Configure Azure DDoS Protection metric alerts through portal

Azure DDoS Protection provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Microsoft Sentinel, Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

In this article, you'll learn how to configure metrics alerts through Azure Monitor.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.
  • DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection (Preview) must be enabled on a public IP address.
  • DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in Virtual network for Azure services (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this How-To guide, you can quickly create a Windows or Linux virtual machine.  

Configure metric alerts through portal

You can select any of the available Azure DDoS Protection metrics to alert you when there’s an active mitigation during an attack, using the Azure Monitor alert configuration.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter Alerts. Select Alerts in the search results.

  3. Select + Create on the navigation bar, then select Alert rule.

    Screenshot of creating Alerts.

  4. On the Create an alert rule page, select + Select scope, then select the following information in the Select a resource page.

    Screenshot of selecting DDoS Protection attack alert scope.

    Setting | Value
    Filter by subscription | Select the Subscription that contains the public IP address you want to log.
    Filter by resource type | Select Public IP Addresses.
    Resource | Select the specific Public IP address you want to log metrics for.

  5. Select Done, then select Next: Condition.

  6. On the Condition page, select + Add Condition, then in the Search by signal name search box, search and select Under DDoS attack or not.

    Screenshot of adding DDoS Protection attack alert condition.

  7. In the Create an alert rule page, enter or select the following information.

    Screenshot of adding DDoS Protection attack alert signal.

    Setting | Value
    Threshold | Leave as default.
    Aggregation type | Leave as default.
    Operator | Select Greater than or equal to.
    Unit | Leave as default.
    Threshold value | Enter 1. For the Under DDoS attack or not metric, 0 means you're not under attack while 1 means you are under attack.

  8. Select Next: Actions, then select + Create action group.

Create action group

  1. In the Create action group page, enter the following information, then select Next: Notifications.

    Screenshot of adding DDoS Protection attack alert action group basics.

    Setting | Value
    Subscription | Select your Azure subscription that contains the public IP address you want to log.
    Resource Group | Select your Resource group.
    Region | Leave as default.
    Action Group | Enter myDDoSAlertsActionGroup.
    Display name | Enter myDDoSAlerts.

  2. On the Notifications tab, under Notification type, select Email/SMS message/Push/Voice. Under Name, enter myUnderAttackEmailAlert.

    Screenshot of adding DDoS Protection attack alert notification type.

  3. On the Email/SMS message/Push/Voice page, select the Email check box, then enter the required email. Select OK.

    Screenshot of adding DDoS Protection attack alert notification page.

  4. Select Review + create and then select Create.

Continue configuring alerts through portal

  1. Select Next: Details.

    Screenshot of adding DDoS Protection attack alert details page.

  2. On the Details tab, under Alert rule details, enter the following information.

    Setting | Value
    Severity | Select 2 - Warning.
    Alert rule name | Enter myDDoSAlert.

  3. Select Review + create and then select Create after validation passes.

Within a few minutes of attack detection, you should receive an email from Azure Monitor metrics that looks similar to the following picture:

Screenshot of a DDoS Attack Alert.

You can also learn more about configuring webhooks and logic apps for creating alerts.
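
The alert rule and action group from the portal steps above, written as an ARM template so the same rule can be applied to each protected public IP address and kept under version control. This is an added example, not part of the original article: the parameter names, the API versions, the metric ID IfUnderDDoSAttack for the Under DDoS attack or not signal, and the Maximum / PT1M / PT5M evaluation settings are assumptions standing in for the values the article leaves at their portal defaults.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "publicIpResourceId": { "type": "string", "metadata": { "description": "Assumed parameter: resource ID of the public IP address chosen as the alert scope." } },
    "alertEmail": { "type": "string", "metadata": { "description": "Assumed parameter: address that receives the notification." } }
  },
  "variables": { "actionGroupId": "[resourceId('Microsoft.Insights/actionGroups', 'myDDoSAlertsActionGroup')]" },
  "resources": [
    {
      "type": "Microsoft.Insights/actionGroups",
      "apiVersion": "2019-06-01",
      "name": "myDDoSAlertsActionGroup",
      "location": "Global",
      "properties": {
        "groupShortName": "myDDoSAlerts",
        "enabled": true,
        "emailReceivers": [ { "name": "myUnderAttackEmailAlert", "emailAddress": "[parameters('alertEmail')]" } ]
      }
    },
    {
      "type": "Microsoft.Insights/metricAlerts",
      "apiVersion": "2018-03-01",
      "name": "myDDoSAlert",
      "location": "global",
      "dependsOn": [ "[variables('actionGroupId')]" ],
      "properties": {
        "description": "Fires while DDoS mitigation is active. Frequency, window and aggregation are assumed values; the article leaves them at the portal defaults.",
        "severity": 2,
        "enabled": true,
        "scopes": [ "[parameters('publicIpResourceId')]" ],
        "evaluationFrequency": "PT1M",
        "windowSize": "PT5M",
        "criteria": {
          "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
          "allOf": [ {
            "name": "UnderDDoSAttack",
            "criterionType": "StaticThresholdCriterion",
            "metricName": "IfUnderDDoSAttack",
            "operator": "GreaterThanOrEqual",
            "threshold": 1,
            "timeAggregation": "Maximum"
          } ]
        },
        "actions": [ { "actionGroupId": "[variables('actionGroupId')]" } ]
      }
    }
  ]
}
```

Deploy it into the resource group used above with `az deployment group create --resource-group <resource-group> --template-file <file> --parameters publicIpResourceId=<id> alertEmail=<address>`.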

Clean up resources

You can keep your resources for the next tutorial. If no longer needed, delete the alerts.

  1. In the search box at the top of the portal, enter Alerts. Select Alerts in the search results.

    Screenshot of Alerts page.

  2. Select Alert rules.

    Screenshot of Alert rules page.

  3. In the Alert rules page, select your subscription.

  4. Select the alerts created in this tutorial, then select Delete.

Next steps

In this article, you learned how to configure metric alerts through Azure Monitor.

To learn how to test and simulate a DDoS attack, see the simulation testing guide: