
Understanding Azure DDoS Protection: A Closer Look


Introduction

Azure DDoS Protection is a service that is continually updated to protect customers from ever-changing distributed denial-of-service (DDoS) attacks. One of the major challenges of cloud computing is ensuring that customer solutions maintain security and application availability. Microsoft has been addressing this challenge with its Azure DDoS Protection service, which was launched in public preview in 2017 and became generally available in 2018. Since its inception, Microsoft has renamed its Azure DDoS Protection service to better reflect its capabilities and features. We’ll discuss how this protection service has transformed through the years and provide more insight into the levels of protection offered by the separate tiers.

 

Azure DDoS Protection Services

Platform Level Protection

When Azure DDoS Protection was first introduced, Azure highlighted two levels of protection: Azure DDoS Protection Basic, used to protect the Azure platform and Azure shared services, and Azure DDoS Protection Standard, a paid-for offering designed to safeguard customer applications with advanced mitigation techniques.

 

In 2022, Azure DDoS Protection Basic was formally renamed Azure DDoS Infrastructure Protection to reflect the layer at which this protection is applied. Azure DDoS Infrastructure Protection is a default, platform-level protection that secures and maintains the availability of Azure services in public and government cloud regions. It monitors and mitigates DDoS attacks that target an Azure region or Azure service with the aim of disrupting availability for all Azure customers. This protection is provided free of charge and does not require any configuration or activation. It safeguards critical Microsoft and consumer services like Azure Front Door, Azure DNS, Azure shared services, Microsoft 365, LinkedIn, Bing, and Xbox gaming.

 

However, it’s important to note that while Azure DDoS Infrastructure Protection is designed to protect the Azure platform from large-scale DDoS attacks, it does not specifically protect individual customer workloads. Large-scale attacks can still impact customer workloads, even if they don’t disrupt the overall Azure platform.

 

To address this, Azure DDoS Network Protection, formerly known as Azure DDoS Protection Standard, was introduced. This service is designed to offer more control and visibility over DDoS defense for individual customer workloads. It provides a more customized solution that guarantees application availability for Azure customers. This means that even if a large-scale attack occurs, Azure DDoS Network Protection can help ensure that your specific applications remain available and secure.

 

Workload Level Protection

Azure DDoS Network Protection is one of two offerings of Azure’s premium DDoS protection service on the Azure platform. This application-level protection helps defend customer applications hosted in Azure from large-scale DDoS attacks by monitoring an application’s traffic patterns 24/7 and automatically mitigating an attack once it is detected. Azure DDoS Network Protection employs advanced mitigation techniques to keep customer workloads secure and to allow legitimate traffic to reach the application, which makes it a superior solution to Azure DDoS Infrastructure Protection, which relies mainly on rate-limit mitigation techniques. The advanced techniques include:

  • Ensure packets conform to internet specifications and are not malformed.
  • Interact with the client to determine if the traffic is potentially a spoofed packet.
  • Rate-limit packets, if no other enforcement method can be performed.

This solution also adapts to the application’s traffic over time, using intelligent traffic profiling to tune customized threshold policies covering TCP SYN, TCP, and UDP packets-per-second (pps) thresholds. Through attack analytics, metrics, and alerting, Azure DDoS Network Protection provides customers with detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and the actions taken to mitigate the attack via attack mitigation reports and mitigation flow logs.

 

To further support Azure customers during an active DDoS attack, when Azure DDoS Network Protection is enabled, customers will have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack and post-attack analysis.

 

Additionally, if a resource is protected with Azure DDoS Network Protection, any scale-out costs incurred during a DDoS attack are covered, and customers receive a cost credit for those scaled-out resources.

 

Examples of costs associated with a documented DDoS attack:

  • Data processing (ingress/egress) for Azure Firewall and Application Gateway with WAF
  • Scale-out of Virtual Machines and Azure Kubernetes Service
  • Data egress for network bandwidth (this happens during an amplification attack, when DDoS-impacted apps make outbound connections)
  • Scale-out of backend PaaS resources like SQL, CosmosDB, Storage, App Services, etc.

 

This protection can be enabled for any new or existing virtual network in an Azure tenant with a DDoS protection plan, and it supports up to 100 Public IPs with the ability to add more. Protection is turnkey: it is applied instantly to all resources in a virtual network as soon as Azure DDoS Network Protection is enabled.


 

Azure DDoS IP Protection is the second offering for Azure’s premier DDoS protection service. This tier of service is aimed at supporting Azure’s Small and Medium Business (SMB) customers with enterprise-level DDoS protection at an affordable price point. Azure DDoS IP Protection offers the same essential capabilities as Azure DDoS Network Protection, using the same advanced mitigation techniques, providing the same insights and reports, and utilizing the full scale and capacity of Azure’s globally deployed network. Although the core engineering features match, the following value-added services are not provided:

  • DDoS Rapid Response support
  • Cost Protection

 

Unlike Network Protection, which applies to an entire virtual network, Azure DDoS IP Protection is a pay-per-protected-IP model. Protection is turnkey here as well: it is applied instantly to a Public IP when Azure DDoS IP Protection is enabled for it.
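
As an added example (not from the original article or from Microsoft), the following coverage audit maps each public IP to the tier that effectively covers it and flags IPs left on platform-level protection only. The inventory shape, resource names, plan names and `protection_mode` values are assumptions made for illustration; the tier properties and the 100-IP figure come from the text above.

```python
from collections import Counter

INCLUDED_IPS_PER_PLAN = 100  # "supports up to 100 Public IPs" per the article

# Per the article, only this tier adds DDoS Rapid Response and cost protection.
VALUE_ADDED_TIERS = {"Network Protection"}

def classify(ip, vnet_plans):
    """Return the DDoS tier that effectively covers one public IP record."""
    mode = ip.get("protection_mode", "VirtualNetworkInherited")
    if mode == "Enabled":                      # protection enabled on the IP itself
        return "IP Protection"
    if mode == "VirtualNetworkInherited" and vnet_plans.get(ip.get("vnet")):
        return "Network Protection"            # VNet has a DDoS protection plan
    return "Infrastructure only"               # platform default, not workload-tuned

def audit(public_ips, vnet_plans):
    """Summarise coverage, list weakly covered IPs, and flag oversized plans."""
    tiers = {ip["name"]: classify(ip, vnet_plans) for ip in public_ips}
    per_plan = Counter(
        vnet_plans[ip["vnet"]] for ip in public_ips
        if tiers[ip["name"]] == "Network Protection"
    )
    return {
        "tiers": tiers,
        "infrastructure_only": sorted(
            n for n, t in tiers.items() if t == "Infrastructure only"),
        "no_drr_or_cost_protection": sorted(
            n for n, t in tiers.items() if t not in VALUE_ADDED_TIERS),
        "plans_over_included": sorted(
            p for p, c in per_plan.items() if c > INCLUDED_IPS_PER_PLAN),
    }

# Constructed sample inventory (hypothetical names, not real Azure output).
VNET_PLANS = {"vnet-prod": "plan-prod", "vnet-dev": None}
PUBLIC_IPS = [
    {"name": "pip-web", "vnet": "vnet-prod", "protection_mode": "VirtualNetworkInherited"},
    {"name": "pip-batch", "vnet": "vnet-prod", "protection_mode": "Disabled"},
    {"name": "pip-api", "vnet": "vnet-dev", "protection_mode": "Enabled"},
    {"name": "pip-test", "vnet": "vnet-dev", "protection_mode": "VirtualNetworkInherited"},
    {"name": "pip-spare", "vnet": None, "protection_mode": "VirtualNetworkInherited"},
]

if __name__ == "__main__":
    for key, value in audit(PUBLIC_IPS, VNET_PLANS).items():
        print(key, value)
```
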


Conclusion

Developers and administrators need to adopt proactive and reactive measures to protect their systems from DDoS attacks and ensure a smooth and secure user experience. These attacks aim to overwhelm the server's resources, disrupt the availability and performance of the system, and cause financial and reputational losses. Azure has been providing cloud customers with different levels of protection against DDoS attacks since before 2017. By implementing Azure DDoS Protection services like Azure DDoS Network Protection or Azure DDoS IP Protection, developers and administrators can feel confident in their security and resilience against DDoS threats. For information on how to protect your web services from Layer 7 DDoS attacks, see the Azure Web Application Firewall entries for Application Gateway and Azure Front Door in the References below.

 

References

Azure DDoS Protection Overview | Microsoft Learn

About Azure DDoS Protection tier Comparison | Microsoft Learn

Azure DDoS Protection features | Microsoft Learn

Azure DDoS Protection frequently asked questions | Microsoft Learn

Azure DDoS Protection Pricing | Microsoft Azure

What is Azure Web Application Firewall on Azure Application Gateway? - Azure Web Application Firewall | Microsoft Learn

What is Azure Web Application Firewall on Azure Front Door? | Microsoft Learn

Azure DDoS Protection Service preview | Azure Blog | Microsoft Azure

Azure DDoS Protection for virtual networks generally available | Azure Blog | Microsoft Azure

General availability: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure
