QuickStart: Create and configure Azure DDoS Network Protection using ARM template
This QuickStart describes how to use an Azure Resource Manager template (ARM template) to create a distributed denial of service (DDoS) protection plan and virtual network (VNet), then enables the protection plan for the VNet. An Azure DDoS Network Protection plan defines a set of virtual networks that have DDoS protection enabled across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Review the template
The template used in this quickstart is from Azure Quickstart Templates.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "14909118711877377105"
}
},
"parameters": {
"ddosProtectionPlanName": {
"type": "string",
"metadata": {
"description": "Specify a DDoS protection plan name."
}
},
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "Specify a DDoS virtual network name."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specify a location for the resources."
}
},
"vnetAddressPrefix": {
"type": "string",
"defaultValue": "172.17.0.0/16",
"metadata": {
"description": "Specify the virtual network address prefix"
}
},
"subnetPrefix": {
"type": "string",
"defaultValue": "172.17.0.0/24",
"metadata": {
"description": "Specify the virtual network subnet prefix"
}
},
"ddosProtectionPlanEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Enable DDoS protection plan."
}
}
},
"resources": [
{
"type": "Microsoft.Network/ddosProtectionPlans",
"apiVersion": "2021-05-01",
"name": "[parameters('ddosProtectionPlanName')]",
"location": "[parameters('location')]"
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-05-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "default",
"properties": {
"addressPrefix": "[parameters('subnetPrefix')]"
}
}
],
"enableDdosProtection": "[parameters('ddosProtectionPlanEnabled')]",
"ddosProtectionPlan": {
"id": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosProtectionPlanName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosProtectionPlanName'))]"
]
}
]
}
The template defines two resources:
Deploy the template
In this example, the template creates a new resource group, a DDoS protection plan, and a VNet.
To sign in to Azure and open the template, select the Deploy to Azure button.
Enter the values to create a new resource group, DDoS protection plan, and VNet name.
- Subscription: Name of the Azure subscription where the resources will be deployed.
- Resource group: Select an existing resource group or create a new resource group.
- Region: The region where the resource group is deployed, such as East US.
- Ddos Protection Plan Name: The name of for the new DDoS protection plan.
- Virtual Network Name: Creates a name for the new VNet.
- Location: Function that uses the same region as the resource group for resource deployment.
- Vnet Address Prefix: Use the default value or enter your VNet address.
- Subnet Prefix: Use the default value or enter your VNet subnet.
- Ddos Protection Plan Enabled: Default is
true
to enable the DDoS protection plan.
Select Review + create.
Verify that template validation passed and select Create to begin the deployment.
Review deployed resources
To copy the Azure CLI or Azure PowerShell command, select the Copy button. The Try it button opens Azure Cloud Shell to run the command.
az network ddos-protection show \
--resource-group MyResourceGroup \
--name MyDdosProtectionPlan
The output shows the new resources.
{
"etag": "W/\"abcdefgh-1111-2222-bbbb-987654321098\"",
"id": "/subscriptions/b1111111-2222-3333-aaaa-012345678912/resourceGroups/MyResourceGroup/providers/Microsoft.Network/ddosProtectionPlans/MyDdosProtectionPlan",
"location": "eastus",
"name": "MyDdosProtectionPlan",
"provisioningState": "Succeeded",
"resourceGroup": "MyResourceGroup",
"resourceGuid": null,
"tags": null,
"type": "Microsoft.Network/ddosProtectionPlans",
"virtualNetworks": [
{
"id": "/subscriptions/b1111111-2222-3333-aaaa-012345678912/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet",
"resourceGroup": "MyResourceGroup"
}
]
}
Clean up resources
When you're finished you can delete the resources. The command deletes the resource group and all the resources it contains.
az group delete --name MyResourceGroup
Next steps
To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.