Azure DDoS Protection is a service that provides protection against Distributed Denial of Service (DDoS) attacks on Azure resources like virtual machines, application gateways, and Azure Load Balancers. The service can be enabled on a virtual network or a public IP address to mitigate DDoS attacks.
In this tutorial, we will cover the following topics:
- Create a resource group
- Create a virtual network
- Create a DDoS Protection plan
- Enable DDoS Protection on a public IP address
- Enable DDoS Protection on a virtual network
- Verify DDoS Protection
Note: This tutorial assumes that you have an Azure account and Azure CLI installed on your system.
Step 1: Create a resource group
The first step is to create a resource group in which we will create our virtual network and DDoS Protection plan. To create a resource group using the Azure CLI, run the following command:
az group create --name MyResourceGroup --location eastus
Replace MyResourceGroup with a name of your choice, and eastus with a location of your choice.
Step 2: Create a virtual network
The next step is to create a virtual network in the resource group we just created. To create a virtual network using the Azure CLI, run the following command:
az network vnet create --resource-group MyResourceGroup --name MyVirtualNetwork --address-prefixes 10.0.0.0/16 --subnet-name MySubnet --subnet-prefix 10.0.0.0/24
Replace MyVirtualNetwork with a name of your choice, and 10.0.0.0/16 and 10.0.0.0/24 with IP address ranges of your choice.
Step 3: Create a DDoS Protection plan
The next step is to create a DDoS Protection plan in the resource group we just created. To create a DDoS Protection plan using the Azure CLI, run the following command:
az network ddos-protection create --resource-group MyResourceGroup --name MyDdosPlan --location eastus
Replace MyDdosPlan with a name of your choice, and eastus with a location of your choice.
Step 4: Enable DDoS Protection on a public IP address
The next step is to enable DDoS Protection on a public IP address. To create a Standard SKU public IP address with DDoS Protection enabled using the Azure CLI, run the following command:
az network public-ip create --resource-group MyResourceGroup --name MyPublicIp --sku Standard --location eastus --ddos-protection-mode Enabled
Replace MyPublicIp with a name of your choice, and eastus with a location of your choice.
Step 5: Enable DDoS Protection on a virtual network
The next step is to enable DDoS Protection on the virtual network we created earlier. To enable DDoS Protection on a virtual network using the Azure CLI, run the following command:
az network vnet update --name MyVirtualNetwork --resource-group MyResourceGroup --ddos-protection true --ddos-protection-plan MyDdosPlan
Replace MyVirtualNetwork with the name of your virtual network, and MyDdosPlan with the name of your DDoS Protection plan.
Step 6: Verify DDoS Protection
To verify that DDoS Protection is enabled on your resources, you can use the Azure portal or the Azure CLI. To verify using the Azure CLI, run the following command:
az network ddos-protection show --resource-group MyResourceGroup --name MyDdosPlan
This will display the details of your DDoS Protection plan, including the resources that are protected by the plan.
You can also verify that DDoS Protection is enabled on your public IP address by running the following command:
az network public-ip show --resource-group MyResourceGroup --name MyPublicIp --query ddosSettings.protectionMode
This will display the DDoS protection mode of the public IP address, which is Enabled when DDoS Protection is turned on for that address.
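The verification step above can be turned into a pass/fail check that also handles a public IP whose mode is VirtualNetworkInherited, where coverage depends on the virtual network rather than on the IP itself. This is an added example, not part of the original tutorial; the function names ddos_verdict and check_public_ip are hypothetical, and it assumes the virtual network passed in is the one hosting the resource the public IP is attached to.

```shell
#!/usr/bin/env bash
# Added example: decide whether a public IP is effectively covered by DDoS Protection.

# Pure decision logic, testable without Azure access.
#   $1 = ddosSettings.protectionMode of the public IP
#   $2 = enableDdosProtection of the VNet (true/false, either casing accepted)
#   $3 = ddosProtectionPlan.id of the VNet (empty or "None" when no plan is set)
ddos_verdict() {
  local mode="$1" vnet_enabled="$2" plan_id="$3"
  case "$plan_id" in None) plan_id="" ;; esac
  case "$mode" in
    Enabled)
      echo "protected:ip" ;;                  # protection set on the IP itself
    VirtualNetworkInherited)
      # Only covered if the VNet has protection switched on AND a plan attached.
      case "$vnet_enabled:$plan_id" in
        true:?*|True:?*) echo "protected:vnet" ;;
        *)               echo "unprotected:vnet-not-protected" ;;
      esac ;;
    Disabled)
      echo "unprotected:disabled" ;;
    *)
      echo "unknown:${mode:-empty}" ;;        # missing or unexpected value
  esac
}

# Wrapper that queries Azure, then applies the logic above.
# Usage: check_public_ip MyResourceGroup MyPublicIp MyVirtualNetwork
# Returns 0 when protected, 1 when not, 2 when a query fails.
check_public_ip() {
  local rg="$1" ip="$2" vnet="$3" mode enabled plan verdict
  mode=$(az network public-ip show --resource-group "$rg" --name "$ip" \
           --query ddosSettings.protectionMode -o tsv) || return 2
  enabled=$(az network vnet show --resource-group "$rg" --name "$vnet" \
           --query enableDdosProtection -o tsv) || return 2
  plan=$(az network vnet show --resource-group "$rg" --name "$vnet" \
           --query ddosProtectionPlan.id -o tsv) || return 2
  verdict=$(ddos_verdict "$mode" "$enabled" "$plan")
  echo "$ip: $verdict"
  case "$verdict" in protected:*) return 0 ;; *) return 1 ;; esac
}
```

Because check_public_ip returns a non-zero status for anything other than a protected verdict, it can gate a deployment pipeline or a scheduled audit job.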
Conclusion
In this tutorial, we covered how to create a resource group, virtual network, and DDoS Protection plan using the Azure CLI. We also covered how to enable DDoS Protection on a public IP address and a virtual network, and how to verify that DDoS Protection is enabled on your resources.
By following these steps, you can ensure that your Azure resources are protected against DDoS attacks, helping you to keep your applications and services available to your users.