Activate and monitor Distributed Denial-of-Service (DDoS) protection

1.4 Monitor Networks

📘Microsoft Azure Networking Solutions (AZ-700)

1. What is DDoS?

  • DDoS stands for Distributed Denial-of-Service.
  • It’s a type of cyber attack in which many computers (often compromised machines working together as a botnet) flood a service with traffic so that it becomes unavailable to legitimate users.
  • In Azure, DDoS attacks can target things like:
    • Azure Virtual Networks (VNets)
    • Application Gateways
    • Public IP addresses

2. Azure DDoS Protection Overview

Azure provides two levels of DDoS protection:

A. Basic (Free)

  • Automatically included with every Azure public IP.
  • Provides always-on traffic monitoring and automatic attack mitigation for common attacks.
  • No configuration needed.
  • Suitable for small-scale workloads.

B. Standard (Paid)

  • Offers advanced DDoS protection features for critical applications.
  • Key features include:
    1. Adaptive tuning: Automatically adjusts thresholds based on your application’s normal traffic.
    2. Attack mitigation: Filters out malicious traffic while allowing legitimate traffic.
    3. Real-time telemetry and alerts: Provides metrics and alerts if an attack occurs.
    4. Cost protection: Reduces scaling charges caused by sudden traffic spikes during attacks.

3. Activating DDoS Protection in Azure

Step 1: Create a DDoS Protection Plan

  • Go to Azure Portal → Create a Resource → Networking → DDoS Protection Plan.
  • Give it a name and select the subscription and resource group.
  • The Standard plan is recommended for production workloads.

Step 2: Associate with a Virtual Network (VNet)

  • After creating the plan, link it to a VNet:
    1. Go to your VNet → Settings → DDoS Protection.
    2. Enable protection → select your DDoS Protection Plan.
  • This ensures all public IPs in that VNet are protected.

4. Monitoring DDoS Protection

A. Metrics in Azure Monitor

  • Azure DDoS provides telemetry data you can monitor in Azure Monitor.
  • Key metrics:
    1. DDoS attack alerts: Indicate whether an attack is currently in progress.
    2. Packet drops: Show how many malicious packets were blocked.
    3. Traffic volume: Helps identify abnormal spikes in inbound traffic.

B. Alerts

  • You can create alerts in Azure Monitor for:
    • Attack detected
    • Mitigation started
    • Mitigation stopped
  • Alerts can be sent via email, SMS, or webhook.

C. Attack Analytics

  • Standard DDoS Protection provides a detailed attack report that includes:
    • Attack type (Volumetric, Protocol, or Application layer)
    • Start and end time
    • Number of blocked packets
  • Reports are useful for auditing and compliance.
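The portal steps in sections 3 and 4 (create the plan, link it to the VNet, alert on an attack) can be scripted with the Azure CLI. This is an added example, not part of the course notes: it assumes you have run `az login` and that the resource group, VNet and public IP already exist; resource names and the e-mail address are placeholders, and the metric name `IfUnderDDoSAttack` is Azure's public-IP metric shown in the portal as "Under DDoS attack or not".

```shell
#!/usr/bin/env bash
# Added example (not from the course notes). Assumes `az login` was done and
# that RG, VNET and PIP already exist; all names below are placeholders.
set -eu

RG="${RG:-rg-ddos-demo}"                          # placeholder resource group
LOCATION="${LOCATION:-westeurope}"                # placeholder region
PLAN="${PLAN:-ddos-plan-prod}"                    # placeholder plan name
VNET="${VNET:-vnet-prod}"                         # placeholder VNet (must exist)
PIP="${PIP:-pip-web-frontend}"                    # placeholder public IP (must exist)
ALERT_EMAIL="${ALERT_EMAIL:-secops@example.com}"  # placeholder recipient

# Pure helper: build the plan's ARM resource ID (no Azure call involved).
ddos_plan_id() {  # args: subscription-id resource-group plan-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/ddosProtectionPlans/%s' "$1" "$2" "$3"
}

# Step 1: create the DDoS Protection Plan (the paid Standard tier).
create_plan() {
  az network ddos-protection create --name "$PLAN" --resource-group "$RG" \
    --location "$LOCATION" --output none
}

# Step 2: enable DDoS protection on the VNet and link it to the plan;
# every public IP in that VNet is then covered.
associate_vnet() {
  sub=$(az account show --query id --output tsv)
  az network vnet update --name "$VNET" --resource-group "$RG" \
    --ddos-protection true --ddos-protection-plan "$(ddos_plan_id "$sub" "$RG" "$PLAN")" \
    --output none
}

# Step 3: e-mail an action group whenever the public IP's
# "Under DDoS attack or not" metric rises above 0 (attack in progress).
create_attack_alert() {
  pip_id=$(az network public-ip show --name "$PIP" --resource-group "$RG" --query id --output tsv)
  ag_id=$(az monitor action-group create --name ag-ddos --resource-group "$RG" \
    --short-name ddos --action email secops "$ALERT_EMAIL" --query id --output tsv)
  az monitor metrics alert create --name "alert-ddos-${PIP}" --resource-group "$RG" \
    --scopes "$pip_id" --condition "max IfUnderDDoSAttack > 0" \
    --window-size 5m --evaluation-frequency 1m --action "$ag_id" \
    --description "DDoS attack detected on ${PIP}" --output none
}

# Only talk to Azure when explicitly requested, so the file can be sourced safely.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  create_plan && associate_vnet && create_attack_alert
fi
```

Run it with `RUN_DEPLOY=1 ./ddos-setup.sh` after logging in; the "Mitigation started/stopped" alerts from section 4B can be added the same way with further `az monitor metrics alert create` calls on the same public IP.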

5. Real-life IT Context (Non-Physical Analogy)

  • Imagine your web server is under attack by thousands of automated bots sending fake traffic.
  • DDoS Protection Standard watches all incoming traffic, automatically filters out malicious traffic, and keeps your service running.
  • You can see alerts in Azure Monitor and review reports to ensure your server wasn’t compromised.

6. Key Exam Points

When studying for AZ-700, remember:

  1. Types of DDoS protection:
    • Basic (Free)
    • Standard (Paid)
  2. How to activate DDoS Standard:
    • Create DDoS Protection Plan
    • Associate with VNet
  3. Monitoring and alerts:
    • Use Azure Monitor metrics
    • Create alerts for attack detection
  4. DDoS attack telemetry:
    • Attack type, duration, blocked packets
  5. Integration:
    • DDoS Standard works with Application Gateway, Load Balancers, and Public IPs.

Quick Memory Tip for Exam:

  • Plan → Protect → Monitor → Alert → Report
    Think of it as the 5-step flow for DDoS Standard in Azure.