If you are considering activating Azure DDoS Protection Standard – a great solution to better protect the resources in your Azure Virtual Networks (VNets) from DDoS attacks – you may ask yourself: in which VNet(s) should you enable the service? Or how many Public IPs does the base price cover? This is not always trivial to find out, especially if you have a large or complex Azure infrastructure made of multiple VNets and several types of public resources.
Azure DDoS Protection Standard protects the following public resources:
Virtual Machine Network Interface Cards (NICs) with a Public IP directly attached
Virtual Network Gateways
Public Load Balancers
The biggest challenge when estimating DDoS Protection Standard usage is that counting how many Public IPs live in a VNet is not easy math, because there is no direct association between a Public IP and a VNet. There is always at least one resource in between, bridging the two: NICs, Application Gateways, Bastion hosts, Firewalls, etc. all reference both the subnet they were deployed in and the Public IP that exposes them to the Internet.
Public Load Balancers make it harder still: a Public Load Balancer is not deployed into any subnet, its frontend references the Public IP, and its backend pools reference only the IP configurations of the backend NICs, so the VNet has to be inferred from those NICs. This math can get very complicated!
This article helps you identify all the Public IPs in use and the VNet each one belongs to, so that you can prioritize protecting the VNets with the most critical public resources and, on the way, estimate the cost of the solution – Azure DDoS Protection Standard base pricing covers up to 100 Public IPs, with each additional Public IP billed individually (see pricing details).
The Public IPs per VNet math is done with the help of three Azure Resource Graph (ARG) queries. Each query returns the same columns, so you can export the results to CSV and join them together. Unfortunately, ARG has limitations that do not allow a single query joining everything. For your convenience, I published a PowerShell script (the Az.Accounts and Az.ResourceGraph PowerShell modules are required) that does all this and nicely gives you a single CSV file at the end. You can then import the CSV(s) into Excel and build a pivot table aggregating Public IP counts per VNet. These are the columns returned:
Id - Public IP resource Id
ipAddress – Public IP address (may be empty for a dynamically allocated Public IP whose associated resource is not currently allocated)
name – Public IP name
associatedResourceType – networkinterfaces, azurefirewalls, etc.
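As an added example of the chain described above (this is not one of the author's published queries, which are not reproduced on this page), the ARG query below resolves every Public IP attached to a network interface to its VNet: the Public IP's properties.ipConfiguration.id points at the NIC IP configuration, the NIC IP configuration points at its subnet, and the subnet's resource Id is prefixed by the VNet's Id. The associatedResourceType column is derived from the resource-type segment of that ipConfiguration Id, so the first half of the query also classifies Public IPs attached to firewalls, bastions and so on. The column names match the list above; the vnetId and subnetId columns are additions of this example, an assumption about how the per-VNet pivot is keyed, not columns the article lists.

```kusto
// Public IPs attached to network interfaces, resolved to the VNet of the NIC's subnet.
// Added example, not the author's published query. vnetId/subnetId are added columns.
resources
| where type =~ 'microsoft.network/publicipaddresses'
// properties.ipConfiguration.id points at the IP configuration of whatever resource
// uses this Public IP (NIC, Load Balancer frontend, Azure Firewall, Bastion, ...).
// Resource Ids are not case-consistent across ARG, so lower-case before joining.
| extend ipConfigId = tolower(tostring(properties.ipConfiguration.id))
| where isnotempty(ipConfigId)
// Segment 7 of '/subscriptions/../resourcegroups/../providers/microsoft.network/<type>/..'
// is the resource type, e.g. 'networkinterfaces', 'azurefirewalls', 'loadbalancers'.
| extend associatedResourceType = tostring(split(ipConfigId, '/')[7])
| where associatedResourceType == 'networkinterfaces'
| project id, ipAddress = tostring(properties.ipAddress), name, associatedResourceType, ipConfigId
| join kind=inner (
    resources
    | where type =~ 'microsoft.network/networkinterfaces'
    // One row per NIC IP configuration; each carries the Id of its subnet.
    | mv-expand ipConfig = properties.ipConfigurations
    | extend ipConfigId = tolower(tostring(ipConfig.id))
    | extend subnetId = tolower(tostring(ipConfig.properties.subnet.id))
    // A subnet Id is '<vnetId>/subnets/<subnetName>', so the VNet Id is the prefix.
    | project ipConfigId, subnetId, vnetId = substring(subnetId, 0, indexof(subnetId, '/subnets/'))
) on ipConfigId
| project id, ipAddress, name, associatedResourceType, vnetId, subnetId
```

Run it in Resource Graph Explorer in the Azure Portal, or pass it to Search-AzGraph as a here-string; with more than a page of matching Public IPs, page through the results with -First and -SkipToken. Two caveats: mv-expand in ARG caps the number of rows expanded per record (400 at the time of writing), which is more than enough for a NIC's IP configurations, and dropping the final where on associatedResourceType gives you the full classification of Public IPs by owning resource type, which is useful on its own when deciding which VNets to prioritize.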
This is the most complex of the three queries, because it must walk the Load Balancer backend pools to the backend network interfaces in order to identify their VNet. Due to its complexity, this query can only be run as-is in the Azure Portal, and it had to be adapted in the PowerShell script I referred to above to work around the ARG limitations I already mentioned.
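As an added illustration of the chain that makes the Load Balancer case hard (again an added example, not the author's query), the ARG query below resolves Public IPs on Public Load Balancers: the Public IP's ipConfiguration Id identifies the Load Balancer frontend, the Load Balancer's backendAddressPools list the backend NIC IP configurations, and those NIC IP configurations carry the subnet and hence the VNet. It needs two join operators, within the cap ARG places on joins per query (three at the time of writing). As in the previous example, vnetId is an added column.

```kusto
// Public IPs on Public Load Balancers, resolved to the VNet of the backend NICs.
// Added example, not the author's query. vnetId is an added column.
resources
| where type =~ 'microsoft.network/publicipaddresses'
| extend feIpConfigId = tolower(tostring(properties.ipConfiguration.id))
// For a Load Balancer the Id is '<lbId>/frontendipconfigurations/<name>'.
| where tostring(split(feIpConfigId, '/')[7]) == 'loadbalancers'
| extend lbId = substring(feIpConfigId, 0, indexof(feIpConfigId, '/frontendipconfigurations/'))
| project id, ipAddress = tostring(properties.ipAddress), name, associatedResourceType = 'loadbalancers', lbId
// Join 1: Load Balancer -> backend NIC IP configurations, one row per pool member.
// leftouter keeps Public IPs whose Load Balancer has no NIC-based backend yet.
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.network/loadbalancers'
    | mv-expand pool = properties.backendAddressPools
    | mv-expand beIpConfig = pool.properties.backendIPConfigurations
    | project lbId = tolower(id), ipConfigId = tolower(tostring(beIpConfig.id))
) on lbId
// Join 2: NIC IP configuration -> subnet -> VNet, the same prefix trick as for NICs.
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.network/networkinterfaces'
    | mv-expand ipConfig = properties.ipConfigurations
    | extend ipConfigId = tolower(tostring(ipConfig.id))
    | extend subnetId = tolower(tostring(ipConfig.properties.subnet.id))
    | project ipConfigId, vnetId = substring(subnetId, 0, indexof(subnetId, '/subnets/'))
) on ipConfigId
// All backend NICs of one Load Balancer live in the same VNet, so this collapses
// the per-member rows back to one row per Public IP.
| distinct id, ipAddress, name, associatedResourceType, vnetId
```

A Public IP whose Load Balancer has empty backend pools, or only IP-based backend addresses rather than NIC IP configurations, comes out with an empty vnetId thanks to the leftouter joins; it still appears in the export, so you can assign it to a VNet by hand instead of silently losing it from the count. Because the join keys are lower-cased resource Ids, the query is insensitive to the mixed casing ARG returns for the same Id from different resource types.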
And that’s it! Your Azure DDoS Protection Standard cost estimation is now much easier. Hope this helps ;)
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.