This blog post was co-authored by JR Mayberry, Principal PM Manager & Anupam Vij, Senior Program Manager, Azure Networking.
Distributed Denial of Service (DDoS) attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. These concerns are justified as the number of documented DDoS attacks grew 380% in Q1 2017 over Q1 2016 according to data from Nexusguard. In October 2016, a number of popular websites were impacted by a massive cyberattack consisting of multiple denial of service attacks. It’s estimated that up to one third of all Internet downtime incidents are related to DDoS attacks.
As the types and sophistication of network attacks increases, Azure is committed to providing our customers with solutions that continue to protect the security and availability of applications on Azure. Security and availability in the cloud is a shared responsibility. Azure provides platform level capabilities and design best practices for customers to adopting and apply into application designs meeting their business objectives.
Today we're excited to announce the preview of Azure DDoS Protection Standard. This service is integrated with Virtual Networks and provides protection for Azure applications from the impacts of DDoS attacks. It enables additional application specific tuning, alerting and telemetry features beyond the basic DDoS Protection which is included automatically in the Azure platform.
Azure DDoS Protection Service offerings
Azure DDoS Protection Basic service
Basic protection is integrated into the Azure platform by default and at no additional cost. The full scale and capacity of Azure’s globally deployed network provides defense against common network layer attacks through always on traffic monitoring and real-time mitigation. No user configuration or application changes are required to enable DDoS Protection Basic.
Azure DDoS Protection Standard service
Azure DDoS Protection Standard is a new offering which provides additional DDoS mitigation capabilities and is automatically tuned to protect your specific Azure resources. Protection is simple to enable on any new or existing Virtual Network and requires no application or resource changes. Standard utilizes dedicated monitoring and machine learning to configure DDoS protection policies tuned to your Virtual Network. This additional protection is achieved by profiling your application’s normal traffic patterns, intelligently detecting malicious traffic and mitigating attacks as soon as they are detected. DDoS Protection Standard provides attack telemetry views through Azure Monitor, enabling alerting when your application is under attack. Integrated Layer 7 application protection can be provided by Application Gateway WAF.
Azure DDoS Protection Standard service features
Native Platform Integration
Azure DDoS Protection is natively integrated into Azure and includes configuration through the Azure Portal and PowerShell when you enable it on a Virtual Network (VNet).
Turn Key Protection
Simplified provisioning immediately protects all resources in a Virtual Network with no additional application changes required.
Always on monitoring
When DDoS Protection is enabled, your application traffic patterns are continuously monitored for indicators of attacks.
DDoS protection understands your resources and resource configuration and customizes the DDoS Protection policy to your Virtual Network. Machine Learning algorithms set and adjust protection policies as traffic patterns change over time. Protection policies define protection limits, and mitigation is performed when actual network traffic exceeds the policies threshold.
L3 to L7 Protection with Application Gateway
Azure DDoS Protection service in combination with Application Gateway Web application firewall provides DDoS Protection for common web vulnerabilities and attacks.
- Request rate-limiting
- HTTP Protocol Violations
- HTTP Protocol Anomalies
- SQL Injection
- Cross site scripting
DDoS Protection telemetry, monitoring & alerting
Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Splunk (Azure Event Hubs), OMS Log Analytics and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
When the DDoS Protection services goes GA, Cost Protection will provide resource credits for scale out during a documented attack.
Azure DDoS Protection Standard service availability
Azure DDoS Protection is now available for preview in select regions in US, Europe, and Asia. For details, see DDoS Protection.
How do I get started?
DDoS Protection is in preview and there is no cost for the service during preview. Azure customers may register for the Azure DDoS Protection service here.
To learn more about the service, please see the Azure DDoS Protection service documentation.