QuickStart: Create and configure Azure DDoS IP Protection using Azure CLI

Get started with Azure DDoS IP Protection by using Azure CLI. In this QuickStart, you'll enable DDoS IP protection and link it to a public IP address.

Diagram of DDoS IP Protection protecting the Public IP address.


Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Button to launch Azure Cloud Shell.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run az --version. If you need to install or upgrade, see Install the Azure CLI.

Create a resource group

In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.

To create a resource group, use az group create. In this example, we'll name our resource group MyResourceGroup and use the East US location:

    az group create \
        --name MyResourceGroup \
        --location eastus

Enable DDoS IP Protection on a public IP address

New public IP address

You can enable DDoS IP Protection when creating a public IP address. In this example, we'll name our public IP address myStandardPublicIP:

    az network public-ip create \
        --resource-group MyResourceGroup \
        --name myStandardPublicIP \
        --location eastus \
        --allocation-method Static \
        --sku Standard \
        --ddos-protection-mode Enabled

Existing public IP address

You can enable DDoS IP Protection on an existing public IP address.

    az network public-ip update \
        --resource-group MyResourceGroup \
        --name myStandardPublicIP \
        --ddos-protection-mode Enabled

Disable DDoS IP Protection:

You can disable DDoS IP Protection on an existing public IP address.

    az network public-ip update \
        --resource-group MyResourceGroup \
        --name myStandardPublicIP \
        --ddos-protection-mode Disabled 


When changing DDoS IP protection from Enabled to Disabled, telemetry for the public IP resource will no longer be active.

Validate and test

Check the details of your DDoS IP Protection:

    az network public-ip show \
        --resource-group MyResourceGroup \
        --name myStandardPublicIP

Under ddosSettings, Verify protectionMode as Enabled.

Clean up resources

You can keep your resources for the next guide. If no longer needed, delete the MyResourceGroup resource group. When you delete the resource group, you also delete all its related resources.

When deleting the resource group, use az group delete:

    az group delete \
        --name MyResourceGroup 

Next steps

In this quickstart, you created:

  • A resource group
  • A public IP address
  • Enabled DDoS IP Protection using Azure CLI.

To learn how to configure telemetry for DDoS Protection, continue to the how-to guides.