Announcements, Azure DDoS Protection, Security
Defend against DDoS attacks with Azure DDoS IP Protection
By Amir Dahan Senior Program Manager, Azure Networking
4 min read
Distributed denial of service (DDoS) attacks continue to rise as new threats and attack techniques emerge. With DDoS attacks becoming more frequent, it’s important for organizations of all sizes to be proactive and stay protected all year round. Small and medium businesses (SMBs) face the same risks as larger organizations though are more vulnerable as they often lack resources and specialized expertise.
We are committed to providing security solutions to all our customers. We are announcing the general availability of Azure DDoS IP Protection SKU, a new SKU of Azure DDoS Protection designed to meet the needs of SMBs.
Enterprise-grade DDoS protection at an affordable price point
Azure DDoS IP Protection provides enterprise-grade DDoS protection at an affordable price point. It offers the same essential capabilities as Azure DDoS Network Protection (previously known as Azure DDoS Protection Standard) to protect your resources and applications against evolving DDoS attacks. Customers also have the flexibility to enable protection on individual public IP addresses.
“DDoS protection is a must have today for critical websites. Azure DDoS Protection provides comprehensive protection though the existing DDoS Network Protection SKU did not fit the price point for smaller organizations. We are happy that the DDoS IP Protection SKU provides the same level of protection as the Network Protection SKU at an affordable price point and the flexibility to protect individual public IPs.”—Derk van der Woude, CTO, Nedscaper.
“We are excited that the DDoS IP Protection SKU provides enterprise-grade, cost effective DDoS protection for customers with smaller cloud environments with only a few public IP endpoints in the cloud.”—Markus Lintuala, Senior Technical Consultant, Elisa.
Key features of Azure DDoS IP Protection
- Massive mitigation capacity and scale—Defend your workloads against the largest and most sophisticated attacks with cloud scale DDoS protection backed by Azure’s global network. This ensures that we can mitigate the largest attacks reported in history and thousands of attacks daily.
- Protection against attack vectors—DDoS IP Protection mitigates volumetric attacks that flood the network with a substantial amount of seemingly legitimate traffic. They include UDP floods, amplification floods, and other spoofed-packet floods. DDoS IP Protection mitigates these potential multi-gigabyte attacks by absorbing and scrubbing them, with Azure’s global network scale, automatically. It also protects against protocol attacks that may render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack. They include SYN flood attacks, reflection attacks, and other protocol attacks. DDoS IP Protection mitigates these attacks, differentiating between malicious and legitimate traffic, by interacting with the client, and blocking malicious traffic. Resource (application) layer attacks target web applications and include HTTP/S floods and low and slow attacks. Use Azure Web Application Firewall to defend against these attacks.
- Native integration into Azure portal—DDoS IP Protection is natively integrated into the Azure portal for easy setup and deployment. This level of integration enables DDoS IP Protection to identify your Azure resources and their configuration automatically.
- Seamless protection—DDoS IP Protection seamlessly safeguards your resources. There’s no need to deploy anything in your Azure Virtual Network (VNet), or to change your current networking architecture. DDoS is deployed as an overlay on top of your current networking services.
- Adaptive tuning—Protect your apps and resources while minimizing false-negatives with adaptive tuning tuned to the scale and actual traffic patterns of your application. Applications running in Azure are inherently protected by the default infrastructure-level DDoS protection. However, the protection that safeguards the infrastructure has a much higher threshold than most applications have the capacity to handle, so while a traffic volume may be perceived as harmless by the Azure platform, it can be devastating to the application that receives it. Adaptive tuning guarantees your applications are protected when application-targeted attacks are undetected by Azure’s DDoS infrastructure-level protection offered to all Azure customers.
- Attack analytics, metrics, and logging—Monitor DDoS attacks near real-time and respond quickly to attacks with visibility into attack lifecycle, vectors, and mitigation. With DDoS IP Protection, customers can monitor when the attack is taking place, collect statistics on mitigation, and view the detection thresholds assigned by the adaptive tuning engine to make sure they align with expected traffic baselines. Diagnostic logs offer a deep-dive view on attack insights, allowing customers to investigate attack vectors, traffic flows, and mitigations to support them in their DDoS response strategy.
- Integration with Microsoft Sentinel and Microsoft Defender for Cloud– Strengthen your security posture with rich attack analytics and telemetry integrated with Microsoft Sentinel. We offer a Sentinel solution that includes comprehensive analytics and alert rules to support customers in their Security Orchestration, Automation, and Response (SOAR) strategy. Customers can setup and view security alerts and recommendations provided by Defender for Cloud.
Choosing the right Azure DDoS protection SKU for your needs
Azure DDoS protection is available in two SKUs:
- DDoS IP Protection is recommended for SMB customers with a few public IP resources who need a comprehensive DDoS protection solution that is fully managed, easy to deploy, and monitor.
- DDoS Network Protection is recommended for larger enterprises and organizations looking to protect their entire deployment that spans multiple virtual networks and includes many public IP addresses. It also offers additional features like cost protection, DDoS Rapid Response, and discounts on Azure Web Application Firewall.
Let’s see a detailed comparison between these two SKUs:
DDoS IP Protection can be enabled from the public IP address resource Overview blade.
Protection status in the Properties tab shows if the resource is DDoS protected, and what is the protection type (either Network or IP Protection).
For more information on DDoS IP Protection, see Azure DDoS IP Protection documentation.
Azure DDoS IP Protection pricing
With DDoS IP Protection, you only pay for the public IP resources protected. The cost is a fixed monthly amount for each public IP resource protected with no additional variable costs. For more details on pricing, visit the Azure DDoS Protection pricing page.
- Azure portal
- Configure DDoS telemetry
- Configure DDoS diagnostic logging
- Monitoring Azure DDoS Protection
- Test with simulation partners