Microsoft AZ-700: Deploy Azure DDoS Protection by Using the Azure Portal

Reading Time: 3 minutes

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 3: Deploy Azure DDoS Protection by Using the Azure Portal

  • Distributed Denial of Service (DDoS)
    • A DoS attack has the goal of preventing access to services/systems
    • A DoS attack originates from one location
    • A DDoS attack originates from multiple networks and systems
    • DDoS attacks are one of the largest availability and security concerns facing customers moving apps to the cloud
    • A DDoS attack tries to exhaust an app's resources, making it unavailable
    • DDoS attacks can be targeted at any endpoint that is publicly reachable via the internet
  • DDoS Implementation
    • Azure DDoS Protection, combined with app design best practices, aids in defense against DDoS attacks.
    • Multiple service tiers available
      • Network Protection
        • Provides additional mitigation capabilities over DDoS infrastructure protection
        • Tuned specifically to AZ VNet resources
        • Simple to enable and requires no app modification
        • Policies applied to public IP associated with resources in VNet
        • Real-time telemetry through Azure Monitor views during an attack, and historically
        • Rich mitigation analytics via diagnostic settings
        • App layer protection available via Azure App Gateway WAF
        • Protection for IPv4 and IPv6 public addresses
      • IP Protection
        • DDoS IP Protection is priced per protected IP
        • Contains same core features as DDoS Network Protection
        • Value-added services such as
          • DDoS rapid response support
          • Cost Protection
          • Discounts on WAF
    • Protects resources in VNets
    • Protection includes:
      • VM Public IP Addresses
      • Load Balancers
      • App Gateways
    • When coupled with the App Gateway WAF, can provide full L3-L7 mitigation capabilities
  • Types of DDoS Attacks
    • Can mitigate the following types of attacks
      • Volumetric attacks
        • Flood network layer with large amounts of what looks like legit traffic
        • Include UDP floods, amplification flood, and other spoofed-packet floods
      • Protocol Attacks
        • Render the target inaccessible by exploiting weaknesses in the L3 and L4 protocol stack
        • Includes SYN flood, reflection, and other protocol attacks
      • Resource (App) layer attacks
        • Target web application packets to disrupt transmission between hosts
        • Includes HTTP protocol violations, SQL injection, cross-site scripting, and other L7 attacks
  • Azure DDoS protection features
    • Examples include
      • Native platform integration
        • Native integration into Azure and configured via portal
      • Turnkey protection
        • Simplified configuration protects all resources right away
      • Always-on traffic monitoring
        • App traffic patterns monitored 24/7
      • Adaptive tuning
        • Profiling and adjusting to service traffic
      • Attack analytics
        • Detailed reports every 5 mins during attack
        • Complete summary after attack ends
      • Attack Metrics and alerts
        • Summary metrics from each attack through Azure Monitor
        • Alerts configured at start/stop of attack, and duration of attack
        • Uses built-in attack metrics
      • Multi-layered protection
        • When deployed with a WAF, DDoS Protection protects the network and app layers
  • More details about some of the above DDoS Protection Features
  • Always-on traffic monitoring
    • Monitors actual traffic utilization
    • Constantly compares against defined thresholds
    • When threshold exceeded, mitigation initiated automatically
    • When back below threshold, mitigation stopped
    • During mitigation, traffic towards protected resource redirected and checks performed
      • Ensure packets conform to internet specifications and aren't malformed
      • Interact with client to determine if traffic potentially spoofed (e.g. SYN Auth or SYN Cookie or dropping packet to force re-transmit)
      • Rate-limit packets if no other enforcement can be performed
    • DDoS protection drops attack traffic and forwards remaining traffic
    • Within a few minutes of attack detection, you are notified using Azure Monitor metrics
    • Configure logging of DDoS Protection telemetry for future analysis
    • Metric data is retained for 30 days.
  • Adaptive real-time tuning
    • The DDoS Protection service helps protect customers and prevent impact on other customers
  • Attack metrics, alerts, logs
    • DDoS Protection exposes rich telemetry using Azure Monitor
    • Configure alerts for any metric DDoS Protection uses
    • Integrate logging with Splunk (Azure Event Hubs), Azure Monitor Logs, and Azure Storage for advanced analysis using Azure Monitor Diagnostics
    • Steps
      • In Portal
        • Monitor > Metrics
          • Select Resource group
          • Select resource type of Public IP Address
          • Select the Azure Public IP Address
        • DDoS metrics visible in the Available metrics pane
    • DDoS Protection applies 3 autotuned mitigation policies for each public IP of a protected resource in a VNet where DDoS Protection is enabled
      • SYN
      • TCP
      • UDP
    • View policy thresholds
      • Inbound [SYN/TCP/UDP] packets to trigger mitigation metrics
    • Policy thresholds are auto-configured via machine learning-based network traffic profiling
    • DDoS mitigation occurs for the IP under attack only when the threshold is exceeded
    • If a public IP is under attack, the value of the Under DDoS attack or not metric changes to 1 while mitigation is being performed
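One way to turn the metrics described above into the start, stop and duration events the notes say alerts are configured for, as an added example that is not part of the MS Learn module or the original post. It parses a constructed response in the shape the Azure Monitor metrics API returns for a public IP; IfUnderDDoSAttack and DDoSTriggerSYNPackets are the Azure Monitor metric names behind the display names used in the notes, and the timestamps and values are made up.

```python
from datetime import datetime
# Constructed sample in the shape Azure Monitor returns for a public IP (one-minute grain, "maximum" aggregation).
SAMPLE_RESPONSE = {"value": [
    {"name": {"value": "IfUnderDDoSAttack", "localizedValue": "Under DDoS attack or not"},
     "timeseries": [{"data": [
         {"timeStamp": "2024-01-01T10:00:00Z", "maximum": 0},
         {"timeStamp": "2024-01-01T10:01:00Z", "maximum": 1},
         {"timeStamp": "2024-01-01T10:02:00Z", "maximum": 1},
         {"timeStamp": "2024-01-01T10:03:00Z", "maximum": 0},
         {"timeStamp": "2024-01-01T10:04:00Z"},               # gap: interval with no value
         {"timeStamp": "2024-01-01T10:05:00Z", "maximum": 1},  # still under attack at the end
     ]}]},
    {"name": {"value": "DDoSTriggerSYNPackets", "localizedValue": "Inbound SYN packets to trigger DDoS mitigation"},
     "timeseries": [{"data": [
         {"timeStamp": "2024-01-01T10:00:00Z", "maximum": 4000},
         {"timeStamp": "2024-01-01T10:03:00Z", "maximum": 6000},  # threshold autotuned upward
     ]}]},
]}

def series(response, metric):
    """Flatten one metric into (timestamp, value) pairs; value is None for a gap."""
    for m in response["value"]:
        if m["name"]["value"] == metric:
            return [(datetime.fromisoformat(p["timeStamp"].replace("Z", "+00:00")), p.get("maximum"))
                    for ts in m["timeseries"] for p in ts["data"]]
    return []

def threshold_at(response, metric, when):
    """Latest autotuned trigger threshold at or before `when`, or None if unknown."""
    known = [v for t, v in series(response, metric) if t <= when and v is not None]
    return known[-1] if known else None

def attack_windows(response):
    """Turn the 0/1 'Under DDoS attack or not' flag into start/stop/duration events (the
    three the notes say alerts cover). A gap counts as 'not under attack'; a window still
    open at the end of the data has stop and duration_s of None."""
    def window(start, stop):
        return {"start": start, "stop": stop,
                "duration_s": None if stop is None else (stop - start).total_seconds(),
                "syn_trigger": threshold_at(response, "DDoSTriggerSYNPackets", start)}
    windows, start = [], None
    for ts, flag in series(response, "IfUnderDDoSAttack"):
        if flag == 1 and start is None:
            start = ts                         # mitigation began in this interval
        elif flag != 1 and start is not None:
            windows.append(window(start, ts))  # mitigation stopped in this interval
            start = None
    if start is not None:
        windows.append(window(start, None))
    return windows
```

The `syn_trigger` field records the SYN policy threshold that was in force when each mitigation started, which is the value to compare against the observed inbound SYN rate when reviewing whether the autotuned policy fired as expected.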
  • Multi-layered Protection
    • For attacks on specific resources at the app layer, configuring a WAF is recommended
    • A WAF inspects inbound web traffic to block SQL Injection, Cross Site Scripting, DDoS, and other L7 attacks
    • Azure provides WAF as feature of App Gateway for centralized protection of web apps
    • Other WAF offerings from partners in Azure Marketplace
    • Even WAFs are susceptible to volumetric and state-exhaustion attacks
      • Enable DDoS Protection on the WAF's VNet to aid in protection against these
  • Deploying DDoS Protection Plan
    • Key stages of deploying DDoS Protection:
      • Create Resource Group
      • Create DDoS Protection Plan
      • Enable DDoS Protection on a new/existing VNet or IP address
      • Configure DDoS telemetry
      • Configure DDoS diagnostic logs
      • Configure DDoS alerts
      • Run a test DDoS attack to verify results
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-deploy-azure-ddos-protection-by-using-the-azure-portal/