Azure DDoS IP Protection is Now Available in Public Preview
Written in collaboration with
Introduction
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.
If you have only a few public IPs in your environment, you can start with the IP Protection SKU, which is enabled directly on the public IP resource, so you pay only for that protected resource. The cost is a fixed $199/month for each protected public IP resource, with no additional variable costs. Prices may vary by region. Billing for IP Protection will be effective starting on February 1, 2023. For the full pricing list, see Azure DDoS Protection Pricing | Microsoft Azure.
SKU comparison
The new IP Protection SKU has some feature differences compared to the Network Protection SKU. The main differences are shown below:
| Feature | DDoS IP Protection | DDoS Network Protection |
|---|---|---|
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customers application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Azure Sentinel data connector and workbook | Yes | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | $199/month per protected IP | $2,944/month per DDoS protection plan and overage charge of $30 for each extra public IP above 100 IPs |
Region Availability
| Americas | Europe | Middle East | Africa | Asia Pacific |
|---|---|---|---|---|
| West Central US | France Central | UAE Central | South Africa North | Australia Central |
| North Central US | Germany West Central | Qatar Central | | Korea Central |
| West US | Switzerland North | | | Japan East |
| West US 3 | France South | | | West India |
| | Norway East | | | Jio India Central |
| | Sweden Central | | | Australia Central 2 |
| | Germany North | | | |
More regions are being added; for the current list, see About Azure DDoS Protection SKU Comparison | Microsoft Learn.
Enabling Azure DDoS IP Protection
Prerequisites
- Sign in through the Azure preview portal if you want to use the Azure portal for DDoS IP Protection configuration
- Deploy the public IP in one of the supported regions mentioned above
- Deploy the public IP with the Standard SKU
Using Azure Portal
To enable the IP Protection SKU using the Azure portal, first make sure you’re using the preview portal https://preview.portal.azure.com. After you sign in, you can either create a new public IP or use an existing one, in one of the supported regions.
Navigate to your Public IP resource; on the Overview page, you will see “Protect IP address” in the bottom right corner.
Once you click on “Protect”, you will be given 3 options:
- Network: Inherit DDoS protection from the virtual network. Use this option if you’re using a DDoS Network Protection plan to protect the VNet where the public IP is attached, and you want to add the IP to your plan.
- IP: Specific to this IP address. Selecting this option will enable the DDoS IP Protection specifically on this public IP. (We will be using this option to demonstrate the new SKU)
- Disable: The “disable” option gives you the ability to exclude public IPs from DDoS Network Protection plan. You can read more about this here https://techcommunity.microsoft.com/t5/azure-network-security-blog/exclude-public-ip-addresses-in-azure-ddos-network-protection/ba-p/3676143
The protection status will warn you if your public IP is not protected by DDoS protection. After choosing the IP protection and saving the settings, you can see below that the protection status is green.
Using PowerShell
Another way to enable IP protection is via PowerShell. To create a new Public IP with DDoS IP protection enabled on it, use the following command:
New-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup -Sku Standard -Location "East US" -AllocationMethod Static -DdosProtectionMode Enabled
Note: Make sure to choose Standard SKU when you're creating the public IP
If you already have a Public IP and want to enable DDoS protection on it, use these commands:
$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
$publicIp.DdosSettings.ProtectionMode = 'Enabled'
Set-AzPublicIpAddress -PublicIpAddress $publicIp
To verify that your DDoS IP Protection is enabled on your public IP, run these commands:
$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
$protectionMode = $publicIp.DdosSettings.ProtectionMode
$protectionMode
For more information about configuring Azure DDoS IP Protection using Azure PowerShell, see Quickstart: Create and configure Azure DDoS IP Protection using PowerShell | Microsoft Learn
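The audit below is an added example, not part of the original post: it lists every public IP in the current subscription with its DdosSettings.ProtectionMode, maps that value to the three portal options described above, and does a rough cost check with the prices quoted on this page. It assumes the Az.Network module and an authenticated session; VirtualNetworkInherited and Disabled are the API values behind the portal's Network and Disable options.

```powershell
# Added example: audit the DDoS protection mode of every public IP in the
# current subscription. Needs Az.Network and a session from Connect-AzAccount.

# Monthly list prices quoted on this page (may vary by region).
$ipSkuPrice   = 199    # per protected public IP (IP Protection)
$planPrice    = 2944   # per DDoS protection plan, includes 100 public IPs
$overagePrice = 30     # per public IP above 100

# API value -> portal option described in "Using Azure Portal".
$portalOption = @{
    VirtualNetworkInherited = 'Network'
    Enabled                 = 'IP'
    Disabled                = 'Disable'
}

$report = foreach ($pip in Get-AzPublicIpAddress) {
    $mode = $pip.DdosSettings.ProtectionMode   # $null if DdosSettings is absent
    [pscustomobject]@{
        Name           = $pip.Name
        ResourceGroup  = $pip.ResourceGroupName
        Location       = $pip.Location
        Sku            = $pip.Sku.Name
        ProtectionMode = if ($mode) { "$mode" } else { '(not set)' }
        PortalOption   = if ($mode) { $portalOption["$mode"] } else { '(not set)' }
        Eligible       = $pip.Sku.Name -eq 'Standard'   # prerequisite on this page
    }
}

$report | Sort-Object ProtectionMode, Name | Format-Table -AutoSize | Out-Host

# Standard-SKU IPs explicitly excluded from protection deserve a second look.
$report | Where-Object { $_.Eligible -and $_.ProtectionMode -eq 'Disabled' } |
    Format-Table Name, ResourceGroup, Location | Out-Host

# Rough cost check with the page's prices: per-IP billing vs. one plan.
# A plan covers the public IPs in the VNets it protects, so treat this as an estimate.
$count    = @($report | Where-Object ProtectionMode -eq 'Enabled').Count
$ipCost   = $count * $ipSkuPrice
$planCost = $planPrice + [math]::Max(0, $count - 100) * $overagePrice
'{0} IP(s) on IP Protection: ${1}/month; one Network Protection plan: ${2}/month' -f $count, $ipCost, $planCost
```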
Protecting resources using DDoS IP protection and Azure Firewall Basic
The public preview of the DDoS IP Protection SKU was announced at Microsoft Ignite 2022 together with the Azure Firewall Basic SKU. This new Azure Firewall SKU provides the essential protection SMB customers need at an affordable price point: a cloud-native, highly available, stateful firewall-as-a-service offering that enables customers to centrally govern and log all their traffic flows with essential capabilities at scale.
These two new SKUs provide SMB customers enterprise-grade network firewall and DDoS protection at a lower price point. By deploying Azure Firewall Basic and enabling DDoS IP protection on firewall’s public IP, customers can benefit from both services. Azure Firewall Basic provides L3-L7 filtering of East-West and North-South traffic with built-in threat intelligence to block malicious traffic; DDoS IP protection provides cloud scale DDoS protection to defend against large and sophisticated DDoS attacks. For more information and configuration instructions about Azure Firewall Basic, see Azure Firewall Basic SKU is now Available in Public Preview - Microsoft Community Hub
Summary
DDoS attacks are one of the biggest security concerns for applications in the cloud, and they are increasing in complexity and frequency, driven by the evolving challenges in the cyber security landscape. All customers, including small and medium-sized ones, are affected by the recent increase in DDoS attacks. We now have a DDoS per-IP SKU that helps SMBs/SMEs curb Layer 3 and Layer 4 DDoS attacks against their public IPs, including those of Firewalls, Application Gateways and Load Balancers. This also ensures that all customers using public IPs on Azure are protected.
Additional Resources:
What’s new in Azure Network Security at Microsoft Ignite 2022 - Microsoft Community Hub
Public preview: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure