title | description | author | ms.author | ms.service | ms.topic | ms.date | ms.custom |
---|---|---|---|---|---|---|---|
Configure Azure DDoS Protection Plan using Azure Firewall Manager | Learn how to use Azure Firewall Manager to configure Azure DDoS Protection Plan Standard | vhorne | victorh | firewall-manager | how-to | 09/30/2021 | template-how-to |
Azure Firewall Manager is a platform to manage and protect your network resources at scale. You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager.
Important
Using Azure Firewall Manager to configure an Azure DDoS Protection Plan is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Tip
DDoS Protection Standard currently does not support virtual WANs. However, you can work around this limitation by force tunneling Internet traffic to an Azure Firewall in a virtual network that has a DDoS Protection Plan associated with it.
Under a single tenant, DDoS protection plans can be applied to virtual networks across multiple subscriptions. For more information about DDoS protection plans, see Azure DDoS Protection Standard overview.
To see how this works, you'll create a firewall policy and then a virtual network secured with an Azure Firewall. Then you'll create a DDoS Protection Plan and associate it with the virtual network.
Use Firewall Manager to create a firewall policy.
- From the Azure portal, open Firewall Manager.
- Select Azure Firewall Policies.
- Select Create Azure Firewall Policy.
- For Resource group, select DDoS-Test-rg.
- Under Policy details, Name, type fw-pol-01.
- For Region, select West US 2.
- Select Review + create.
- Select Create.
Use Firewall Manager to create a secured virtual network.
- Open Firewall Manager.
- Select Virtual Networks.
- Select Create new Secured Virtual Network.
- For Resource group, select DDoS-Test-rg.
- For Region, select West US 2.
- For Hub Virtual Network Name, type Hub-vnet-01.
- For Address range, type 10.0.0.0/16.
- Select Next : Azure Firewall.
- For Public IP address, select Add new, type fw-pip for the name, and select OK.
- For Firewall subnet address space, type 10.0.0.0/24.
- Select fw-pol-01 for the Firewall Policy.
- Select Next : Review + create.
- Select Create.
Create a DDoS Protection Plan using Firewall Manager. You can use the DDoS Protection Plans page to create and manage your Azure DDoS Protection Plans.
:::image type="content" source="media/configure-ddos/firewall-ddos.png" alt-text="Screenshot of the Firewall Manager DDoS Protection Plans page":::
- Open Firewall Manager.
- Select DDoS Protection Plans.
- Select Create.
- For Resource group, select Create new.
- Type DDoS-Test-rg for the resource group name.
- Under Instance details, Name, type DDoS-plan-01.
- For Region, select (US) West US 2.
- Select Review + create.
- Select Create.
Now you can associate the DDoS Protection Plan with the secured virtual network.
- Open Firewall Manager.
- Select Virtual Networks.
- Select the check box for Hub-vnet-01.
- Select Manage Security, Add DDoS Protection Plan.
- For DDoS protection standard, select Enable.
- For DDoS protection plan, select DDoS-plan-01.
- Select Add.
- After the deployment completes, select Refresh.
You should now see that the virtual network has an associated DDoS Protection Plan.
:::image type="content" source="media/configure-ddos/ddos-protection.png" alt-text="Screenshot showing virtual network with DDoS Protection Plan":::
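The association can also be checked outside the portal. The following is an added example, not part of the original article: it audits virtual network records shaped like `az network vnet list -o json` output and reports which networks lack the expected plan. The spoke network names, `Other-plan-99`, and the all-zero subscription ID are constructed placeholders.

```python
import json
import sys

# Constructed sample shaped like `az network vnet list -o json` output.
# Hub-vnet-01 and DDoS-plan-01 come from the walkthrough; the spoke networks,
# Other-plan-99 and the all-zero subscription ID are placeholders.
_PLAN = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "DDoS-Test-rg/providers/Microsoft.Network/ddosProtectionPlans/")
SAMPLE_VNETS = [
    {"name": "Hub-vnet-01", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": _PLAN + "DDoS-plan-01"}},
    {"name": "Spoke-vnet-01", "enableDdosProtection": False,
     "ddosProtectionPlan": None},
    {"name": "Spoke-vnet-02", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": _PLAN + "Other-plan-99"}},
    # Azure resource IDs are case-insensitive, so this one still matches.
    {"name": "Spoke-vnet-03", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": (_PLAN + "DDoS-plan-01").lower()}},
]


def ddos_status(vnet, expected_plan):
    """Classify one virtual network record against the expected plan name."""
    if not vnet.get("enableDdosProtection"):
        return "unprotected"
    plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id") or ""
    parts = plan_id.strip("/").split("/")
    if len(parts) < 2 or parts[-2].lower() != "ddosprotectionplans":
        return "no-plan"
    if parts[-1].lower() != expected_plan.lower():
        return "unexpected-plan"
    return "protected"


def audit(vnets, expected_plan):
    """Map each virtual network name to its DDoS protection status."""
    return {v["name"]: ddos_status(v, expected_plan) for v in vnets}


if __name__ == "__main__":
    # Optional argument: path to a saved `az network vnet list -o json` file.
    vnets = SAMPLE_VNETS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            vnets = json.load(fh)
    for name, status in audit(vnets, "DDoS-plan-01").items():
        print(f"{name}: {status}")
```

Because plans can cover virtual networks in multiple subscriptions, run the export once per subscription and feed each file to the script.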
To learn more about DDoS Protection Plans, see: