Azure DDoS Protection and Mitigation Services | Microsoft Azure
Distributed denial of service (DDoS) is a type of attack where an attacker sends more requests to an application than the application is capable of handling. This depletes resources, affecting the application's availability and its ability to service customers. Over the past few years, companies have experienced a sharp increase in these attacks, which are becoming more sophisticated and larger in magnitude. DDoS attacks can target any endpoint that's publicly reachable through the internet.
DDoS Protection products, combined with application design best practices, provide enhanced DDoS mitigation features to defend against DDoS attacks. DDoS Protection is automatically tuned to help protect your specific Azure resources in a virtual network. It has several advantages over the default platform-level DDoS protection, including logging, alerting, and telemetry. See DDoS Network Protection Overview for more details.
DDoS Protection is zone-resilient by default, and managed by the service itself. No customer configuration is necessary to enable zone resiliency.
Use the Azure DDoS Protection service in combination with a web application firewall (WAF) for protection both at the network layer (layers 3 and 4, offered by DDoS Protection) and at the application layer (layer 7, offered by a WAF). Offerings include Application Gateway WAF and other web application firewall apps available in Azure Marketplace.
Public IPs in an Azure Resource Manager-based Azure Virtual Network are currently the only type of protected resource. Platform as a Service (PaaS) services (multitenant) are not supported. See About Azure DDoS Protection tier comparison for details.
The metrics of an attack should be visible on the portal within 5 minutes. If your resource is under attack, other metrics will start showing up on the portal within 5 to 7 minutes.