Enable DDoS During Landing Zone Accelerator (Deploy from a Custom Template)

Perry Chandler 145 Reputation points
2023-06-24T09:08:41.8266667+00:00

Hi,

I am using the Azure Landing Zone Accelerator GUI Configuration as an Information gathering exercise to ensure that I provide our IT team with the correct tools to support the Azure Landing Zone. They choose the options and we enable them in Terraform. My question regards DDoS specifically and the configuration option - "Enable DDoS Network Protection"

Microsoft Documentation, specifically this document:

https://azure.microsoft.com/en-us/blog/azure-ddos-protection-for-virtual-networks-generally-available/

Says that Basic Protection is enabled by Default.

What does that mean for the Terraform Installation, do we not have to configure DDoS at all within Terraform?

My concern is accidentally enabling DDoS Standard and costing the company £2,387.

Any help would be appreciated.

Thanks, Perry.


Accepted answer
    GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
    2023-06-26T12:02:57.8533333+00:00

    Hello @Perry Chandler ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are deploying Azure landing zones using Terraform referencing the Azure Landing Zone Accelerator GUI Configuration, and you would like to know if you don't have to configure DDoS protection as Basic DDoS Protection is enabled by default.

    As mentioned in the Deploy landing zones with Terraform document, the DDoS Protection plan module is optional: it can deploy DDoS Network Protection and link virtual networks to the plan if needed.

    NOTE: The Azure landing zones guidance recommends enabling DDoS Network Protection to increase protection of your Azure platform. To prevent unexpected costs in non-production and MVP deployments, this capability is disabled in the Azure landing zones Terraform module due to the cost associated with this resource. For production environments, we strongly recommend enabling this capability.

    Regarding the default DDoS protection - At no additional cost, Azure DDoS infrastructure protection protects every Azure service that uses public IPv4 and IPv6 addresses. This DDoS protection service helps to protect all Azure services, including platform as a service (PaaS) services such as Azure DNS. Azure DDoS infrastructure protection requires no user configuration or application changes. Azure provides continuous protection against DDoS attacks.

    Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#skus

    https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures

    https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#are-services-unsafe-in-azure-without-the-service-

    So, it completely depends on your requirement. If you have a production environment and want to increase protection of your Azure resources, you could optionally deploy the DDoS Protection plan resources using the azurerm_network_ddos_protection_plan Terraform module as mentioned in the link below:

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/deploy-landing-zones-with-terraform#ddos-protection-plan

    If you are fine with the default Azure DDoS infrastructure protection, then you don't need to add the DDoS Protection plan module to your Terraform installation.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

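The optional DDoS Protection plan the accepted answer describes, as an added Terraform example that is not part of the original thread or of the Azure landing zones Terraform module: the `azurerm_network_ddos_protection_plan` resource and the VNet link are both gated behind one boolean that defaults to `false`, so a non-production apply cannot create the billable resource by accident, and an output records whether a plan exists. Resource group, region, names and address space are assumed values.

```hcl
# Added example, not from the original thread or the Azure landing zones
# Terraform module. Names, resource group, region and address space are assumed.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "enable_ddos_network_protection" {
  description = "Deploy a DDoS Network Protection plan and link the hub VNet to it. Defaults to false because the plan is the billable resource; it must be opted into explicitly (e.g. for production)."
  type        = bool
  default     = false
}

resource "azurerm_resource_group" "connectivity" {
  name     = "rg-connectivity" # assumed name
  location = "uksouth"         # assumed region
}

# Created only when the flag is true (count = 0 otherwise), so the default
# 'terraform plan' contains no DDoS plan and incurs no plan charge.
resource "azurerm_network_ddos_protection_plan" "this" {
  count               = var.enable_ddos_network_protection ? 1 : 0
  name                = "ddos-plan-connectivity" # assumed name
  location            = azurerm_resource_group.connectivity.location
  resource_group_name = azurerm_resource_group.connectivity.name
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub" # assumed name
  location            = azurerm_resource_group.connectivity.location
  resource_group_name = azurerm_resource_group.connectivity.name
  address_space       = ["10.0.0.0/16"] # assumed range

  # With the flag false the block is omitted entirely and the VNet keeps the
  # no-cost infrastructure protection; with the flag true it is linked to the plan.
  dynamic "ddos_protection_plan" {
    for_each = var.enable_ddos_network_protection ? [1] : []
    content {
      id     = azurerm_network_ddos_protection_plan.this[0].id
      enable = true
    }
  }
}

# null when no plan was deployed; one() avoids indexing an empty count list.
output "ddos_protection_plan_id" {
  value = one(azurerm_network_ddos_protection_plan.this[*].id)
}
```

With the default, `terraform plan` should show no `azurerm_network_ddos_protection_plan` resource and no `ddos_protection_plan` block on the VNet; for a production deployment pass `-var enable_ddos_network_protection=true`. After apply, `az network ddos-protection list -o table` lists every plan in the subscription, which is the check to run if unexpected cost is the concern.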

