Design 26: DDoS Protection

Summary

This design protects your network from Distributed Denial of Service (DDoS) attacks.

Topology: The DDoS Protection Plan is a global resource linked to the Hub VNet. The peered Spoke VNets are protected as well, each being linked to the same plan (see ADR-02 and the LLD).

1. Key Design Decisions (ADR)

ADR-01: SKU Selection

  • Decision: DDoS Network Protection (formerly Standard).
  • Rationale: Provides dedicated monitoring, adaptive tuning, and cost protection (service credits for the scale-out costs incurred during an attack). Basic is free but offers only generic, platform-level protection.

ADR-02: Scope

  • Decision: Attach to Hub VNet.
  • Rationale: Protects the VPN Gateway and Firewall in the Hub. Peered Spokes benefit only where the plan is linked to them as well, or where their traffic enters through the Hub. *Best Practice: Link the Plan to all VNets.*
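
The "link the plan to all VNets" practice is easy to drift from as spokes are added. The following is an added example, not part of this design document or of any Azure tooling: a small audit that reads the JSON shape returned by `az network vnet list -o json` (the real VNet properties are `enableDdosProtection` and `ddosProtectionPlan.id`) and reports every VNet that is not linked to ddos-plan-corp. The subscription GUID, the DR VNet name `vnet-hub-dr` and the stale plan name `ddos-plan-old` are constructed placeholders.

```python
"""Audit that every VNet in the hub-and-spoke estate is linked to the
corporate DDoS plan (ADR-02 best practice). Added example; not part of
the design document. Input mirrors the shape of `az network vnet list
-o json` (the real VNet properties are `enableDdosProtection` and
`ddosProtectionPlan.id`); the VNet records below are constructed."""
import json

# Assumed IDs: the subscription GUID is a placeholder, names come from the LLD.
PLAN_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-ddos-protection"
           "/providers/Microsoft.Network/ddosProtectionPlans/ddos-plan-corp")

# Constructed export: the hub is correct, the spoke was never linked, and the
# DR hub points at a stale plan (assumed name ddos-plan-old).
SAMPLE_VNETS_JSON = json.dumps([
    {"name": "vnet-hub", "location": "eastus",
     "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN_ID}},
    {"name": "vnet-spoke", "location": "eastus",
     "enableDdosProtection": False,
     "ddosProtectionPlan": None},
    {"name": "vnet-hub-dr", "location": "westus",
     "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN_ID.replace("ddos-plan-corp", "ddos-plan-old")}},
])


def audit_ddos_linkage(vnets, expected_plan_id):
    """Return {vnet_name: finding} for every VNet not linked to the plan.

    Resource IDs are compared case-insensitively because Azure treats them
    that way. A VNet with the flag set but no plan reference is reported
    too, since only the plan linkage ties it to ddos-plan-corp.
    """
    findings = {}
    for vnet in vnets:
        plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id")
        if not vnet.get("enableDdosProtection"):
            findings[vnet["name"]] = "ddos-protection-disabled"
        elif plan_id is None:
            findings[vnet["name"]] = "enabled-but-no-plan-linked"
        elif plan_id.lower() != expected_plan_id.lower():
            findings[vnet["name"]] = "linked-to-other-plan:" + plan_id.rsplit("/", 1)[-1]
    return findings


def audit_from_json(export_json, expected_plan_id=PLAN_ID):
    """Wrapper for piped `az network vnet list -o json` output."""
    return audit_ddos_linkage(json.loads(export_json), expected_plan_id)


if __name__ == "__main__":
    # Empty output means every VNet in the export is linked to the plan.
    for name, finding in sorted(audit_from_json(SAMPLE_VNETS_JSON).items()):
        print(f"{name}: {finding}")
```

Run it against a real export with `az network vnet list -o json | python audit.py` after replacing the sample with `sys.stdin.read()`; any line of output is a VNet whose traffic is not covered by ddos-plan-corp, regardless of how it is peered.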

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Attacker    |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Botnet)    |           |      (Protected)         |           |  (Protected) |
|              |           |                          |           |              |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Azure Edge  |           +------------+-------------+           +------+-------+
|  (Scrubbing) |---------->| VPN Gateway              |<--------->|  Public IP   |
|              |           |                          |           |  (Load Bal)  |
+--------------+           +--------------------------+           +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| DDoS Protection Plan: ddos-plan-corp                                  |
| (Global Resource)                                                     |
+-----------------------------------|-----------------------------------+
                                    |
                                    v
+-----------------------------------|-----------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)  |                                   |
| [x] DDoS Protection: Enabled      |                                   |
|     (Linked to ddos-plan-corp)    |                                   |
+-----------------------------------|-----------------------------------+
                                    |
                                    v
+-----------------------------------|-----------------------------------+
| SPOKE VNet: vnet-spoke            |                                   |
| [x] DDoS Protection: Enabled      |                                   |
|     (Linked to ddos-plan-corp)    |                                   |
+-----------------------------------|-----------------------------------+
                                    |
                                    | (Global Coverage)
                                    v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+                                           |
|   | DR HUB VNet           |                                           |
|   | [x] DDoS Enabled      |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Scrubbing Center: Azure's massive edge network that absorbs traffic. Bad traffic is dropped; good traffic is forwarded to your VNet.

5. Strategy: High Availability (HA)

  • SLA: 99.99%.
  • Built-in: Always on.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Global Resource.
  • Process: The Plan itself is global. You simply link your DR VNets (in West US) to the same Plan. No failover needed.

7. Strategy: Backup

  • N/A.

8. Strategy: Security

  • Adaptive Tuning: Azure learns your "normal" traffic pattern (e.g., 50 Mbps). If it spikes to 5 Gbps, it triggers mitigation.
  • Alerts: Configure Azure Monitor to email you when "Under DDoS Attack" metric = 1.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: Excellent.
  • Cost Optimization: Low. Expensive (~$3,000/month); the fee covers up to 100 public IPs. Suited to enterprise estates only.
  • Operational Excellence: High. DRR (DDoS Rapid Response) team support included.
  • Performance Efficiency: High. No latency added during normal operations.

10. Detailed Traffic Flow

1. Attack: Botnet sends 100 Gbps UDP flood to your Public IP.

2. Detection: Azure Edge detects anomaly (Volume > Threshold).

3. Diversion: Traffic diverted to Scrubbing Tunnel.

4. Filtering: Malicious packets dropped. Legitimate user packets kept.

5. Forwarding: Clean traffic delivered to your VNet.

6. Result: App stays online.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create DDoS Plan

1. Search: "DDoS protection plans" -> + Create.

2. Resource Group: Create rg-ddos-protection.

3. Name: ddos-plan-corp.

4. Region: East US (the plan is created in one region, but it can protect VNets in any region).

5. Create.

Phase 2: Enable on Hub VNet

1. Go to vnet-hub (or create a new VNet to test).

2. Settings -> DDoS protection.

3. Enable: Check the box.

4. DDoS protection plan: Select ddos-plan-corp.

5. Save.

* *Note: This incurs the monthly fee immediately.*

Phase 3: Enable on Spoke VNet

1. Go to vnet-spoke.

2. Settings -> DDoS protection.

3. Enable: Check the box.

4. DDoS protection plan: Select ddos-plan-corp.

5. Save.

Phase 4: Configure Alert

1. Go to Monitor -> Alerts -> + Create -> Alert rule.

2. Scope: Select the Public IP Address of your Hub Gateway or Firewall.

3. Signal: Search for "Under DDoS attack or not".

4. Logic:

* Operator: Greater than.

* Threshold: 0 (the metric is 1 while under attack and 0 otherwise).

5. Actions:

* Create Action Group ag-security-team.

* Notification: Email security@contoso.com.

6. Details:

* Severity: 0 - Critical.

* Alert rule name: Alert-DDoS-Attack.

7. Create.
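
To see what the Phase 4 rule and the adaptive tuning described under Strategy: Security actually do over time, here is an added example that replays both against a constructed per-minute metric series. It is not part of this design document and not Azure's implementation: the alert replay follows the Phase 4 settings (the "Under DDoS attack or not" metric, Maximum over a 5-minute window, evaluated every minute, fire when greater than 0), while the learning window, the 10x spike multiplier and the three healthy evaluations before auto-resolve are illustrative assumptions. The traffic and flag values are constructed sample data.

```python
"""Replay of the Phase 4 metric alert and a toy adaptive baseline.
Added example; not the design document's code and not Azure's
implementation. Samples are constructed; the baseline rule and the
resolve count are assumptions chosen for illustration."""
from statistics import fmean

# Constructed per-minute samples: (minute, inbound_mbps, if_under_ddos_attack).
# Normal traffic sits near 50 Mbps; minutes 7-9 carry a ~5 Gbps flood.
SAMPLES = [
    (0, 48, 0), (1, 52, 0), (2, 47, 0), (3, 55, 0), (4, 50, 0),
    (5, 49, 0), (6, 51, 0), (7, 4800, 1), (8, 5100, 1), (9, 5000, 1),
    (10, 60, 0), (11, 50, 0), (12, 52, 0), (13, 49, 0), (14, 51, 0),
    (15, 50, 0), (16, 50, 0), (17, 48, 0),
]

LEARNING_MINUTES = 5   # assumption: baseline learned from the first 5 samples
SPIKE_MULTIPLIER = 10  # assumption: 10x the baseline counts as a spike
WINDOW = 5             # Phase 4 aggregation granularity (PT5M)
RESOLVE_AFTER = 3      # assumption: healthy evaluations before auto-resolve


def learn_baseline(samples, learning_minutes=LEARNING_MINUTES):
    """Mean inbound rate over the learning window; a stand-in for the
    'normal' traffic profile the platform learns per protected IP."""
    return fmean(mbps for _, mbps, _ in samples[:learning_minutes])


def spike_minutes(samples, multiplier=SPIKE_MULTIPLIER):
    """Minutes whose inbound rate exceeds multiplier x baseline."""
    threshold = learn_baseline(samples) * multiplier
    return [minute for minute, mbps, _ in samples if mbps > threshold]


def evaluate_metric_alert(samples, window=WINDOW, threshold=0,
                          resolve_after=RESOLVE_AFTER):
    """Replay the Phase 4 rule: Maximum(IfUnderDDoSAttack) over `window`
    minutes, evaluated every minute, fire when > threshold.
    Returns the alert state transitions as [(event, minute)]."""
    events, fired, healthy = [], False, 0
    for i in range(window - 1, len(samples)):          # needs a full window
        flags = [flag for _, _, flag in samples[i - window + 1:i + 1]]
        condition = max(flags) > threshold
        minute = samples[i][0]
        if condition and not fired:
            fired, healthy = True, 0
            events.append(("fired", minute))           # -> ag-security-team
        elif fired and condition:
            healthy = 0                                # still under attack
        elif fired and not condition:
            healthy += 1
            if healthy >= resolve_after:
                fired = False
                events.append(("resolved", minute))
    return events


if __name__ == "__main__":
    print("baseline Mbps:", learn_baseline(SAMPLES))
    print("spike minutes:", spike_minutes(SAMPLES))
    for event, minute in evaluate_metric_alert(SAMPLES):
        print(f"minute {minute:2d}: alert {event}")
```

The point worth noticing is the timing: the flood stops at minute 10, but because the rule takes the maximum over a 5-minute window and then waits for three clean evaluations, the alert only resolves at minute 16. That lag is the price of a rule that does not flap, and it is why the Severity 0 alert should be read as "mitigation was active within the last few minutes", not as a live indicator.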