Protect your public load balancer with Azure DDoS Protection

Azure DDoS Protection provides advanced mitigation features like adaptive tuning, attack alert notifications, and monitoring to safeguard public load balancers against large-scale DDoS attacks. In this tutorial, you will learn how to:

  • Set up a DDoS Protection plan.
  • Build a virtual network with DDoS Protection and the Bastion service enabled.
  • Configure a Standard SKU public load balancer, including frontend IP, health probes, backend pool, and load-balancing rules.
  • Deploy a NAT gateway to enable outbound internet access for the backend pool.
  • Create virtual machines, install IIS, and configure them to demonstrate port forwarding and load-balancing functionality.

Create a DDoS Protection Plan

  1. Sign in to the Azure portal.
  2. Use the search bar at the top of the portal to search for DDoS Protection. From the search results, select DDoS protection plans, then click + Create.
  3. On the Basics tab of the Create a DDoS protection plan page, provide the necessary information as prompted.
  4. Click Review + Create, and then select Create to deploy the DDoS protection plan.


Create the Virtual Network

You'll set up a virtual network, a subnet, and an Azure Bastion host, and associate the virtual network with a DDoS Protection plan. The virtual network and subnet will host the load balancer and virtual machines. The Bastion host will securely manage the virtual machines and allow the installation of IIS to test the load balancer. The DDoS Protection plan will protect all public IP resources within the virtual network.

  • Search for Virtual Network: In the Azure portal search bar, type Virtual Network and select Virtual Networks from the search results.
  • Create a Virtual Network: In the Virtual Networks page, click + Create. On the Create Virtual Network page, enter or select the required information on the Basics tab.
  • Configure IP Addresses: Navigate to the IP Addresses tab or click Next: IP Addresses at the bottom of the page. Under Subnet name, click default. If no subnet exists, select + Add subnet.
  • Edit Subnet: In the Edit subnet pane, provide the required details, then click Save or Add to confirm.
  • Enable Security Features: Go to the Security tab. Under BastionHost, select Enable and provide the required details. Under DDoS Network Protection, select Enable and choose myDDoSProtectionPlan from the drop-down menu.
  • Review and Create: Navigate to the Review + Create tab or click the Review + Create button. Click Create to deploy the virtual network.
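As an added example that is not part of the original article, the following Az PowerShell script performs the two sections above non-interactively: it creates the DDoS Protection plan, then a virtual network with DDoS Network Protection linked to that plan and a Bastion host. The region, address ranges and the Bastion public IP name are assumptions; resource names follow the article.

```powershell
# Added example (not from the original article). Assumes the Az module is installed
# and Connect-AzAccount has been run. Region, address ranges and the Bastion public
# IP name are assumptions; resource names follow the article.
$rg  = 'myResourceGroup'
$loc = 'eastus'
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# DDoS Protection plan: one plan can be associated with many virtual networks.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name 'myDDoSProtectionPlan' -Location $loc

# Subnets: the backend subnet hosts the load balancer and VMs; Bastion requires a
# subnet named exactly AzureBastionSubnet with at least a /26.
$backend = New-AzVirtualNetworkSubnetConfig -Name 'myBackendSubnet' -AddressPrefix '10.1.0.0/24'
$bastion = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.1.1.0/26'

# Virtual network with DDoS Network Protection enabled and linked to the plan.
# Public IPs attached to resources in this VNet are then covered by the plan's
# auto-tuned Layer 3/4 mitigation policies.
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVNet' -Location $loc `
    -AddressPrefix '10.1.0.0/16' -Subnet $backend, $bastion `
    -EnableDdosProtection -DdosProtectionPlanId $plan.Id

# Bastion host so the VMs can be managed without exposing RDP to the internet.
$bastionIp = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'myBastionIP' -Location $loc `
    -Sku Standard -AllocationMethod Static
New-AzBastion -ResourceGroupName $rg -Name 'myBastion' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $bastionIp.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name -Sku Standard | Out-Null

# Verify the plan association before building the load balancer on top of it.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVNet'
if (-not $vnet.EnableDdosProtection -or $vnet.DdosProtectionPlan.Id -ne $plan.Id) {
    throw 'myVNet is not protected by myDDoSProtectionPlan'
}
"myVNet is protected by plan $($vnet.DdosProtectionPlan.Id)"
```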

Create a Zone-Redundant Load Balancer

You'll set up a zone-redundant load balancer to distribute traffic across virtual machines. Zone redundancy ensures that the load balancer remains operational even if one or more availability zones in the region fail, as long as at least one zone is healthy.

During the setup, you will configure the following:

  • Frontend IP address
  • Backend pool
  • Inbound load-balancing rules
  • Health probe

Steps to Create the Load Balancer

  • Search for Load Balancer: In the Azure portal search bar, type Load balancer and select Load balancers from the search results.
  • Initiate Creation: On the Load balancer page, click + Create. In the Basics tab of the Create load balancer page, enter or select the required details.
  • Configure Frontend IP: At the bottom of the page, select Next: Frontend IP configuration. In the Frontend IP configuration tab, click + Add a Frontend IP configuration and set the following:
      • Name: Enter myFrontend.
      • IP Version: Select IPv4.
      • IP Type: Choose IP address.
      • Public IP Address: Select Create New and name it myPublicIP.
      • Availability Zone: Choose Zone-redundant.
      • Routing preference: Leave as Microsoft Network.
    Click OK, then Add.
  • Set Up Backend Pool: Click Next: Backend pools at the bottom of the page. In the Backend Pools tab, click + Add a Backend Pool. In the Add backend pool pane:
      • Name: Enter myBackendPool.
      • Virtual Network: Select myVNet.
      • Backend Pool Configuration: Choose IP Address.
    Click Save.
  • Define Inbound Rules: Select Next: Inbound rules. In the Inbound rules tab, click + Add a load balancing rule. Provide the necessary details in the Add load balancing rule pane and click Add.
  • Review and Deploy: Click the Review + Create button at the bottom of the page. After validation, select Create to deploy the load balancer.

Create a NAT Gateway

In this section, you'll set up a NAT gateway to provide outbound internet access for resources in your virtual network. For additional options regarding outbound rules, refer to Network Address Translation (SNAT) for outbound connections.

Steps to Create a NAT Gateway

  • Search for NAT Gateway: In the Azure portal search bar, type NAT gateway and select NAT gateways from the search results.
  • Start the Creation Process: On the NAT gateways page, click + Create.
  • Configure the Basics: In the Create network address translation (NAT) gateway page, provide the necessary information.
  • Set Outbound IP: Navigate to the Outbound IP tab or click Next: Outbound IP at the bottom of the page. Next to Public IP addresses, select Create a new public IP address. In the Add public IP address pane, enter myNATgatewayIP as the Name and click OK.
  • Specify Subnet Details: Go to the Subnet tab or click Next: Subnet. Under Virtual network, select myVNet. Under Subnet name, choose myBackendSubnet.
  • Review and Deploy: Click the Review + Create button or navigate to the Review + Create tab. After validation, select Create to deploy the NAT gateway.

Create Virtual Machines

In this section, you will create two virtual machines (VMs), myVM1 and myVM2, each deployed in a different availability zone (Zone 1 and Zone 2). These VMs will be added to the backend pool of the load balancer you created earlier.

Steps to Create the Virtual Machines

  • Search for Virtual Machines: In the Azure portal search bar, type Virtual machine and select Virtual machines from the search results.
  • Start VM Creation: On the Virtual Machines page, click + Create > Azure virtual machine.
  • Configure Basics for myVM1: In the Basics tab of the Create a Virtual Machine page, provide or select the required values.
  • Configure Networking: Navigate to the Networking tab directly or proceed through Next: Disks, then Next: Networking. In the Networking tab, configure the necessary settings to ensure the VM is added to the backend pool of your load balancer.
  • Review and Create: Click Review + Create, verify the settings, and then select Create.
  • Repeat for myVM2: Follow the preceding steps to create the second virtual machine (myVM2) with the same settings as myVM1, except place myVM2 in a different availability zone (Zone 2).

Once both VMs are created, they will be ready to function as part of the backend pool for the load balancer.

Install IIS

  • Search for Virtual Machines: In the Azure portal search bar, type Virtual machine and select Virtual machines from the search results.
  • Connect to myVM1: Select myVM1 from the list of virtual machines. On the Overview page, click Connect and choose Bastion. Enter the username and password you created during VM setup. Click Connect to access the server desktop.
  • Open PowerShell: On the server desktop, go to Start > Windows PowerShell > Windows PowerShell.
  • Run Commands to Configure IIS: In the PowerShell window, execute the following commands to install the IIS server, remove the default iisstart.htm file, and create a new iisstart.htm file that displays the name of the VM.

# Install IIS
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Remove the default iisstart.htm
Remove-Item -Path "C:\inetpub\wwwroot\iisstart.htm"

# Create a new iisstart.htm that shows which VM served the request
Add-Content -Path "C:\inetpub\wwwroot\iisstart.htm" -Value "Welcome to myVM1"

  • Close the Bastion session with myVM1.
  • Repeat these steps for myVM2, updating the last command to reflect the name of the second VM.

Test the Load Balancer

  • Locate the Public IP Address: In the Azure portal search bar, type Public IP and select Public IP addresses from the search results. From the list, select myPublicIP.
  • Copy the IP Address: On the myPublicIP details page, copy the value under IP address.
  • Test the Load Balancer: Open a web browser and paste the public IP address into the address bar. The custom VM page from the IIS web server should appear, confirming the load balancer is distributing traffic successfully.

Azure DDoS Protection Features: Always-On Traffic Monitoring

Azure DDoS Protection continuously monitors incoming traffic and compares it against the thresholds defined in the DDoS policy. If the traffic exceeds these thresholds, DDoS mitigation is triggered automatically.

Once the traffic volume drops below the defined thresholds, mitigation is stopped. During the mitigation process, the following checks are performed on the traffic sent to the protected resource:

  • Packet Validation: Ensures that packets conform to Internet standards and are not malformed.
  • Client Interaction: Determines if the traffic may be from a spoofed packet (e.g., using SYN Auth, SYN Cookie, or dropping a packet to force retransmission).
  • Rate Limiting: If no other mitigation method is applicable, packets are rate-limited to control traffic flow.

Adaptive Real-Time Tuning

To address the complexity of attacks, such as multi-vector DDoS attacks, and the unique behaviors of tenant applications, Azure DDoS Protection offers tailored, per-customer protection policies. This is achieved through two key features:

  • Automatic Learning: The service learns the traffic patterns for each customer (per public IP) at Layers 3 and 4.
  • Minimized False Positives: Azure’s large scale enables it to absorb substantial traffic, reducing the likelihood of false positives during mitigation.

Azure DDoS Protection Mitigation Policies

  1. Access DDoS Metrics: In the Azure portal, navigate to Monitor > Metrics. In the Metrics pane, select the resource group, choose Public IP Address as the resource type, and select your Azure public IP address. DDoS metrics will appear in the Available metrics pane.
  2. Mitigation Policies: Azure DDoS Protection applies three auto-tuned mitigation policies—TCP SYN, TCP, and UDP—for each public IP associated with a protected resource in a virtual network with DDoS protection enabled. To view the policy thresholds, select the metric Inbound packets to trigger DDoS mitigation.

Metric for an IP address under a DDoS attack

If the public IP address is under attack, the value for the metric Under DDoS attack or not changes to 1 as DDoS Protection performs mitigation on the attack traffic.

DDoS Network Protection Virtual Machine Architecture

DDoS Network Protection is activated on the virtual network associated with the Azure (internet) load balancer, which has a public IP linked to it.

DDoS IP Protection Virtual Machine Architecture

DDoS IP Protection is enabled on the frontend public IP address of a public load balancer.

DDoS Network Protection Windows N-Tier Architecture

DDoS Network Protection is enabled on the virtual network, providing DDoS protection for all public IPs at Layers 3 and 4. For Layer 7 protection, deploy the Application Gateway with the WAF SKU.

Types of Attacks Mitigated by Azure DDoS Protection

Azure DDoS Protection can mitigate the following types of attacks:

  • Volumetric Attacks: These attacks overwhelm the network layer by flooding it with a large volume of seemingly legitimate traffic. Examples include UDP floods, amplification floods, and spoofed-packet floods. Azure DDoS Protection mitigates these high-volume attacks by leveraging Azure's global network scale to absorb and scrub traffic automatically.
  • Protocol Attacks: These attacks target weaknesses in the Layer 3 and Layer 4 protocol stack, making a target system inaccessible. Common examples are SYN flood attacks, reflection attacks, and other protocol-based attacks. DDoS Protection mitigates these attacks by distinguishing between malicious and legitimate traffic, interacting with the client, and blocking harmful traffic.
  • Resource (Application) Layer Attacks: These attacks focus on disrupting web application traffic, targeting data transmission between hosts. Examples include HTTP protocol violations, SQL injection, cross-site scripting (XSS), and other Layer 7 attacks. To protect against these, Azure recommends using a Web Application Firewall (WAF), such as the Azure Application Gateway WAF, alongside DDoS Protection. Additionally, third-party web application firewall solutions are available in the Azure Marketplace.

Inline DDoS Protection with Gateway Load Balancer and Partner NVAs

DDoS attacks on latency-sensitive workloads, such as gaming, can cause disruptions lasting 2-10 seconds. Gateway Load Balancer protects these workloads by injecting relevant NVAs into the ingress path of internet traffic. Once connected to a Standard Public Load Balancer frontend or virtual machine IP configuration, no additional setup is required to ensure traffic flows to and from the application endpoint through the Gateway Load Balancer.

Inbound traffic is inspected by the NVAs, and clean traffic is routed back to the backend infrastructure (e.g., gaming servers). Traffic flows from the consumer virtual network to the provider virtual network and back, with the option for the networks to be in different subscriptions, tenants, or regions, offering greater flexibility and ease of management.

Enabling Azure DDoS Protection on the VNet of a Standard Public Load Balancer frontend or the virtual machine VNet protects against L3/4 DDoS attacks.

  1. Unfiltered game traffic from the internet is directed to the game servers' public IP Load Balancer.
  2. The traffic is then redirected to the chained Gateway Load Balancer's private IP.
  3. The unfiltered traffic is inspected for DDoS attacks in real time by the partner NVAs.
  4. Cleaned traffic is returned to the game servers for processing.

Azure DDoS Protection on the game servers' Load Balancer safeguards against L3/4 DDoS attacks, with protection policies automatically tuned based on the game server's traffic profile and application scale.

Attack Analytics, Telemetry, Monitoring, and Alerting

Azure DDoS Protection automatically identifies and mitigates DDoS attacks with no user intervention.

If the protected resource is under a subscription with Microsoft Defender for Cloud, DDoS Protection sends an alert to Defender for Cloud whenever an attack is detected and mitigated.

Alternatively, you can configure alerts for active mitigations on a protected public IP by using the "Under DDoS attack or not" metric. Additionally, you can set up alerts for other DDoS metrics and access attack telemetry to analyze attack scale, dropped traffic, attack vectors, top contributors, and more.
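As an added example that is not part of the original article, the following Az PowerShell snippet creates the alert described above on the "Under DDoS attack or not" metric of myPublicIP (exposed to the API as IfUnderDDoSAttack) and then reads back recent mitigation telemetry for the same IP. The resource group name and the pre-existing action group name are assumptions.

```powershell
# Added example (not from the original article). Assumes Az.Network and Az.Monitor
# are installed, Connect-AzAccount has been run, and an action group named
# 'ddos-secops' (assumed name) already exists in the resource group.
$rg  = 'myResourceGroup'
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'myPublicIP'
$ag  = Get-AzActionGroup -ResourceGroupName $rg -Name 'ddos-secops'

# 'Under DDoS attack or not' is the metric IfUnderDDoSAttack (0 or 1 per minute).
# Aggregating with Maximum fires even if only one minute in the window was flagged.
$underAttack = New-AzMetricAlertRuleV2Criteria `
    -MetricName 'IfUnderDDoSAttack' `
    -MetricNamespace 'Microsoft.Network/publicIPAddresses' `
    -TimeAggregation Maximum -Operator GreaterThanOrEqual -Threshold 1

Add-AzMetricAlertRuleV2 -Name 'myPublicIP-under-ddos-attack' -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $underAttack `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 0 `
    -ActionGroupId $ag.Id `
    -Description 'Active DDoS mitigation on myPublicIP; engage DRR if impact persists.' | Out-Null

# Read back the last 30 minutes of telemetry: whether mitigation was active and
# how many inbound packets the platform dropped while mitigating.
$end   = Get-Date
$start = $end.AddMinutes(-30)
$attack  = Get-AzMetric -ResourceId $pip.Id -MetricName 'IfUnderDDoSAttack' `
    -StartTime $start -EndTime $end -TimeGrain 00:01:00 -AggregationType Maximum
$dropped = Get-AzMetric -ResourceId $pip.Id -MetricName 'PacketsDroppedDDoS' `
    -StartTime $start -EndTime $end -TimeGrain 00:01:00 -AggregationType Total

$minutesUnderAttack = ($attack.Data | Where-Object { $_.Maximum -ge 1 }).Count
$packetsDropped     = ($dropped.Data | Measure-Object -Property Total -Sum).Sum
"Minutes flagged under attack (last 30): $minutesUnderAttack"
"Inbound packets dropped by mitigation : $packetsDropped"
```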

Engage DDoS Rapid Response (DRR) During an Active Attack

To engage DRR during an active attack, follow these steps in the Azure portal:

  • When creating a new support request, select Issue Type as Technical.
  • Choose Service as DDoS Protection.
  • Select a resource from the Resource drop-down menu. Ensure you choose a DDoS Plan linked to the virtual network being protected.
  • On the next Problem page, set Severity to A - Critical Impact and Problem Type to Under attack.
  • Fill in additional details and submit the support request.

More articles by Ankit Ranjan (DevOps Engineer)