Skip to content

How to protect your Azure resources against DDoS attacks

As #Azure cloud architects who deal with cybersecurity every day, SNOK is well aware that defending against #DDoS attacks is one of the most difficult challenges posed by modern technology. DDoS attacks can vary widely, from relatively simple to...

SNOK, as #Azure cloud architects who deal with cybersecurity every day, is well aware that defending against #DDoS attacks is one of the most difficult challenges posed by modern technology.

DDoS attacks can vary widely, from relatively simple to highly sophisticated, and predicting attack patterns is difficult, making them a persistent threat. Their aim is to flood our resources with traffic from multiple sources, rendering them unresponsive to legitimate users and, in extreme cases, causing service outages.

It is essential to follow best practices and implement robust measures to minimise their impact, particularly when our SAP systems are exposed to the outside world.

One of the best approaches is to use a multi-layered strategy, for example an architecture with two resource groups (RGs) and one VNet. A DDoS protection plan is added to the VNet component, but it can also be added directly to a public IP address.

The first RG is connected to a public IP and contains a #WAF (Web Application Firewall) to filter traffic from the internet to the RG containing the application service, represented by a Linux web application and a service plan. Connections from the internet are filtered by the DDoS protection plan to check for patterns recognised as DDoS attacks before they reach the application gateway, which contains the WAF.

This multi-layered approach, combined with other best practices such as deploying Azure DDoS Protection, provides very good protection against DDoS attacks, guaranteeing the availability and security of cloud resources. The DDoS protection plan and the WAF work together to filter and block malicious traffic, allowing only legitimate traffic to flow through to the application service.

Azure DDoS Protection is an automated solution that is precisely tuned to protect specific Azure resources within a VNet and requires no changes to the application or resources.

It offers two levels of protection - basic and standard. Basic protection is automatically enabled across all Azure services at no additional cost, while standard protection offers advanced features and broader protection capabilities.

By following best practices and deploying Azure DDoS Protection, we can ensure the availability and security of our applications and services in the face of an ever-evolving DDoS threat landscape. Its automated, precisely tuned capabilities and two-tier protection options make it a reliable solution that can help us stay ahead of potential attacks.

In summary, we should treat adherence to best practices and the deployment of Azure DDoS Protection as key steps in securing our resources against DDoS attacks. Combining a multi-layered approach, a DDoS protection plan and a WAF, together with other best practices, provides robust defence against these attacks, guaranteeing the availability and security of our resources in the cloud.

If you need support in configuring this service, please get in touch with us.

Tematy: Other it-advisory-integration Microsoft Azure

Get in touch