Edit

Tutorial: View and configure Azure DDoS protection telemetry

  • Article

Azure DDoS Protection provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with Microsoft Sentinel, Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.

In this tutorial, you'll learn how to:

  • View Azure DDoS Protection telemetry
  • View Azure DDoS Protection mitigation policies
  • Validate and test Azure DDoS Protection telemetry

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.
  • Before you can complete the steps in this tutorial, you must first create a DDoS simulation attack to generate the telemetry. Telemetry data is recorded during an attack. For more information, see Test DDoS Protection through simulation.

View Azure DDoS Protection telemetry

Telemetry for an attack is provided through Azure Monitor in real time. While mitigation triggers for TCP SYN, TCP & UDP are available during peace-time, other telemetry is available only when a public IP address has been under mitigation.

You can view DDoS telemetry for a protected public IP address through three different resource types: DDoS protection plan, virtual network, and public IP address.

For more information on metrics, see Monitoring Azure DDoS Protection for details on DDoS Protection monitoring logs.

View metrics from DDoS protection plan

  1. Sign in to the Azure portal and select your DDoS protection plan.
  2. On the Azure portal menu, select or search for and select DDoS protection plans then select your DDoS protection plan.
  3. Under Monitoring, select Metrics.
  4. Select Add metric then select Scope.
  5. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.
  6. Select Public IP Address for Resource type then select the specific public IP address you want to log metrics for, and then select Apply.
  7. For Metric select Under DDoS attack or not.
  8. Select the Aggregation type as Max.

Screenshot of creating DDoS protection metrics menu.

View metrics from virtual network

  1. Sign in to the Azure portal and browse to your virtual network that has DDoS protection enabled.
  2. Under Monitoring, select Metrics.
  3. Select Add metric then select Scope.
  4. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.
  5. Select Public IP Address for Resource type then select the specific public IP address you want to log metrics for, and then select Apply.
  6. Under Metric select your chosen metric then under Aggregation select type as Max.

Note

To filter IP Addresses select Add filter. Under Property, select Protected IP Address, and the operator should be set to =. Under Values, you will see a dropdown of public IP addresses, associated with the virtual network, that are protected by Azure DDoS Protection.

Screenshot of DDoS diagnostic settings.

View metrics from Public IP address

  1. Sign in to the Azure portal and browse to your public IP address.
  2. On the Azure portal menu, select or search for and select Public IP addresses then select your public IP address.
  3. Under Monitoring, select Metrics.
  4. Select Add metric then select Scope.
  5. In the Select a scope menu, select the Subscription that contains the public IP address you want to log.
  6. Select Public IP Address for Resource type then select the specific public IP address you want to log metrics for, and then select Apply.
  7. Under Metric select your chosen metric then under Aggregation select type as Max.

Note

When changing DDoS IP protection from enabled to disabled, telemetry for the public IP resource will not be available.

View DDoS mitigation policies

Azure DDoS Protection applies three auto-tuned mitigation policies (TCP SYN, TCP & UDP) for each public IP address of the protected resource, in the virtual network that has DDoS protection enabled. You can view the policy thresholds by selecting the Inbound TCP packets to trigger DDoS mitigation and Inbound UDP packets to trigger DDoS mitigation metrics with aggregation type as 'Max', as shown in the following picture:

Screenshot of viewing mitigation policies.

Validate and test

To simulate a DDoS attack to validate DDoS protection telemetry, see Validate DDoS detection.

Next steps

In this tutorial, you learned how to:

  • Configure alerts for DDoS protection metrics
  • View DDoS protection telemetry
  • View DDoS mitigation policies
  • Validate and test DDoS protection telemetry

To learn how to configure attack mitigation reports and flow logs, continue to the next tutorial.

View and configure DDoS diagnostic logging