can Azure DDOS protection protect classic VMs at the level of IP address?

Question

can Azure DDOS protection protect classic VMs at the level of IP address?

Answer 1

Hello @Scott Richardson ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if Azure DDOS protection can protect classic VMs at the level of IP address.

As mentioned in the Azure DDoS Protection limitations doc,

Virtual machines in Classic/RDFE deployments aren't supported.

Cloud Services gets a default VIP (Virtual IP Address) when a VM is added to a cloud service. The Virtual IP Address is the address associated with the implicit load balancer. You can reserve an IP Address in Azure and associate it with a Cloud Service to ensure that the IP Address is sticky, but it still remains a Virtual IP address.

Public IP address (ARM model), however is a resource exposed by the Microsoft.Network provider. Public IP address can be static (reserved) or dynamic. Dynamic public IPs can be assigned to a Load Balancer. Public IPs can be secured using Security Groups.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/deployment-models#understand-support-for-the-models

If you want to protect the Public IP address using DDOS protection, then consider migrating them to ARM model.

When you migrate an existing public static IP address, reserved IPs, from the classic deployment model to Azure Resource Manager, the migrated public IP will be a basic SKU type and it is protected under DDoS Network Protection.

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/deployment-models#migrate-from-classic-to-resource-manager

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-upgrade-classic

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.