Dec 06 2022 08:14 AM
Hi,
We have a zero trust network setup where we use Azure Firewall Standard Edition with a hub/spoke model. There is a mandatory requirement to assign a few public IP addresses to the firewall, and we have included these assigned public IP addresses in a DDoS plan as well. There is no ingress in this environment (it is a backend message processing system which does not need any internet / frontend web APIs).
As we are running this in production, we see many DDoS mitigation alerts on firewall Public IPs.
We are thinking of reducing cost and removing the DDoS protection plan, because the only resources that are in the plan are the firewall's public IP addresses. Hence the questions are:
1. How will the Azure Firewall behave if its assigned public IPs are not included in a DDoS protection plan?
2. Does Azure Firewall internally have a built-in mechanism to defend against DDoS attacks on its public IPs?
3. Is there a standard recommendation that when Azure Firewall is deployed, customers must also use a DDoS plan?
Mar 27 2023 10:39 PM - edited Mar 27 2023 10:42 PM
Azure Firewall has NO built-in DDoS protection feature. You must enroll in a DDoS Plan and join. By default Microsoft provides basic DDoS prevention for free. It is usually advisable to have DDoS protection if you have computers that have internet traffic or a public IP address.
However, you can associate a DDoS Protection Plan with an Azure Firewall in a virtual network that already contains a DDoS Protection Plan. You can create and manage your Azure DDoS Protection Plans using Firewall Manager.
Refer to this URL: https://learn.microsoft.com/en-us/azure/firewall-manager/configure-ddos
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
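As an added example (not part of this thread, and not Microsoft's code), here is an offline audit that answers the original question "are my firewall's public IPs actually covered by a DDoS plan?" from exported resource JSON. It assumes the ARM property names for `azureFirewalls`, `publicIPAddresses` (`ddosSettings.protectionMode`) and `virtualNetworks` (`enableDdosProtection`, `ddosProtectionPlan`); the resource ids and the sample environment are constructed placeholders.

```python
FIREWALL_TYPE = "Microsoft.Network/azureFirewalls"


def build_sample(plan_id=None):
    """Constructed hub VNet + firewall + two public IPs, shaped like ARM JSON.
    plan_id=None models the VNet after the DDoS Network Protection plan is removed."""
    vnet_props = {"enableDdosProtection": plan_id is not None}
    if plan_id:
        vnet_props["ddosProtectionPlan"] = {"id": plan_id}
    return [
        {"id": "vnet/hub-vnet", "type": "Microsoft.Network/virtualNetworks",
         "properties": vnet_props},
        {"id": "pip/fw-pip-1", "type": "Microsoft.Network/publicIPAddresses",
         "properties": {"ddosSettings": {"protectionMode": "VirtualNetworkInherited"}}},
        {"id": "pip/fw-pip-2", "type": "Microsoft.Network/publicIPAddresses",
         # Per-IP DDoS IP Protection SKU, independent of any VNet-level plan
         "properties": {"ddosSettings": {"protectionMode": "Enabled"}}},
        {"id": "fw/hub-fw", "type": FIREWALL_TYPE,
         "properties": {"ipConfigurations": [
             # Only the first ipConfiguration carries the AzureFirewallSubnet reference
             {"properties": {"subnet": {"id": "vnet/hub-vnet/subnets/AzureFirewallSubnet"},
                             "publicIPAddress": {"id": "pip/fw-pip-1"}}},
             {"properties": {"publicIPAddress": {"id": "pip/fw-pip-2"}}}]}},
    ]


def coverage(pip, vnet):
    """Classify one public IP: per-IP SKU, VNet plan, or only the free platform-level protection."""
    mode = pip["properties"].get("ddosSettings", {}).get("protectionMode",
                                                        "VirtualNetworkInherited")
    if mode == "Enabled":
        return "ip-protection"
    vp = vnet["properties"] if vnet else {}
    if mode == "VirtualNetworkInherited" and vp.get("enableDdosProtection") and vp.get("ddosProtectionPlan"):
        return "network-protection"
    return "infrastructure-only"


def audit_firewalls(resources):
    """Map every firewall public IP id to its DDoS coverage class."""
    by_id = {r["id"]: r for r in resources}
    report = {}
    for fw in (r for r in resources if r["type"] == FIREWALL_TYPE):
        vnet = None
        for cfg in fw["properties"]["ipConfigurations"]:
            props = cfg["properties"]
            if "subnet" in props:  # resolve the hub VNet from the subnet id
                vnet = by_id[props["subnet"]["id"].split("/subnets/")[0]]
            if "publicIPAddress" in props:
                pip = by_id[props["publicIPAddress"]["id"]]
                report[pip["id"]] = coverage(pip, vnet)
    return report
```

Run `audit_firewalls(build_sample())` to see the "plan removed" case: the inherited IP drops to infrastructure-only protection while the IP with its own SKU stays covered.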
Apr 22 2023 03:50 AM