Quickstart: Create and configure Azure DDoS IP Protection using ARM template

This quickstart describes how to use an Azure Resource Manager template (ARM template) to create an IP address, then enable distributed denial of service (DDoS) IP Protection. Azure DDoS IP Protection is a pay-per-protected IP model that contains the same core engineering features as DDoS Network Protection.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Button to deploy the Resource Manager template to Azure.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

Review the template

This template creates a single Standard SKU public IP with DDoS IP Protection enabled. The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.11.1.770",
      "templateHash": "6149835408625045037"
    }
  },
  "parameters": {
    "publicIpName": {
      "type": "string",
      "defaultValue": "publicIp",
      "metadata": {
        "description": "Name of the Public IP Address resource"
      }
    },
    "sku": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Basic",
        "Standard"
      ],
      "metadata": {
        "description": "SKU of the Public IP Address"
      }
    },
    "publicIPAllocationMethod": {
      "type": "string",
      "defaultValue": "Static",
      "allowedValues": [
        "Dynamic",
        "Static"
      ],
      "metadata": {
        "description": "The Allocation Method used for the Public IP Address"
      }
    },
    "tier": {
      "type": "string",
      "defaultValue": "Regional",
      "allowedValues": [
        "Regional",
        "Global"
      ],
      "metadata": {
        "description": "SKU Tier of the Public IP Address"
      }
    },
    "ddosProtectionMode": {
      "type": "string",
      "defaultValue": "Enabled",
      "allowedValues": [
        "VirtualNetworkInherited",
        "Enabled",
        "Disabled"
      ],
      "metadata": {
        "description": "DDoS Protection Mode of the Public IP Address, use Enabled for DDoS IP Protection"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specify a location for the resources."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-05-01",
      "name": "[parameters('publicIpName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('sku')]",
        "tier": "[parameters('tier')]"
      },
      "properties": {
        "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
        "ddosSettings": {
          "protectionMode": "[parameters('ddosProtectionMode')]"
        }
      }
    }
  ]
}

The template defines one resource:

Deploy the template

In this example, the template creates a new resource group, a DDoS protection plan, and a VNet.

  1. To sign in to Azure and open the template, select the Deploy to Azure button.

    Button to deploy the Resource Manager template to Azure.

  2. Enter the values to create a new resource group, Public IP address, and enable DDoS IP Protection.

    Screenshot of DDoS IP Protection ARM quickstart template.

    • Subscription: Name of the Azure subscription where the resources will be deployed.
    • Resource group: Select an existing resource group. In this example, we'll create a new Resource group. Select Create new, enter MyResourceGroup, then select OK.
    • Region: The region where the resource group is deployed. In this example, we'll select East US.
    • Public Ip Name: The name of the new Public IP Address. In this example, we'll enter myStandardPublicIP
    • Sku: SKU of the Public IP Address. In this example, we'll select Standard.
    • Public IP Allocation Method: The Allocation Method used for the Public IP Address. In this example, we'll select Static.
    • Tier: SKU Tier of the Public IP Address. In this example, we'll select Regional.
    • Ddos Protection Mode: DDoS Protection Mode of the Public IP Address. In this example, we'll select Enabled.
    • Location: Specify a location for the resources. In this example, we'll leave as default.
  3. Select Review + create.

  4. Verify that template validation passed and select Create to begin the deployment.

Note

DDoS IP Protection is enabled only on Public IP Standard SKU.

Review deployed resources

To copy the Azure CLI or Azure PowerShell command, select the Copy button. The Try it button opens Azure Cloud Shell to run the command.

#Gets the public IP address
$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup 

#Checks and returns the status of the public IP address
 $publicIp


The output shows the new resource and protectionModeDDoS shows IP Protection is Enabled.

Name                     : myStandardPublicIP
ResourceGroupName        : MyResourceGroup
Location                 : eastus
Id                       : /subscriptions/abcdefgh-1111-2222-bbbb-987654321098/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publicIPAddresses/myStandardPublicIP
Etag                     : W/"abcdefgh-1111-2222-bbbb-987654321098"
ResourceGuid             : abcdefgh-1111-2222-bbbb-987654321098
ProvisioningState        : Succeeded
Tags                     : 
PublicIpAllocationMethod : Static
IpAddress                : 20.168.244.236
PublicIpAddressVersion   : IPv4
IdleTimeoutInMinutes     : 4
IpConfiguration          : null
DnsSettings              : null
DdosSettings             : {"ProtectionMode": "Enabled"}
Zones                    : {}
Sku                      : {"Name": "Standard","Tier": "Regional"}
IpTags                   : []
ExtendedLocation         : null

Clean up resources

When you're finished, you can delete the resources. The command deletes the resource group and all the resources it contains.

Remove-AzResourceGroup -Name 'MyResourceGroup'

Next steps

To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.