Azure DDoS - Public IP and Virtual network

Question

Dear Team,

We have a setup where we are going to use a public ip for Azure Firewall (Hub vNet) and this Azure Firewall is in a virtual network (Hub vNet) which is connecting to backend application running on ARO on seprate vNet (Spoke vNet)

Do I need to use both Azure DDoS IP protection to protect public IP and Azure DDoS network protection to protect virtual nerwork.

Please advice.

Answer 1

Hi,

For your Azure setup with a public IP for Azure Firewall in a Hub VNet and backend applications in a Spoke VNet, you should apply Azure DDoS Protection Standard to both the public IP and the virtual network. This protection will cover the public IP attached to your Azure Firewall and extend enhanced DDoS mitigation capabilities to your entire virtual network, including your backend applications. This approach ensures comprehensive protection against DDoS attacks for both the network entry point and the internal network infrastructure.

Kindly if you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.

Answer 2

Yes, that's correct. For the public IP on the Azure Firewall, you use Azure DDoS IP protection. For the Hub and Spoke vNet architecture, you use Azure DDoS Network protection, which will cover the entire virtual network infrastructure. This two-tiered approach ensures both the specific entry point and the broader network are safeguarded against DDoS attacks.

Kindly if you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.