One of the most important questions customers ask when deploying Azure DDoS Protection Standard for the first time is how to manage the deployment at scale. A DDoS Protection Plan represents an inves...
I do want to warn anyone planning to use this as-is that the ARM template will set your DDoS settings to enabled and apply the plan (awesome), but it will also change your DNS server settings on your virtual networks from custom to Azure-provided if you use custom DNS (not awesome). If any machines get rebooted after this happens, you may no longer be able to sign on or connect to some resources internally. In our case, we applied this to over 100+ virtual networks with a policy remediation task and it broke all of our custom DNS. We have reached out to Microsoft on it, so I will follow up if we get an answer.
The issue was that the template basically replaced the existing DHCP properties. This was the message in the logs:
DhcpOptions contains an array of DNS servers available to VMs deployed in the virtual network. Standard DHCP option for a subnet overrides VNET DHCP options.
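The regression described in the comment above can be caught by comparing VNet DNS settings before and after a remediation run. The following is an added example, not part of the original post or comment: it assumes both snapshots come from `az network vnet list -o json`, and the sample records, the `SUB` placeholder, and all function names are constructed for illustration.

```python
import json

# Constructed sample data shaped like `az network vnet list -o json` output,
# taken before and after the remediation task. SUB and the names are placeholders.
RID = "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/"

def vnet(name, dns, ddos):
    """Build one constructed VNet record; dns=None models a dropped dhcpOptions."""
    return {"id": RID + name, "enableDdosProtection": ddos,
            "dhcpOptions": None if dns is None else {"dnsServers": dns}}

BEFORE = [vnet("vnet-a", ["10.0.0.4", "10.0.0.5"], False), vnet("vnet-b", [], False),
          vnet("vnet-c", ["10.1.0.4"], True)]
AFTER = [vnet("vnet-a", None, True), vnet("vnet-b", [], True),
         vnet("vnet-c", ["10.1.0.4"], True)]

def custom_dns(v):
    """Return the VNet's custom DNS servers; an empty list means Azure-provided DNS."""
    return list((v.get("dhcpOptions") or {}).get("dnsServers") or [])

def dns_regressions(before, after):
    """List VNets that had custom DNS servers before and lost any of them after."""
    after_by_id = {v["id"].lower(): v for v in after}
    findings = []
    for old in before:
        new = after_by_id.get(old["id"].lower())
        if new is None:
            continue  # VNet absent from the second snapshot: nothing to compare
        lost = [s for s in custom_dns(old) if s not in custom_dns(new)]
        if lost:
            findings.append({"id": new["id"], "lost": lost,
                             "restore": custom_dns(old),
                             "ddos_enabled": bool(new.get("enableDdosProtection"))})
    return findings

def restore_command(finding):
    """Build the az CLI call that puts the original DNS servers back."""
    return "az network vnet update --ids {} --dns-servers {}".format(
        finding["id"], " ".join(finding["restore"]))

if __name__ == "__main__":
    for f in dns_regressions(BEFORE, AFTER):
        print(json.dumps(f))
        print(restore_command(f))
```

Taking the "before" snapshot prior to assigning the policy gives a record of the original DNS servers to restore from if the remediation task overwrites them.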