How to enable Azure DDoS Protection for an existing VNet
In this post, I’ll show you how to create a Standard DDoS Protection plan and associate it with an existing virtual network using PowerShell and the Azure CLI. Distributed denial of service (DDoS) attacks are becoming more frequent, and they are one of the main security problems that customers with resources in the cloud must face. Currently, Azure DDoS Protection has two tiers of service:
Basic:
- It’s free and it is automatically enabled as part of the Azure platform.
- It uses the full scale of the Azure global network to distribute and mitigate attack traffic between regions.
- Provides protection for Azure IPv4 and IPv6 public IP addresses.
Standard:
- The DDoS Protection service will have a fixed monthly charge, as well as a charge for data processed.
- DDoS Protection is enabled at the Virtual Network level.
- Real-time telemetry is available through Azure Monitor’s views during an attack and to analyze historical data.
Prerequisites
- You created a Resource Group for these resources and the new ones deployed in this tutorial will join that group. If you want to know how to create a Resource Group, check out this link.
- You already created the necessary Virtual Network and subnet. If you want to know how to create a Virtual Network, check out this link.
Azure PowerShell Workaround #
If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.
Connect-AzAccount
This cmdlet opens a sign-in prompt for the credentials associated with your Azure account. If more than one subscription is associated with that account, list them and choose the one to work in with the following commands:
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
Once you set your default subscription, you’re ready to start.
Set the variables #
Here, we define the characteristics of our environment and the resource’s properties.
#Define the parameters for the Azure resources.
$location = "northeurope"
$resourceGroupName = "RG-DEMO-NE"
#Define the existing VNet information.
$vNetName = "VNET-DEMO-NE"
Create a DDoS protection plan #
First, you should create a DDoS Protection plan with the New-AzDdosProtectionPlan command.
New-AzDdosProtectionPlan `
-Name "DemoDdosPlan" `
-ResourceGroupName $resourceGroupName `
-Location $location `
-Tag @{environment="www.jorgebernhardt.com"}
Enable DDoS for an existing virtual network #
Once the DDoS protection plan is created, you must associate your virtual network with it. First, we store the two objects (the DDoS protection plan and the virtual network) in variables. Then we set the VNet’s DdosProtectionPlan property to a PSResourceId object whose Id is the resource ID of our plan, and we set EnableDdosProtection to $true; both properties have to be set for the protection to be effective. Finally, Set-AzVirtualNetwork writes the modified VNet object back to Azure.
#Both objects are looked up by name within the resource group.
$ddosProtectionPlan = Get-AzDdosProtectionPlan `
-Name "DemoDdosPlan" `
-ResourceGroupName $resourceGroupName
$vnet = Get-AzVirtualNetwork `
-Name $vNetName `
-ResourceGroupName $resourceGroupName
#Point the VNet at the plan and switch protection on, then apply the change.
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $ddosProtectionPlan.Id
$vnet.EnableDdosProtection = $true
$vnet | Set-AzVirtualNetwork
Verify the deployment #
To verify that the changes have been applied correctly, use the Get-AzDdosProtectionPlan command. The VirtualNetworks property of the returned plan lists the resource IDs of the networks associated with it, so your VNet should now appear there.
Get-AzDdosProtectionPlan -Name "DemoDdosPlan" -ResourceGroupName $resourceGroupName
Disassociate a DDoS Protection plan from a virtual network #
To disassociate the DDoS plan from your virtual network, clear the DdosProtectionPlan reference and disable protection on the VNet object, then apply the change. These commands reuse the $vnet variable from the previous section; if you are in a new session, fetch the VNet again with Get-AzVirtualNetwork first.
$vnet.DdosProtectionPlan = $null
$vnet.EnableDdosProtection = $false
$vnet | Set-AzVirtualNetwork
#The VNet should no longer be listed under the plan's VirtualNetworks property.
Get-AzDdosProtectionPlan -Name "DemoDdosPlan" -ResourceGroupName $resourceGroupName
Remove a DDoS protection plan #
If you want to remove the DDoS plan, use the Remove-AzDdosProtectionPlan cmdlet with the following syntax. Azure refuses to delete a plan that still has virtual networks associated with it, so disassociate every VNet first; the VirtualNetworks property returned by Get-AzDdosProtectionPlan must be empty before this command will succeed.
Remove-AzDdosProtectionPlan `
-Name "DemoDdosPlan" `
-ResourceGroupName $resourceGroupName
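The verification and removal steps above only look at one plan and one VNet. As an added example that is not part of the original post, the following PowerShell audit walks every virtual network the signed-in account can see, classifies each one (protected by our plan, protected by another plan, unprotected, or misconfigured because only one of the two properties is set), cross-checks the result against the plan's own VirtualNetworks list, and refuses to proceed with Remove-AzDdosProtectionPlan while VNets are still attached. It assumes the Az.Network module is loaded and Connect-AzAccount has already run; the resource group and plan name are the ones used in this post.

```powershell
# Added example (not code from the original post): audit DDoS Protection Standard
# coverage across all visible VNets and guard the plan removal.
# Assumes: Az.Network loaded, Connect-AzAccount already run, and the plan/resource
# group names used in this post.
$resourceGroupName = "RG-DEMO-NE"
$planName          = "DemoDdosPlan"

$plan = Get-AzDdosProtectionPlan -ResourceGroupName $resourceGroupName -Name $planName

# Classify each VNet. Protection is only effective when BOTH EnableDdosProtection
# is true AND DdosProtectionPlan points at a plan; anything else is flagged.
$report = foreach ($vnet in Get-AzVirtualNetwork) {
    $planId  = if ($vnet.DdosProtectionPlan) { $vnet.DdosProtectionPlan.Id } else { $null }
    $enabled = [bool]$vnet.EnableDdosProtection

    $status = if ($enabled -and ($planId -eq $plan.Id)) { "Protected" }      # our plan
              elseif ($enabled -and $planId)           { "OtherPlan" }      # some other plan
              elseif (-not $enabled -and -not $planId) { "Unprotected" }    # Basic tier only
              else                                     { "Misconfigured" }  # flag without plan, or plan without flag

    [pscustomobject]@{
        VirtualNetwork = $vnet.Name
        ResourceGroup  = $vnet.ResourceGroupName
        Location       = $vnet.Location
        Id             = $vnet.Id
        DdosEnabled    = $enabled
        Plan           = if ($planId) { ($planId -split "/")[-1] } else { "-" }
        Status         = $status
    }
}

$report | Sort-Object Status, VirtualNetwork |
    Format-Table VirtualNetwork, ResourceGroup, Location, DdosEnabled, Plan, Status -AutoSize

# Cross-check from the plan side: its VirtualNetworks list should contain exactly the
# VNets reported as Protected above. -notin compares resource IDs case-insensitively.
$fromPlan = @($plan.VirtualNetworks | ForEach-Object { $_.Id })
$fromVnet = @($report | Where-Object Status -eq "Protected" | ForEach-Object { $_.Id })
$onlyInPlan = @($fromPlan | Where-Object { $_ -notin $fromVnet })
$onlyInVnet = @($fromVnet | Where-Object { $_ -notin $fromPlan })
if ($onlyInPlan.Count -gt 0 -or $onlyInVnet.Count -gt 0) {
    Write-Warning "Plan and VNet views disagree:"
    $onlyInPlan | ForEach-Object { Write-Warning "  listed by plan but not enabled on VNet: $_" }
    $onlyInVnet | ForEach-Object { Write-Warning "  enabled on VNet but not listed by plan: $_" }
}

# Guard before Remove-AzDdosProtectionPlan: a plan with VNets still attached cannot be
# deleted, so report them instead of letting the removal fail half-way through a script.
$attached = @($plan.VirtualNetworks).Count
if ($attached -gt 0) {
    Write-Warning ("Plan '{0}' still protects {1} VNet(s); disassociate them before removing it." -f $plan.Name, $attached)
} else {
    Write-Output "Plan '$($plan.Name)' has no attached VNets and can be removed."
    # Remove-AzDdosProtectionPlan -ResourceGroupName $resourceGroupName -Name $planName
}
```

The "Misconfigured" state is the one worth alerting on: a VNet whose EnableDdosProtection is true but whose DdosProtectionPlan is empty, or the reverse, looks protected in one view and not in the other. The removal line is left commented out so the audit stays read-only until you decide to act on it.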
Azure CLI Workaround #
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.
resourceGroupName="RG-DEMO-NE"
location="northeurope"
vNetName="VNET-DEMO-NE"
Create a DDoS protection plan #
First, you should create a DDoS protection plan with the following command. Tags are passed as space-separated key=value pairs.
az network ddos-protection create \
--name DemoDdosPlan \
--resource-group $resourceGroupName \
--location $location \
--tags Environment=www.JorgeBernhardt.com
Enable DDoS for an existing virtual network #
Associating a DDoS plan using the Azure CLI involves two commands: first associate the DDoS plan with the virtual network, then activate DDoS protection on the virtual network. To associate the DDoS plan with your virtual network, use the following command (--vnets accepts a space-separated list of VNet names or resource IDs).
az network ddos-protection update \
--name DemoDdosPlan \
--resource-group $resourceGroupName \
--vnets $vNetName
Once the DDoS plan is associated with your network, enable DDoS protection on the network with the following command.
az network vnet update \
--name $vNetName \
--resource-group $resourceGroupName \
--ddos-protection-plan DemoDdosPlan \
--ddos-protection true
Verify the deployment #
To verify that the changes have been applied correctly, use the following command and check that your VNet's resource ID appears in the virtualNetworks list of the output.
az network ddos-protection show \
--name DemoDdosPlan \
--resource-group $resourceGroupName
Disassociate a DDoS Protection plan from a virtual network #
To disassociate the DDoS plan from your virtual network, use the following commands. First, disable DDoS protection on your virtual network.
az network vnet update \
--name $vNetName \
--resource-group $resourceGroupName \
--ddos-protection false
and then disassociate the DDoS plan from your virtual network. Passing an empty string to --vnets tells the CLI to detach all virtual networks from the plan (a bare $null would expand to nothing in bash and leave the option without a value).
az network ddos-protection update \
--name DemoDdosPlan \
--resource-group $resourceGroupName \
--vnets ''
Remove a DDoS protection plan #
If you want to remove the DDoS plan, use the following command. As with PowerShell, the deletion fails while any virtual network is still associated with the plan, so disassociate them first.
az network ddos-protection delete \
--name DemoDdosPlan \
--resource-group $resourceGroupName
Thanks for reading my post. I hope you find it useful.
If you want to know more about Azure DDoS Protection, check out this link.