Implementing Azure DDoS Protection Standard for Application Resilience

09/14/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and configuring Azure DDoS Protection Standard to ensure the resiliency of applications hosted on Azure. Distributed Denial of Service (DDoS) attacks are one of the biggest threats to the availability of online services. Azure DDoS Protection Standard provides advanced DDoS attack mitigation capabilities, protecting Azure resources against volumetric, protocol, and application layer attacks, ensuring business continuity and user experience [1].

Introduction

In the current digital landscape, the availability of applications and services is as critical as their security and integrity. DDoS attacks aim to overload a service's resources, making it unavailable to legitimate users. Such attacks can result in significant financial losses, reputational damage and disruption of critical operations. Azure DDoS Protection Standard is an Azure-native solution that provides comprehensive protection against these attacks, using a global mitigation network and machine learning-based detection algorithms to identify and deflect malicious traffic before it reaches your resources [2].

This practical guide will cover creating a DDoS protection plan, enabling protection for virtual networks and public IP addresses, integrating with other Azure services like Azure Web Application Firewall (WAF) and Azure Firewall, and validating protection through attack simulations. Step-by-step instructions and examples of Azure CLI commands will be provided so that the reader can implement and test a robust defense against DDoS attacks, strengthening the resilience of their cloud applications and infrastructure.

Why is Azure DDoS Protection Standard crucial?

  • Comprehensive Mitigation: Protects against volumetric attacks (e.g. UDP floods, SYN), protocol attacks (e.g. SYN-ACK floods, IP fragmentation) and application layer attacks (e.g. HTTP floods) [3].
  • Automatic Detection and Adaptation: Uses machine learning algorithms to detect attacks in real time and adjust mitigation policies without manual intervention.
  • Global Scale: Leverages the global scale of the Azure network to absorb and deflect large volumes of attack traffic.
  • Detailed Telemetry: Provides rich telemetry, mitigation logs, and attack metrics in Azure Monitor for analysis and investigation.
  • Native Integration: Seamlessly integrates with other Azure security services, such as Azure Firewall and Azure WAF, for defense in depth.
  • Cost Guarantee: Provides cost protection for scaled resources during a DDoS attack, covering credits for resources that would be scaled to absorb the attack.

Prerequisites

To implement Azure DDoS Protection Standard, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the role of Owner or Contributor in the Azure subscription, or in the resource group where the VNets and public IPs are located.
  3. Virtual Networks (VNets): The VNets that host the resources you want to protect (e.g. VMs, Load Balancers, Application Gateways).
  4. Public IP Addresses: Resources with public IP addresses (e.g. VMs with public IP, public Load Balancers, Application Gateways) that will be the potential target of DDoS attacks.
  5. Azure CLI or Azure PowerShell: Installed and configured command-line tools to interact with Azure.

Step by Step: Implementing Azure DDoS Protection Standard

Let's configure Azure DDoS Protection Standard to protect your resources.

1. Creating a DDoS Protection Plan

The first step is to create a DDoS protection plan. This plan is a global resource that you can link to multiple VNets across different regions and subscriptions.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type DDoS protection plans and select it from the results.
  4. Click + Create.
  5. Fill in the plan details:
    • Subscription: Select your Azure subscription.
    • Resource group: Create a new resource group (e.g. RG-DDoS-Protection) or select an existing one.
    • Name: Give your plan a name (e.g. DDoS-Plan-Artigos).
    • Region: Select the region where you want the plan to be managed (this does not affect global protection).
  6. Click Review + create and then Create.

2. Enabling DDoS Protection for a Virtual Network

After you create the DDoS protection plan, you need to link it to the virtual networks that contain the resources you want to protect.

  1. In the Azure portal, navigate to the VNet you want to protect (e.g. VNet-Hub, created in the Azure Firewall article).
  2. In the left navigation pane of the VNet, select DDoS Protection.
  3. Under DDoS Protection Plan, select the plan you created (e.g. DDoS-Plan-Artigos).
  4. Click Save.

    • Azure CLI command to enable DDoS Protection on a VNet:

```bash
# Get the resource ID of the DDoS protection plan
DDP_PLAN_ID=$(az network ddos-protection show \
  --name DDoS-Plan-Artigos \
  --resource-group RG-DDoS-Protection \
  --query id -o tsv)

# Link the VNet to the plan and enable protection on it
az network vnet update \
  --name VNet-Hub \
  --resource-group RG-Firewall-Artigos \
  --ddos-protection-plan "$DDP_PLAN_ID" \
  --ddos-protection true
```

3. Securing Public IP Addresses

When a VNet is enabled for DDoS Protection Standard, all resources with public IP addresses within that VNet (e.g., public IP VMs, public Load Balancers, Application Gateways) are automatically protected. There is no need to configure protection individually for each public IP.

  • Verification: To confirm that a public IP is protected, you can navigate to the public IP resource in the Azure portal. In the Overview section, you will see the associated DDoS Protection Plan.
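The same three steps (create the plan, link the VNet, verify the public IPs) as an added Azure PowerShell example; this is not code from the original article. It assumes Az.Network is installed, Connect-AzAccount has been run, the region is eastus, and the public IPs to check live in the VNet's resource group.

```powershell
# Added example (not from the original article): create the plan, link the hub
# VNet to it, and verify the result with Azure PowerShell (Az.Network).
$planRg   = "RG-DDoS-Protection"
$planName = "DDoS-Plan-Artigos"
$vnetRg   = "RG-Firewall-Artigos"
$vnetName = "VNet-Hub"
$location = "eastus"   # assumed; only controls where the plan resource is managed

# Step 1: create the plan (reuse it if it already exists, so the script is rerunnable)
$plan = Get-AzDdosProtectionPlan -ResourceGroupName $planRg -Name $planName -ErrorAction SilentlyContinue
if (-not $plan) {
    $plan = New-AzDdosProtectionPlan -ResourceGroupName $planRg -Name $planName -Location $location
}

# Step 2: link the VNet to the plan and enable protection on it
$vnet = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Step 3: verify. The VNet must report the plan; public IPs inside a linked VNet
# inherit protection, which shows up as ProtectionMode "VirtualNetworkInherited".
if (-not $vnet.EnableDdosProtection -or $vnet.DdosProtectionPlan.Id -ne $plan.Id) {
    throw "VNet $vnetName is not linked to plan $planName"
}

# List the public IPs in the VNet's resource group (assumption: they live there)
# with whether they are attached to anything and which protection mode they report.
Get-AzPublicIpAddress -ResourceGroupName $vnetRg |
    Select-Object Name, IpAddress,
        @{ n = "Attached";       e = { [bool]$_.IpConfiguration } },
        @{ n = "ProtectionMode"; e = { $_.DdosSettings.ProtectionMode } } |
    Format-Table -AutoSize
```

An IP that is not attached to a NIC, load balancer or gateway in the linked VNet is not protected even if its mode reads "VirtualNetworkInherited", so check the Attached column as well.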

4. Integration with Azure Web Application Firewall (WAF) and Azure Firewall

For defense in depth, it is recommended to combine Azure DDoS Protection Standard with other network security solutions.

  • Azure Web Application Firewall (WAF): WAF protects web applications against common web attacks (e.g. SQL injection, cross-site scripting) that DDoS Protection does not cover. Deploy WAF in front of your web applications (e.g. with Azure Application Gateway or Azure Front Door). The DDoS Protection Standard protects the network layer of the WAF, while the WAF protects the application layer [4].

  • Azure Firewall: Azure Firewall provides network and application traffic filtering, threat intelligence, and IDPS. When used in conjunction with DDoS Protection Standard, Firewall can inspect legitimate traffic after DDoS mitigation, adding another layer of security.

Validation and Testing

Validating the effectiveness of the Azure DDoS Protection Standard is crucial. However, never perform an actual DDoS attack against your own resources without explicit permission from Microsoft. Microsoft offers a DDoS simulation testing program for customers.

1. Checking DDoS Protection Telemetry

During an attack (or simulation), Azure DDoS Protection Standard provides detailed metrics in Azure Monitor.

  1. In the Azure portal, navigate to your DDoS protection plan (e.g. DDoS-Plan-Artigos).
  2. In the left navigation pane, select Metrics.
  3. You can view metrics like:
    • DDoS attack traffic (inbound): Inbound attack traffic.
    • DDoS attack packets (inbound): Inbound attack packets.
    • DDoS attack bytes (inbound): Inbound attack bytes.
    • DDoS attack dropped packets (inbound): Attack packets dropped.
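Reading the same telemetry from the command line, as an added example that is not part of the original article: it pulls the last hour of DDoS metrics for one protected public IP with Az.Monitor (the metrics are emitted by the public IP resource itself). It assumes Connect-AzAccount has been run and uses placeholder resource group and IP names.

```powershell
# Added example (not from the original article): last hour of DDoS telemetry for
# one protected public IP, read through Azure Monitor with Az.Monitor.
$pipRg   = "RG-Firewall-Artigos"   # assumed
$pipName = "PIP-Firewall"          # assumed placeholder name
$pip     = Get-AzPublicIpAddress -ResourceGroupName $pipRg -Name $pipName

# Metric names as exposed by Azure Monitor for public IP addresses:
#   IfUnderDDoSAttack     1 while mitigation is active, 0 otherwise
#   PacketsInDDoS         inbound packets/s seen during mitigation
#   PacketsDroppedDDoS    inbound packets/s dropped by mitigation
#   PacketsForwardedDDoS  inbound packets/s forwarded as legitimate
$names = "IfUnderDDoSAttack", "PacketsInDDoS", "PacketsDroppedDDoS", "PacketsForwardedDDoS"
$end   = Get-Date
$start = $end.AddHours(-1)

$metrics = Get-AzMetric -ResourceId $pip.Id -MetricName $names `
    -StartTime $start -EndTime $end -TimeGrain 00:01:00 -AggregationType Maximum

# Summarise each series as its peak one-minute value over the hour
$report = foreach ($m in $metrics) {
    $values = $m.Data | Where-Object { $null -ne $_.Maximum } | ForEach-Object Maximum
    $peak   = 0
    if ($values) { $peak = ($values | Measure-Object -Maximum).Maximum }
    [pscustomobject]@{ Metric = $m.Name.Value; Peak = $peak }
}
$report | Format-Table -AutoSize

# Flag the window if mitigation engaged, with the dropped/forwarded split that
# tells you how much of the inbound traffic was judged malicious.
$peakOf = { param($n) ($report | Where-Object Metric -eq $n).Peak }
if ((& $peakOf "IfUnderDDoSAttack") -gt 0) {
    Write-Warning ("Mitigation was active on {0}: peak {1} pkt/s dropped, {2} pkt/s forwarded" -f `
        $pipName, (& $peakOf "PacketsDroppedDDoS"), (& $peakOf "PacketsForwardedDDoS"))
}
```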

2. Configuring Alerts for DDoS Attacks

It is essential to set up alerts to be notified when a DDoS attack is in progress.

  1. In the Azure portal, navigate to your DDoS protection plan.
  2. In the left navigation pane, select Alerts.
  3. Click + Create alert rule.
  4. Configure the condition for the alert, using metrics such as Under DDoS attack or not (value 1 indicates attack, 0 indicates normal) or DDoS attack traffic (inbound).
  5. Configure the alert actions (e.g. send email, SMS, webhook, trigger an Azure Function or Logic App).
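The same alert rule created from the command line, as an added Azure PowerShell example that is not part of the original article. It assumes Connect-AzAccount has been run, that an action group with your notification receivers already exists, and uses placeholder resource names; the packet threshold in the second rule is a constructed value.

```powershell
# Added example (not from the original article): metric alerts on a protected
# public IP using Az.Monitor. The first rule fires when "Under DDoS attack or not"
# (metric IfUnderDDoSAttack) reports 1; the second when dropped attack traffic
# stays high, which is the volumetric signal worth paging on.
$pipRg   = "RG-Firewall-Artigos"   # assumed
$pipName = "PIP-Firewall"          # assumed placeholder
$agRg    = "RG-DDoS-Protection"    # assumed
$agName  = "AG-SecOps"             # assumed placeholder: existing action group

$pip = Get-AzPublicIpAddress -ResourceGroupName $pipRg -Name $pipName
$ag  = Get-AzActionGroup -ResourceGroupName $agRg -Name $agName

# Condition 1: the metric's maximum over the window is greater than 0,
# i.e. mitigation was engaged at some point in the last five minutes.
$underAttack = New-AzMetricAlertRuleV2Criteria `
    -MetricName "IfUnderDDoSAttack" `
    -MetricNamespace "Microsoft.Network/publicIPAddresses" `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0

# Condition 2: average dropped packets/s above a constructed threshold;
# tune it to the baseline you observe in your own telemetry.
$highDrop = New-AzMetricAlertRuleV2Criteria `
    -MetricName "PacketsDroppedDDoS" `
    -MetricNamespace "Microsoft.Network/publicIPAddresses" `
    -TimeAggregation Average -Operator GreaterThan -Threshold 10000

# Evaluate every minute over a five-minute window; notify the action group.
New-AzMetricAlertRuleV2 -Name "ddos-under-attack-$pipName" -ResourceGroupName $pipRg `
    -TargetResourceId $pip.Id -Condition $underAttack `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1 `
    -ActionGroupId $ag.Id `
    -Description "DDoS mitigation engaged on $pipName"

New-AzMetricAlertRuleV2 -Name "ddos-high-drop-$pipName" -ResourceGroupName $pipRg `
    -TargetResourceId $pip.Id -Condition $highDrop `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 2 `
    -ActionGroupId $ag.Id `
    -Description "Sustained attack traffic being dropped on $pipName"
```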

3. Conducting a DDoS Attack Simulation (with approved partners)

Microsoft collaborates with partners that offer DDoS testing capabilities to enable customers to simulate attacks in a controlled and secure manner against their resources protected by Azure DDoS Protection Standard. Never attempt to simulate a DDoS attack on your own without approval and coordination from Microsoft and an approved partner.

  1. Contact a Microsoft-approved DDoS testing partner: Companies like BreakingPoint (Keysight) or Radware offer DDoS simulation services.
  2. Coordinate with Microsoft: Inform Microsoft of the planned test to prevent Azure automatic mitigation from interpreting the test as a real attack and taking unexpected actions.
  3. Monitor during Testing: During the simulation, monitor DDoS Protection metrics in Azure Monitor to observe mitigation in action and verify the resiliency of your application.

Security Tips and Best Practices

  • Robust Application Design: Azure DDoS Protection Standard is most effective when combined with a robust and resilient application design. This includes scalable architectures, load balancing, caching and fault tolerance.
  • Defense in Depth: Don't just rely on DDoS Protection. Combine it with other security solutions like Azure Firewall, Azure WAF, and NSGs to create a defense-in-depth strategy.
  • Cost Optimization: The Standard plan protects all public IP resources in linked VNets. Consider grouping resources into protected VNets to optimize costs.
  • Active Monitoring: Configure alerts in Azure Monitor for DDoS attacks and actively monitor telemetry to understand attack behavior and mitigation effectiveness.
  • Regular Testing: Conduct DDoS attack simulations with approved partners regularly to validate the effectiveness of your protection and identify any gaps.
  • DNS Protection: Consider using Azure DNS with built-in DDoS protection to protect your DNS servers from attacks.
  • Application Layer Protection: For web applications, use Azure WAF to protect against layer 7 attacks, which DDoS Protection Standard does not directly address.
  • Rate Limiting: Implement rate limiting on your application gateways or reverse proxies to mitigate low-volume application layer attacks.

Common Troubleshooting

  • DDoS Protection not enabled: Verify that the DDoS protection plan has been created and that the VNet is linked to it. Confirm that the resources you hope to protect have public IP addresses.
  • DDoS attack not detected: Verify that the attack traffic is actually directed to the protected public IPs. Ensure telemetry metrics are being collected in Azure Monitor. There may be a slight delay in detecting low-volume attacks.
  • Application still affected during an attack: This may indicate that the attack is not purely DDoS (e.g. application layer attack that needs WAF) or that the application itself is not resilient enough. Review application design and WAF integration.
  • DDoS alerts not received: Check alert rules configured in Azure Monitor. Make sure notification actions are configured correctly and that recipients are receiving notifications.
  • Performance issues after activation: DDoS Protection Standard is a network service and generally does not cause performance issues. If there is slowness, investigate other components of your architecture (e.g. VMs, Load Balancers, Firewalls, WAF).

Conclusion

Azure DDoS Protection Standard is a critical service for any organization looking to protect its applications and services against the growing threat of DDoS attacks. By providing automatic, scalable, and comprehensive mitigation, it ensures the availability and resilience of Azure resources. Effective implementation of the DDoS Protection Standard, combined with robust application design, defense in depth with other security solutions, and continuous monitoring, enables organizations to maintain business continuity and protect the user experience. With this practical guide, security professionals will be well-equipped to configure, validate, and manage Azure DDoS Protection Standard, strengthening the security posture and resiliency of their cloud applications.


References:

[1] Microsoft Learn. Azure DDoS Protection overview. Available at: https://learn.microsoft.com/pt-br/azure/ddos-protection/ddos-protection-overview
[2] Microsoft Learn. Types of DDoS attacks. Available at: https://learn.microsoft.com/pt-br/azure/ddos-protection/ddos-attack-types
[3] Microsoft Learn. Azure DDoS Protection tier comparison. Available at: https://learn.microsoft.com/pt-br/azure/ddos-protection/ddos-protection-sku-comparison
[4] Microsoft Learn. DDoS protection reference architectures. Available at: https://learn.microsoft.com/pt-br/azure/ddos-protection/ddos-protection-reference-architectures