Deploying DDoS Protection Standard with Azure Policy

Published Nov 30 2020 01:08 PM 3,297 Views

One of the most important questions customers ask when deploying Azure DDoS Protection Standard for the first time is how to manage the deployment at scale. A DDoS Protection Plan represents an investment in protecting the availability of resources, and this investment must be applied intentionally across an Azure environment.


Creating a DDoS Protection Plan and associating a few virtual networks using the Azure portal takes a single administrator just minutes, making it one of the easiest to deploy resources in Azure. However, in larger environments this can be a more difficult task, especially when it comes to managing the deployment as network assets multiply.


Azure DDoS Protection Standard is deployed by creating a DDoS Protection Plan and associating VNets to that plan. The VNets can be in any subscription in the same tenant as the plan. While the deployment is done at the VNet level, the protection and the billing are both based on the public IP address resources associated to the VNets. For instance, if an Application Gateway is deployed in a certain VNet, its public IP becomes a protected resource, even though the virtual network itself only directly contains private addresses.


A consideration worth making is that the cost is not insignificant – a DDoS Protection plan starts at $3,000 USD per month for up to 100 protected IPs, adding $30 per public IP beyond 100. When the commitment has been made to investing in this protection, it is very important for you to be able to ensure that investment is applied across all required assets.


Azure Policy to Audit and Deploy

We just posted an Azure Policy sample to the Azure network security GitHub repository that will audit whether a DDoS Protection Plan is associated to VNets, then optionally create a remediation task that will create the association to protect the VNet.


The logic of the policy can be seen in the screenshot below. All virtual networks in the assignment scope are evaluated against the criteria of whether DDoS Protection is enabled and has a plan attached:




Further down in the definition, there is a template that creates the association of the DDoS Protection Plan to the VNets in scope. Let’s look at what it takes to use this sample in a real environment.


Creating a Definition

To create an Azure Policy Definition:


  1. Navigate to Azure Policy --> Definitions and select '+ Policy Definition.'
  2. For the Definition Location field, select a subscription. This policy will still be able to be assigned to other subscriptions via Management Groups.
  3. Define an appropriate Name, Description, and Category for the Policy.
  4. In the Policy Rule box, replace the example text with the contents of VNet-EnableDDoS.json
  5. Save.


Assigning the Definition

Once the Policy Definition has been created, it must be assigned to a scope. This gives you the ability to either deploy the policy to everything, using either Management Group or Subscription as the scope, or select which resources get DDoS Protection Standard protection based on Resource Group.

To assign the definition:


  1. From the Policy Definition, click Assign.
  2. On the Basics tab, choose a scope and exclude resources if necessary.
  3. On the Parameters tab, choose the Effect (DeployIfNotExists if you want to remediate) and paste in the Resource ID of the DDoS Protection Plan in the tenant:


  4. On the Remediation tab, check the box to create a remediation task and choose a location for the managed identity to be created. Network Contributor is an appropriate role:


  5. Create.


Modifying the Policy Definition

The process outlined above can be used to apply DDoS Protection to collections of resources as defined by the boundaries of management groups, subscriptions, and resource groups. However, these boundaries do not always represent an exhaustive list of where DDoS Protection should or should not be applied. Sure, some customers want to attach a DDoS Protection Plan to every VNet, but most will want to be more selective.


Even if resource groups are granular enough to determine whether DDoS Protection should be applied, Policy Assignments are limited to a single RG per assignment, so the process of creating an assignment for every resource group is prohibitively tedious.


One solution to the problem of policy scoping is to modify the definition rather than the assignment. Let’s use the example of an environment where DDoS Protection is required for all production resources. Production environments could exist in many different subscriptions and resource groups, and this could change as new environments are stood up.


The solution here is to use tags as the identifier of production resources. In order to use this as a way to scope Azure Policy Assignments, you must modify the definition. To do this, a short snippet needs to be added to the policy rule, along with corresponding parameters (or copied from VNet-EnableDDoS-Tags.json)




After modifying a definition to look for tag values, the corresponding assignment will look slightly different:




In this configuration, a single Policy Definition can be assigned to a wide scope, such as a Management Group, and every tagged resource within will be in scope.


Verifying Compliance

When a Policy Assignment is created using a remediation action, the effect of the policy should guarantee compliance with requirements. To gain visibility into the auditing and remediation done by the policy, you can go to Azure Policy à Compliance and select the assignment to monitor:




A successful remediation task denotes that the VNet is now protected by Azure DDoS Protection Standard.


End-to-End Management with Azure Policy

Moving beyond plan association to VNets, there are some other requirements of DDoS Protection that Azure Policy can help with.


On the Azure network security GitHub repo, you can find a policy to restrict creation of more than one DDoS Protection Plan per tenant, which helps to ensure that those with access cannot inadvertently drive up costs.


Another sample is available to keep diagnostic logs enabled across all Public IP Addresses, which keeps valuable data flowing to the teams that care about such data.


The point that should be taken from this post is that Azure Policy is a great mechanism to audit and enforce compliance with DDoS Protection requirements, and it has the power to control most other aspects of Azure security and compliance.


Occasional Visitor

The links to github appear to be broken. Can these be updated please. Thanks!


@linaIT thanks for the heads-up! The links have been updated. Thanks for being patient as we reorganize our repo.

Occasional Visitor

Thanks Anthony - great article by the way.

Occasional Visitor

This is a great article.  Thanks for sharing.


I do want to warn anyone planning to use this as is that the arm template will set your DDoS settings to enabled and apply the plan (awesome), but it will also change your DNS server settings on your virtual networks from custom to azure provided if you use custom dns (not awesome).  If any machines get rebooted after this happens, you may no longer be able to sign on or connect to some resources internally.  In our case, we applied this to over 100+ virtual networks with a policy remediation task and it broke all of our custom DNS.  We have reached out to Microsoft on it, so I will follow up if we get an answer.

 The issue was that the template basically replaced the existing dhcp properties.  This was the message in the logs:

DhcpOptions contains an array of DNS servers available to VMs deployed in the virtual network. Standard DHCP option for a subnet overrides VNET DHCP options.

And a screenshot: 

Screen Shot 2021-03-03 at 8.30.49 PM.png


@jsoconno thank you for the feedback. Yes, we did recently discover this same issue and are working to resolve. For now, if you know you have custom DNS servers set on the VNets this policy will apply to, you can add the following line to the properties in the deployment section:

                              "dhcpOptions": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName')), '2020-07-01', 'Full').properties.dhcpOptions]",

Unfortunately, doing this causes the deployment to fail when there are no dhcpOptions set, so make sure to scope accordingly. We expect to come up with a solution soon that allows one policy to cover both scenarios. If you happen to think of a solution before we get a chance, feel free to submit a pull request to our repo.

Thanks again for reading!

Version history
Last update:
‎Feb 09 2021 09:51 AM
Updated by: