: During an active attack or after an attack, you can engage the DDoS Protection Rapid Response team for help with attack investigation and specialized support. The DDoS Protection Rapid Response team follows the Azure Rapid Response support model.
- Rich attack analytics: With DDoS attack analytics, you can view metrics, configure alerts, and get mitigation reports and flow logs that give you detailed visibility into attack traffic and the actions we are taking to mitigate a DDoS attack. You can also connect your logs to Azure Sentinel, and view and analyze your data in workbooks. With Azure Security Center, we offer alerts whenever your public IP is under a DDoS attack, or if the attack has been mitigated by us, and we also offer recommendations to enable DDoS Protection Standard for your unprotected virtual networks.
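
Because protection is enabled per virtual network, a useful first check is which virtual networks are still unprotected. The script below is an added example, not code from the original post or from Microsoft: it assumes a JSON export shaped like the output of `az network vnet list -o json`, and the sample records, names and plan ID in it are constructed.

```python
import json

# Constructed sample shaped like `az network vnet list -o json` output.
# All names, resource groups and the plan ID are made up for illustration.
PLAN_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-net/providers/Microsoft.Network/ddosProtectionPlans/plan-example")
SAMPLE_VNETS = json.loads("""
[
  {"name": "vnet-appgw-prod", "resourceGroup": "rg-web",
   "enableDdosProtection": true, "ddosProtectionPlan": {"id": "%s"}},
  {"name": "vnet-api-prod", "resourceGroup": "rg-api",
   "enableDdosProtection": false, "ddosProtectionPlan": null},
  {"name": "vnet-legacy", "resourceGroup": "rg-old"},
  {"name": "vnet-review", "resourceGroup": "rg-web",
   "enableDdosProtection": true, "ddosProtectionPlan": null}
]
""" % PLAN_ID)


def ddos_status(vnet):
    """Classify one virtual network record by its DDoS protection settings."""
    enabled = vnet.get("enableDdosProtection") is True
    plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id")
    if enabled and plan_id:
        return "protected"
    if enabled:
        # Claims protection but references no plan: flag it for review so a
        # truncated or hand-edited export is never counted as protected.
        return "enabled-without-plan"
    # Missing or false flag: treat as unprotected (fail closed).
    return "unprotected"


def audit(vnets):
    """Return {status: sorted ["resourceGroup/name", ...]} for a report."""
    report = {"protected": [], "enabled-without-plan": [], "unprotected": []}
    for vnet in vnets:
        report[ddos_status(vnet)].append(f'{vnet["resourceGroup"]}/{vnet["name"]}')
    for names in report.values():
        names.sort()
    return report


if __name__ == "__main__":
    for status, names in audit(SAMPLE_VNETS).items():
        print(f"{status}: {', '.join(names) or '-'}")
```
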