QuickStart: Create and configure Azure DDoS Network Protection using Bicep
This QuickStart describes how to use Bicep to create a distributed denial of service (DDoS) protection plan and virtual network (VNet), then enable the protection plan for the VNet. An Azure DDoS Network Protection plan defines a set of virtual networks that have DDoS protection enabled across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Review the Bicep file
The Bicep file used in this quickstart is from Azure Quickstart Templates.
@description('Specify a DDoS protection plan name.')
param ddosProtectionPlanName string
@description('Specify a DDoS virtual network name.')
param virtualNetworkName string
@description('Specify a location for the resources.')
param location string = resourceGroup().location
@description('Specify the virtual network address prefix')
param vnetAddressPrefix string = '172.17.0.0/16'
@description('Specify the virtual network subnet prefix')
param subnetPrefix string = '172.17.0.0/24'
@description('Enable DDoS protection plan.')
param ddosProtectionPlanEnabled bool = true
resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-05-01' = {
name: ddosProtectionPlanName
location: location
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
name: virtualNetworkName
location: location
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: 'default'
properties: {
addressPrefix: subnetPrefix
}
}
]
enableDdosProtection: ddosProtectionPlanEnabled
ddosProtectionPlan: {
id: ddosProtectionPlan.id
}
}
}
The Bicep file defines two resources:
Deploy the Bicep file
In this example, the Bicep file creates a new resource group, a DDoS protection plan, and a VNet.
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.
az group create --name exampleRG --location eastus az deployment group create --resource-group exampleRG --template-file main.bicep --parameters ddosProtectionPlanName=<plan-name> virtualNetworkName=<network-name>
Note
Replace <plan-name> with a DDoS protection plan name. Replace <network-name> with a DDoS virtual network name.
When the deployment finishes, you should see a message indicating the deployment succeeded.
Review deployed resources
Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.
az resource list --resource-group exampleRG
Clean up resources
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.
az group delete --name exampleRG
Next steps
To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.