Enable DDoS Standard Protection for Virtual Networks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-012

Ensure that the DDoS Protection Standard feature is enabled for all your security-critical Microsoft Azure virtual networks (VNETs). DDoS Protection Standard is a premium, paid cloud feature that offers enhanced Distributed Denial-of-Service (DDoS) mitigation capabilities, via adaptive tuning, attack alert notifications and telemetry, to protect all the resources within your Azure virtual networks against the impact of large DDoS attacks.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted web server, service or network by overwhelming the target or its infrastructure with a flood of HTTP traffic. DDoS attacks achieve effectiveness by using multiple compromised virtual machines (VMs) or networks as the sources of traffic. DDoS Protection Standard lets you protect your Azure cloud resources from DDoS attacks with always-on monitoring and automatic network attack mitigation.

Audit

To determine if DDoS standard protection is enabled for your Azure virtual networks (VNETs), perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Virtual network to list only the virtual networks (VNETs) available in the selected Azure subscription.

05 Click on the name of the virtual network that you want to examine.

06 In the navigation panel, under Settings, select DDoS protection to access the DDoS protection configuration available for the selected VNET.

07 On the DDoS protection page, check the DDoS Protection Standard configuration setting status. If the setting status is set to Disabled, the selected Microsoft Azure virtual network is not configured with DDoS protection.

08 Repeat steps no. 5 – 7 for each virtual network (VNET) available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the network vnet list command (Windows/macOS/Linux) using custom query filters to list the names of all virtual networks (and the names of their associated resource groups) available in the selected Azure subscription:

az network vnet list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return a table with requested identifiers:

Name              ResourceGroup
----------------  ------------------------------
cc-project5-vnet  cloud-shell-storage-westeurope
cc-frontend-vnet  cloud-shell-storage-westeurope

05 Run the network vnet show command (Windows/macOS/Linux) using the name of the Azure virtual network (VNET) that you want to examine and its associated resource group as identifier parameters, to describe the DDoS Protection Standard configuration status of the selected Azure VNET:

az network vnet show \
	--name cc-project5-vnet \
	--resource-group cloud-shell-storage-westeurope \
	--query 'enableDdosProtection'

06 The command output should return the requested configuration status (true for enabled, false for disabled):

false

If the network vnet show command output returns false, as shown in the example above, the DDoS Protection Standard security feature is not enabled for the selected Microsoft Azure virtual network.

07 Repeat steps no. 5 and 6 for each virtual network (VNET) created within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.
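The CLI audit above (steps 1 to 8) can be automated across every subscription. The following script is an added example, not part of the Conformity page or the Azure CLI itself; it assumes a logged-in Azure CLI with read access to the subscriptions, and the VNET names and subscription IDs used in the offline check are constructed sample values. Its output is exactly the list of VNETs that the Remediation section's network vnet update command needs to be run against.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): automate the Audit
# procedure across every subscription and report each VNET whose
# enableDdosProtection flag is not true. Assumes "az login" has been done
# with read access to the subscriptions being examined.

# classify_vnets reads TSV lines "<subscription>\t<resourceGroup>\t<name>\t<ddos>"
# on stdin and prints only the unprotected VNETs (ddos != true). A missing or
# null value is treated as unprotected, because the feature is then not enabled.
classify_vnets() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r sub rg name ddos; do
    case "$ddos" in
      true|True) ;;                                     # protected: skip
      *) printf '%s\t%s\t%s\n' "$sub" "$rg" "$name" ;;  # report
    esac
  done
}

# count_unprotected returns the number of unprotected VNETs found in the
# TSV on stdin (handy for a non-zero exit code in a pipeline check).
count_unprotected() {
  classify_vnets | wc -l | tr -d ' '
}

# audit_all_subscriptions performs the CLI audit steps: list subscription
# IDs, list VNETs per subscription with their DDoS flag, then classify them.
# to_string() normalises the boolean so TSV output is always true/false/null.
audit_all_subscriptions() {
  az account list --query '[*].id' --output tsv |
  while read -r sub; do
    az network vnet list --subscription "$sub" --output tsv \
      --query '[*].[resourceGroup, name, to_string(enableDdosProtection)]' |
    awk -v s="$sub" 'BEGIN { OFS = "\t" } { print s, $0 }'
  done | classify_vnets
}

# Run the live audit only when invoked with --run, so the functions above
# can be sourced and exercised offline without the Azure CLI.
if [ "${1:-}" = "--run" ]; then
  audit_all_subscriptions
fi
```

Run it as `sh audit-ddos.sh --run`; each printed line is a subscription ID, resource group and VNET name still lacking DDoS Protection Standard.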

Remediation / Resolution

To enable Distributed Denial-of-Service (DDoS) standard protection for your existing Azure virtual networks (VNETs), perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Virtual network to list only the Azure virtual networks created in the selected Azure subscription.

05 Click on the name of the virtual network (VNET) that you want to reconfigure.

06 In the navigation panel, under Settings, select DDoS protection to access the DDoS protection configuration settings available for the selected VNET.

07 On the DDoS protection page, perform the following:

  1. Under DDoS Protection Standard, select Enable to enable the DDoS Protection Standard feature for the selected Microsoft Azure virtual network.
  2. In the DDoS protection plan section, click on Create a DDoS protection plan link to set up the required DDoS protection plan.
  3. On the Create a DDoS protection plan page, provide a name for your DDoS protection plan and make sure that the appropriate location and resource group are selected. Click Create to create your new DDoS protection plan. IMPORTANT: By clicking Create, you agree that you are aware of the cost and pricing structure of an Azure DDoS protection plan and are willing to accept the charges.
  4. Navigate back to the DDoS protection page, select the newly created DDoS plan from the DDoS protection plan dropdown list, then click Save to apply the changes. The selected Azure virtual network (VNET) is now protected against advanced Distributed Denial-of-Service (DDoS) attacks.

08 Repeat steps no. 5 – 7 for each mission-critical virtual network available in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the network ddos-protection create command (Windows/macOS/Linux) to create the DDoS protection plan required for enabling the DDoS Protection Standard feature for the virtual networks within the specified subscription:

az network ddos-protection create \
	--name cc-ddos-standard-plan \
	--location westeurope \
	--resource-group cloud-shell-storage-westeurope \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--query 'name'

02 The command output should return the name of the new DDoS protection plan:

"cc-ddos-standard-plan"

03 Run the network vnet update command (Windows/macOS/Linux) using the name of the newly created DDoS protection plan as the value of the --ddos-protection-plan parameter to enable the Azure DDoS Protection Standard feature for the selected virtual network. By submitting the command, you agree that you are aware of the cost and pricing structure of an Azure DDoS protection plan and are willing to accept the charges:

az network vnet update \
	--name cc-project5-vnet \
	--resource-group cloud-shell-storage-westeurope \
	--ddos-protection true \
	--ddos-protection-plan cc-ddos-standard-plan \
	--query 'enableDdosProtection'

04 The command output should return the security feature configuration status:

true

05 Repeat steps no. 3 and 4 for each security-critical virtual network deployed in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Publication date Jul 20, 2020