Forum Discussion
sachip-msft
Microsoft
Dec 06, 2022
Azure Firewall Public IP and DDoS protection
Hi,
We have a zero trust network setup where we use Azure Firewall Standard Edition with a hub/spoke model. There is a mandatory requirement to assign a few public IP addresses to the firewall, we have i...
josequintino
Apr 22, 2023
MCT
Hi sachip-msft
1. If the Azure Firewall public IPs are not included in a DDoS protection plan, they will be protected by Azure's basic DDoS protection. This basic protection is designed to handle common network layer attacks and comes at no additional cost. However, it does not have the same level of customization, mitigation policies, and attack telemetry as the Standard DDoS protection plan. If your network doesn't require the additional features provided by the Standard DDoS protection plan, you may choose to rely on basic protection.
2. Azure Firewall has some built-in protections against DDoS attacks. It is a stateful firewall that automatically scales to handle changing network traffic. It can handle millions of flows simultaneously, and Azure's basic DDoS protection will help mitigate common network layer attacks. However, for more advanced protection and features, the Standard DDoS protection plan is recommended.
3. There isn't a strict recommendation that customers must use a DDoS protection plan when deploying an Azure Firewall. The decision depends on your specific requirements and risk tolerance. If your network is not exposed to the internet, and you don't expect any high-profile or targeted attacks, you may decide that the basic protection is sufficient. However, for enhanced security, customization, and peace of mind, a Standard DDoS protection plan is recommended.
In summary, if your environment has no ingress and the only resources in the DDoS plan are the Firewall's public IPs, you may choose to rely on Azure's basic DDoS protection, keeping in mind that it won't provide the same level of protection, customization, and telemetry as the Standard plan.
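As an added check (not part of the original thread), the Python below walks Azure Firewall and virtual network resources in the JSON shape returned by `az network firewall show` and `az network vnet show`, and reports which firewall public IPs would rely on basic DDoS protection because no DDoS protection plan is linked to the VNet hosting AzureFirewallSubnet. The resource names and IDs are constructed placeholders; it assumes the ARM property names `ipConfigurations`, `publicIPAddress`, `subnet`, `enableDdosProtection` and `ddosProtectionPlan`.

```python
"""Added check: which Azure Firewall public IPs fall back to basic DDoS protection.
Sample data below is constructed and shaped like `az network ... show` output."""
from typing import Dict, List

SUB = "/subscriptions/<placeholder-sub>/resourceGroups/hub-rg/providers/Microsoft.Network"

# Constructed sample: hub-azfw sits in hub-vnet (no plan), dmz-azfw in dmz-vnet (plan linked).
# Note: only the first ipConfiguration of an Azure Firewall carries the subnet reference;
# additional public IPs appear as ipConfigurations with publicIPAddress only.
SAMPLE_FIREWALLS: List[Dict] = [
    {"name": "hub-azfw", "ipConfigurations": [
        {"publicIPAddress": {"id": f"{SUB}/publicIPAddresses/azfw-pip-1"},
         "subnet": {"id": f"{SUB}/virtualNetworks/hub-vnet/subnets/AzureFirewallSubnet"}},
        {"publicIPAddress": {"id": f"{SUB}/publicIPAddresses/azfw-pip-2"}}]},
    {"name": "dmz-azfw", "ipConfigurations": [
        {"publicIPAddress": {"id": f"{SUB}/publicIPAddresses/dmz-azfw-pip"},
         "subnet": {"id": f"{SUB}/virtualNetworks/dmz-vnet/subnets/AzureFirewallSubnet"}}]},
]
SAMPLE_VNETS: Dict[str, Dict] = {
    "hub-vnet": {"enableDdosProtection": False, "ddosProtectionPlan": None},
    "dmz-vnet": {"enableDdosProtection": True,
                 "ddosProtectionPlan": {"id": f"{SUB}/ddosProtectionPlans/corp-ddos-plan"}},
}


def vnet_name_from_subnet_id(subnet_id: str) -> str:
    """Extract the VNet name from a subnet resource ID."""
    parts = subnet_id.split("/")
    return parts[parts.index("virtualNetworks") + 1]


def vnet_is_plan_protected(vnet: Dict) -> bool:
    """Covered by a Standard plan only if the flag is on AND a plan resource is linked."""
    plan = vnet.get("ddosProtectionPlan") or {}
    return bool(vnet.get("enableDdosProtection")) and bool(plan.get("id"))


def firewall_pip_coverage(firewalls: List[Dict], vnets: Dict[str, Dict]) -> Dict[str, str]:
    """Map each firewall public IP name to 'standard-plan' or 'basic'."""
    coverage: Dict[str, str] = {}
    for fw in firewalls:
        ipconfs = fw.get("ipConfigurations", [])
        # The firewall's subnet is on whichever ipConfiguration carries it (normally the first).
        subnet_ids = [c["subnet"]["id"] for c in ipconfs if c.get("subnet")]
        vnet = vnets.get(vnet_name_from_subnet_id(subnet_ids[0]), {}) if subnet_ids else {}
        tier = "standard-plan" if vnet_is_plan_protected(vnet) else "basic"
        for conf in ipconfs:
            pip = conf.get("publicIPAddress")
            if pip:  # skip configurations that carry no public IP
                coverage[pip["id"].rsplit("/", 1)[-1]] = tier
    return coverage


if __name__ == "__main__":
    for name, tier in firewall_pip_coverage(SAMPLE_FIREWALLS, SAMPLE_VNETS).items():
        print(f"{name}: {tier}")
```

Feed it real `az` output (for example `az network firewall list` and `az network vnet list`, parsed with `json.load`) to audit which firewall public IPs in a hub/spoke deployment are outside any DDoS protection plan.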