Portal extension for Azure Firewall with DDoS protection

Introduction

In the ever-evolving landscape of network security, Azure Firewall has emerged as a key player. As a managed, cloud-based network security service, it provides essential protection for your Azure Virtual Network resources. Cyber threats are increasingly sophisticated and frequent, the importance of robust security measures like Distributed Denial of Service (DDoS) protection cannot be overstated. DDoS attacks can cripple services, making them unavailable to users, which can have significant business implications. One of the motivations for integrating DDoS protection into the Azure Firewall creation flow is to simplify the process for users. Many users who deploy Azure Firewall also enable DDoS protection to protect their network resources. However, for those who may not be aware of the importance of DDoS protection or prefer a more straightforward setup process, the new creation flow makes it easier to enable this feature. By integrating DDoS protection into the Firewall creation process, users can activate this essential security measure with just a few clicks, enhancing the overall security of their network environment.

The New Azure Firewall Flow Creation (Integrating DDoS Protection)

The new Azure Firewall flow creation process represents a significant advancement in network security management. This process is designed to be user-friendly, providing a more streamlined experience for setting up and managing firewalls. These improvements not only enhance the user experience but also contribute to a more secure network environment.

The new creation process is notable for its integration of DDoS protection, allowing users to activate this feature seamlessly during setup. This integration streamlines the process of enabling DDoS protection on Azure Firewall public IPs, making it easily accessible to users of all skill levels with just a few clicks. When customers activate DDoS Protection, they can enroll in DDoS IP Protection or DDoS Network Protection SKUs. These SKUs provide value-added features and capabilities, beyond the basic platform-level DDoS protection that safeguards Azure's infrastructure and services. DDoS attacks targeting your applications and resources are mitigated with a profile that is automatically adjusted to your expected traffic volume, along with attack alert notifications, logging and monitoring, cost protection, and DDoS Rapid Response (included with DDoS Network Protection). This ensures that, even in the event of a DDoS attack, services remain available and secure, which is vital in today's digital environment where service availability can have a direct impact on business operations.

Note: This new flow creation is now available for preview. To access it, use the URL preview.portal.azure.com.

Exploring the New Service Creation Flow

Let's delve into the new service creation flow and learn how to navigate it. Start by accessing the Firewall service in your Azure portal and initiate the creation of a new Firewall.

This initial step mirrors the process used in the past to create your Firewall. You'll need to select the resource, name, region, and availability zones that suit your needs. When it comes to Firewall SKU, you're presented with three options: Standard, Premium, and Basic. To gain a better understanding of which Firewall SKU aligns with your requirements, refer to Choose the right Azure Firewall SKU to meet your needs | Microsoft Learn

Note: DDoS protection is compatible with all 3 Firewall SKUs (Standard, Premium and Basic)

Proceed to complete the remaining options, including Firewall policy, VNET, and public IP. It’s crucial to remember that the public IP selected here will be protected by Azure DDoS IP protection if you opt for it later. Once you’ve configured the Firewall options, proceed by clicking on “Next: DDoS protection” at the bottom of the page.

Under the DDoS protection tab, you'll find three protection types to choose from:

1. Virtual Network Inherit: This option allows you to create a new DDoS protection plan or utilize an existing one within the same tenant to safeguard the Virtual Network where your Azure Firewall is deployed. This implies that all VNET-based public IPs within this VNET will be shielded by Azure DDoS network protection.
2. IP: This type of DDoS protection is specific to the public IP you selected in the previous step. Azure DDoS IP protection will be enabled solely for this IP.
3. None: Selecting this will exclude your Azure Firewall's associated public IP from any DDoS protection.

After deciding on the DDoS protection type that suits your needs, proceed to the validation stage. Once validation is successful, you can go ahead and create your new Azure Firewall resource.

Configuring DDoS protection from Azure Firewall

The latest portal update also introduces a new feature that enables users to directly configure DDoS protection for Azure Firewall public IPs within the Firewall configuration. In the Settings section, you will find the “Public IP Configuration” option. Alongside each public IP, a DDoS protection status is displayed, indicating whether the IP is protected by DDoS protection and the SKU it is protected by. By clicking on the status, you can directly configure Azure DDoS protection for your public IP.

Conclusion

The new Azure Firewall flow creation process represents a significant step forward in network security. By simplifying the enablement of DDoS protection and ensuring availability and security, it provides users with a robust, user-friendly solution for network security. As we move forward, these advancements will continue to play a crucial role in protecting digital services and data.

References

Azure Firewall Standard features | Microsoft Learn

Deploy & configure Azure Firewall using the Azure portal | Microsoft Learn

Azure DDoS Protection Overview | Microsoft Learn

Choose the right Azure Firewall SKU to meet your needs | Microsoft Learn