What's behind Azure DDoS Protection

Security concerns still inhibit cloud use in Germany. These concerns are justified. The number of documented DDoS attacks increased by 380% in the first quarter of 2017 compared to the first quarter of 2016, according to Nexusguard.

Microsoft has responded by developing DDoS Protection. DDoS Protection is available in Basic and Standard versions. In the free Basic version, which is always active in the virtual network, Layer 3 and Layer 4 monitoring protects on a global level. Optionally, Layer 7 monitoring can be activated via a web application gateway.

 

 

If you activate the Standard version, further features are added. Among other things, the application's behaviour pattern is learned through 24/7 monitoring and assigned to a suitable security profile. If the determined threshold values are then exceeded, a defence mechanism is started and the valid data traffic is redirected. This happens continuously from Layer 3 to Layer 7. Up to 60 different types of attacks are detected and defended against worldwide. Logging and alerting are an important aspect: attack metrics are visible in Azure Monitor, and attack alerts are displayed in Azure Log Analytics, Splunk, via email or directly in the Azure Portal.
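The learned profile and threshold behaviour described above can be sketched as follows. This is an added example, not Microsoft's code or algorithm: the packets-per-second metric, the window size, the multiplier `k` and all sample values are assumptions constructed for illustration. It also shows why a detector should stop updating its profile while a threshold is exceeded.

```python
from collections import deque
from statistics import mean, pstdev


class ProfileDetector:
    """Illustrative traffic profile for one public IP (assumed model)."""

    def __init__(self, window=12, k=4.0, learn_during_attack=False):
        self.history = deque(maxlen=window)  # recent packets-per-second samples
        self.window = window
        self.k = k                           # threshold = mean + k * stddev
        self.learn_during_attack = learn_during_attack

    def threshold(self):
        if len(self.history) < self.window:
            return None                      # profile is still being learned
        return mean(self.history) + self.k * pstdev(self.history)

    def observe(self, pps):
        """Return True when this sample exceeds the learned threshold."""
        limit = self.threshold()
        over = limit is not None and pps > limit
        # Hardened behaviour: samples seen while over the threshold are not
        # fed back into the profile, so attack traffic cannot raise it.
        if not over or self.learn_during_attack:
            self.history.append(pps)
        return over


def mitigated_samples(samples, **kwargs):
    """Indices of samples for which mitigation would be triggered."""
    det = ProfileDetector(**kwargs)
    return [i for i, pps in enumerate(samples) if det.observe(pps)]


# Constructed packets-per-second samples: steady traffic, then a flood.
NORMAL = [480, 510, 495, 520, 505, 490, 515, 500, 485, 510, 495, 505]
SAMPLES = NORMAL + [530, 9000, 12000, 11000, 520, 500]

if __name__ == "__main__":
    print("profile frozen during attack:", mitigated_samples(SAMPLES))
    print("profile keeps learning:      ",
          mitigated_samples(SAMPLES, learn_during_attack=True))
```

With the profile frozen, all three flood samples are flagged; when the profile keeps learning, the flood inflates the threshold and the third flood sample passes unnoticed.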

Diagram: Azure DDoS Protection - source Microsoft

For the extended protection in the Standard Edition, an interesting cost model is used. You pay a flat rate of €2,483.00 per month (as of 6/18), which includes up to 100 resources. Resources are, for example, public IPs, load balancers, application gateways or Service Fabric. The list of resources will be expanded in the future. If you use more than 100 resources, each additional resource costs €25. In addition, outgoing data traffic is billed in staggered TB ranges, starting at €0.178 per GB.

Here too, cloud service cost management is important: Azure DDoS Protection can quickly lead to high bills. In our opinion, the flat rate for the Standard version is a bit too high. Not every company needs 100 resources. We hope that Microsoft will make improvements here to increase the acceptance of the product and its distribution.

Sources:
https://www.nexusguard.com/threat-report-q4-2017
https://docs.microsoft.com/de-de/azure/virtual-network/ddos-protection-overview