The way Anupam is elaborating about DDoS protection is amazing, super cool.
Thanks for this. Very informative. Was interesting to hear Anupam reiterate that DDoS Standard can protect anything within a VNET with a public IP address. What about App Services not within a VNET? Is there a service that we can use to mitigate against DDoS attacks on PaaS services not within a VNET?
Did you get an answer for this question from Microsoft, Haripraghash, please? If yes, please share it with me. Thanks
Ragulan Sivabalakrishnan, no, I did not get a reply for that. Based on what I have researched, the best bet is to add a WAF in front to at least mitigate L7 attacks. However, it won’t entirely eliminate DDoS, as DDoS can be done in a variety of ways on L4.
All PaaS services have basic DDoS enabled by default.
docs.microsoft.com/en-us/azure/app-service/overview-security
Good information. When you say "notification send to Azure security Center and through Azure monitor", do you mean after the attack has been mitigated by Microsoft, the affected customer receives notifications via Azure Security Center and Azure Monitor?
How does WAF/WAG integrate with Azure FW in this scenario?
Provided as a complimentary service among others like Azure Firewall and DDoS Std, WAF is needed to protect against L7 attacks on web applications, viz. SQL injection, XSS scripting etc. Firewall can allow organizations to control the flow of traffic inbound/outbound from the hub VNET, while DDoS Std protects the public IPs of both WAF, Firewall and other services in the hub VNET from DDoS attacks. Network security requires a holistic approach, defense in depth, zero trust, where if one layer/control is breached, other layers/controls are available to provide protection.
Thanks so much
Thanks
Mhhh 2944$/month for an anti ddos attack seems very cheap :')