DDoS Protection of azure services with Application gateway

Satyam Chauhan 492 Reputation points
2023-03-16T20:20:39.6966667+00:00

Hi,

I want to protect my app services and other azure services from DDoS attack, for this I wanted to implement DDoS Network Protection with PaaS web application architecture https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures#paas-web-application

ddos-network-protection-paas-web-app

I created an application gateway of WAF tier. In the backend pool I added the app services to be protected from DDoS attacks.

I am now able to access the application from both ways, using the default domain of the app services and by using the public ip address of the application gateway. I am not able to understand which one of them is DDoS protected.

Please help as I am new to Application gateway.

Thanks,

Satyam

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
949 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 22,136 Reputation points Microsoft Employee
    2023-03-17T00:49:01.4866667+00:00

    @Satyam Chauhan

    Thank you for reaching out and glad to know you are proceeding with this approach. I have replied to your previous query here.

    I am now able to access the application from both ways, using the default domain of the app services and by using the public ip address of the application gateway. I am not able to understand which one of them is DDoS protected.

    The public IP address of the application gateway will be protected by DDOS, as Azure DDOS protects the Public IPs of the resources that are deployed in ARM based VNETs. This is the list of services which can be protected.

    I understand that your web-app is still accessible over internet by its default domain, the solution here is apply restrictions on your Web-app so that it only accepts traffic from your Application Gateway. You can restrict this access by using Access restriction rules based on service endpoints this allows you to lock down inbound access to the app making sure the source address is from Application Gateway OR Use Azure App Service static IP restrictions. For example, you can restrict the web app so that it only receives traffic from the application gateway. Use the app service IP restriction feature to list the application gateway VIP as the only address with access. This is currently documentation here.

    I understand you are new to Azure Application Gateway. You can go through this video to understand how Application Gateway works.

    As you are planning to proceed with this approach, I just wanted to share that there multiple ways you can integrate you integrate your web app with application gateway. You can go through this document for more information.

    Hope this helps! Please let me know if you have any additional questions.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments