Manage DDoS Protection Plans: permissions and restrictions
A DDoS protection plan works across regions and subscriptions. The same plan can be linked to virtual networks from other subscriptions in different regions, across your tenant. The subscription the plan is associated with incurs the monthly recurring bill for the plan, as well as overage charges if the number of protected public IP addresses exceeds 100. For more information on DDoS pricing, see pricing details.
- Before you can complete the steps in this tutorial, you must first create an Azure DDoS Protection plan.
| Action | Description |
|---|---|
| Microsoft.Network/ddosProtectionPlans/read | Read a DDoS protection plan |
| Microsoft.Network/ddosProtectionPlans/write | Create or update a DDoS protection plan |
| Microsoft.Network/ddosProtectionPlans/delete | Delete a DDoS protection plan |
| Microsoft.Network/ddosProtectionPlans/join/action | Join a DDoS protection plan |
To enable DDoS protection for a virtual network, your account must also be assigned the appropriate actions for virtual networks.
Once a DDoS Protection Plan has been enabled on a Virtual Network, subsequent operations on that Virtual Network still require the Microsoft.Network/ddosProtectionPlans/join/action permission.
Creation of more than one plan is not required for most organizations. A plan cannot be moved between subscriptions. If you want to change the subscription a plan is in, you have to delete the existing plan and create a new one.
If you have several subscriptions and want to ensure that a single plan is deployed across your tenant for cost control, you can use Azure Policy to restrict creation of Azure DDoS Protection plans. Such a policy blocks the creation of any DDoS plan unless the subscription has been previously marked as an exception. It also lists every subscription that has a DDoS plan deployed but should not, marking them as out of compliance.
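A policy definition of the kind described above, added here as an illustration rather than a policy shipped with the service. The display name, the `allowedSubscriptions` parameter and its example default value are assumptions; assign the definition at management group or tenant root scope so that it covers every subscription, and list the subscriptions that are allowed to hold the single plan in the parameter. Because the rule evaluates existing resources as well, any plan already deployed in a subscription that is not in the list shows up as non-compliant.

```json
{
  "properties": {
    "displayName": "Restrict DDoS protection plan creation to approved subscriptions",
    "policyType": "Custom",
    "mode": "All",
    "description": "Denies Microsoft.Network/ddosProtectionPlans in any subscription not listed as an exception; existing plans elsewhere are reported as non-compliant.",
    "parameters": {
      "allowedSubscriptions": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed subscription IDs",
          "description": "Subscriptions permitted to contain a DDoS protection plan (constructed placeholder value below)."
        },
        "defaultValue": [
          "00000000-0000-0000-0000-000000000000"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit first to see which subscriptions would be affected, then switch to Deny."
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/ddosProtectionPlans"
          },
          {
            "value": "[subscription().subscriptionId]",
            "notIn": "[parameters('allowedSubscriptions')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The Deny effect only stops new plans; it never removes an existing one, so the compliance report is the signal for cleaning up extra plans by hand.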