Azure DDoS IP Protection is Now Available in Public Preview
Written in collaboration with
Introduction
IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.
If you have only a few public IPs in your environment, you can start with the IP Protection SKU, which is enabled directly on the public IP resource, so you pay only for that protected resource. The cost is a fixed $199/month for each protected public IP resource, with no additional variable costs. Prices may vary by region. Billing for IP Protection will be effective starting on February 1, 2023. For the full pricing list, see Azure DDoS Protection Pricing | Microsoft Azure.
SKU comparison
The new IP Protection SKU differs from the Network Protection SKU in a few features. The main differences are shown below:
| Feature | DDoS IP Protection | DDoS Network Protection |
|---|---|---|
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customers application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Azure Sentinel data connector and workbook | Yes | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | $199/month per protected IP | $2,944/month per DDoS protection plan and overage charge of $30 for each extra public IP above 100 IPs |
Region Availability
| Americas | Europe | Middle East | Africa | Asia Pacific |
|---|---|---|---|---|
| West Central US | France Central | UAE Central | South Africa North | Australia Central |
| North Central US | Germany West Central | Qatar Central | | Korea Central |
| West US | Switzerland North | | | Japan East |
| West US 3 | France South | | | West India |
| | Norway East | | | Jio India Central |
| | Sweden Central | | | Australia Central 2 |
| | Germany North | | | |
More regions are being added; the current list is maintained at About Azure DDoS Protection SKU Comparison | Microsoft Learn.
Enabling Azure DDoS IP Protection
Prerequisites
- Log in using Azure preview portal if you want to use Azure portal for DDoS IP Protection configuration
- Deploy the Public IP in one of the supported regions mentioned above
- Deploy the Public IP in standard SKU
Using Azure Portal
To enable the IP Protection SKU using the Azure portal, first make sure you’re using the preview portal https://preview.portal.azure.com. After you sign in, you can either create a new public IP or use an existing one, deployed in one of the supported regions.
Navigate to your Public IP resource. On the Overview page, you will see “Protect IP address” in the bottom right corner.
Once you click on “Protect”, you will be given three options:
- Network: Inherit DDoS protection from the virtual network. Use this option if you’re using a DDoS Network Protection plan to protect the VNet where the public IP is attached, and you want to add the IP to your plan.
- IP: Specific to this IP address. Selecting this option will enable the DDoS IP Protection specifically on this public IP. (We will be using this option to demonstrate the new SKU)
- Disable: The “disable” option gives you the ability to exclude public IPs from DDoS Network Protection plan. You can read more about this here https://techcommunity.microsoft.com/t5/azure-network-security-blog/exclude-public-ip-addresses-in-azure-ddos-network-protection/ba-p/3676143
The protection status will warn you if your public IP is not protected by DDoS protection. After choosing the IP protection and saving the settings, you can see below that the protection status is green.
Using PowerShell
Another way to enable IP protection is via PowerShell. To create a new Public IP with DDoS IP protection enabled on it, use the following command:
```powershell
# Create a Standard SKU public IP with DDoS IP Protection enabled
New-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup -Sku Standard -Location "East US" -AllocationMethod Static -DdosProtectionMode Enabled
```
Note: Make sure to choose the Standard SKU when you're creating the public IP.
If you already have a Public IP and want to enable DDoS protection on it, use these commands:
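```powershell
# Get the existing public IP address
$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
# Enable DDoS IP Protection on it
$publicIp.DdosSettings.ProtectionMode = 'Enabled'
# Write the change back to Azure
Set-AzPublicIpAddress -PublicIpAddress $publicIp
```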
To verify that your DDoS IP Protection is enabled on your public IP, run these commands:
```powershell
# Read the public IP back and print its protection mode
$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup
$protectionMode = $publicIp.DdosSettings.ProtectionMode
$protectionMode
```
For more information about configuring Azure DDoS IP Protection with Azure PowerShell, see Quickstart: Create and configure Azure DDoS IP Protection using PowerShell | Microsoft Learn.
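The verification commands above check one address at a time. As an added example (not from the original post or from Microsoft's documentation), the function below audits many public IPs at once against this page's prerequisites (Standard SKU, listed preview region) and explains each protection mode. `Get-DdosIpProtectionAudit`, `New-SamplePip` and the sample objects are hypothetical; the region list is copied from the table above.

```powershell
# Added example: audit public IPs against this page's prerequisites and modes.
# Preview regions copied from the table above, normalised to Azure location names.
$PreviewRegions = @(
    'West Central US', 'North Central US', 'West US', 'West US 3', 'France Central',
    'Germany West Central', 'Switzerland North', 'France South', 'Norway East',
    'Sweden Central', 'Germany North', 'UAE Central', 'Qatar Central',
    'South Africa North', 'Australia Central', 'Korea Central', 'Japan East',
    'West India', 'Jio India Central', 'Australia Central 2'
) | ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }

function Get-DdosIpProtectionAudit {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $PublicIp)
    process {
        $mode     = "$($PublicIp.DdosSettings.ProtectionMode)"   # '' when unset
        $location = ("$($PublicIp.Location)" -replace '\s', '').ToLowerInvariant()
        $finding  = switch ($mode) {
            'Enabled'                 { 'IP Protection is enabled on this address' }
            'VirtualNetworkInherited' { 'Inherited: protected only if the VNet has a Network Protection plan' }
            'Disabled'                { 'Excluded from DDoS protection' }
            default                   { 'Protection mode not set' }
        }
        [pscustomobject]@{
            Name            = $PublicIp.Name
            ResourceGroup   = $PublicIp.ResourceGroupName
            ProtectionMode  = $mode
            StandardSku     = $PublicIp.Sku.Name -eq 'Standard'
            InPreviewRegion = $location -in $PreviewRegions
            Finding         = $finding
        }
    }
}

# Constructed objects shaped like Get-AzPublicIpAddress output (names are made up).
function New-SamplePip($Name, $Location, $Sku, $Mode) {
    [pscustomobject]@{
        Name = $Name; ResourceGroupName = 'MyResourceGroup'; Location = $Location
        Sku = [pscustomobject]@{ Name = $Sku }
        DdosSettings = [pscustomobject]@{ ProtectionMode = $Mode }
    }
}
$sample = @(
    New-SamplePip 'fw-pip'  'westus3'       'Standard' 'Enabled'
    New-SamplePip 'app-pip' 'francecentral' 'Standard' 'VirtualNetworkInherited'
    New-SamplePip 'old-pip' 'eastus'        'Basic'    'Disabled'
)
$sample | Get-DdosIpProtectionAudit | Format-Table -AutoSize

# Live subscription (needs Az.Network and Connect-AzAccount); list addresses without IP Protection:
# Get-AzPublicIpAddress | Get-DdosIpProtectionAudit | Where-Object ProtectionMode -ne 'Enabled'
```

An address reported as `VirtualNetworkInherited` still needs a check that its virtual network is attached to a DDoS Network Protection plan, since the mode alone does not confirm protection.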
Protecting resources using DDoS IP protection and Azure Firewall Basic
The public preview of the DDoS IP Protection SKU was announced at Microsoft Ignite 2022 alongside the Azure Firewall Basic SKU. This is a new SKU of Azure Firewall that provides the essential protection SMB customers need at an affordable price point: a cloud-native, highly available, stateful firewall-as-a-service offering that lets customers centrally govern and log all their traffic flows with essential capabilities at scale.
These two new SKUs provide SMB customers with enterprise-grade network firewall and DDoS protection at a lower price point. By deploying Azure Firewall Basic and enabling DDoS IP Protection on the firewall’s public IP, customers can benefit from both services. Azure Firewall Basic provides L3-L7 filtering of East-West and North-South traffic with built-in threat intelligence to block malicious traffic; DDoS IP Protection provides cloud-scale DDoS protection to defend against large and sophisticated DDoS attacks. For more information and configuration instructions for Azure Firewall Basic, see Azure Firewall Basic SKU is now Available in Public Preview - Microsoft Community Hub.
Summary
DDoS attacks are one of the biggest security concerns for applications in the cloud, and they are increasing in complexity and frequency as the cyber security landscape evolves. All customers, including small and medium-sized ones, are affected by the recent increase in DDoS attacks. We now have a per-IP DDoS SKU that helps SMBs/SMEs curb Layer 3 and Layer 4 DDoS attacks against their public IPs, including those of Firewalls, Application Gateways and Load Balancers. This also ensures that all customers using public IPs on Azure are protected.
Additional Resources:
What’s new in Azure Network Security at Microsoft Ignite 2022 - Microsoft Community Hub
Public preview: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure