Testing Azure DDoS Protection Basic
- Posted by rayphoon
- Posted on October 24, 2019
- Azure, Microsoft
Azure DDoS Protection Basic is provided for free for each IPv4 and IPv6 Public IP Address that is purchased. However, unlike the DDoS Standard product, no alerting or metrics are provided, and the same goes for DDoS mitigation reports.
As a free product, DDoS protection provides excellent value, especially since these types of services are normally very costly to implement in your own data center.
So how do you know how effective it is, or whether it works at all?
According to Microsoft’s documentation for the product at https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview, Microsoft has partnered with BreakingPoint Cloud, where you can simulate DDoS attacks. After creating a free trial account on BreakingPoint Cloud, you are provided with 5Gb of traffic for DDoS simulations.
There are multiple options to select from for the DDoS attack profile.

There are also multiple test sizes that can be selected. However, due to the trial account only providing 5Gb, you would be limited to selecting the smallest packet size.

Similarly, with the test duration, there are multiple durations, but due to the 5Gb limitation, you would only be able to select 10 minutes.

Prior to starting the test, you would need to verify your Azure subscription by providing the Azure Subscription ID and then logging into your Azure tenancy to prove that you own the resource.
Enter the public IP and port number, and you are ready to begin the test.

I looked at Azure Monitor’s network utilization for the VM being tested and could see a spike in network utilization during the test, which would be expected.

However, the network spike only lasted 3 minutes, whereas the DDoS test was running for 10 minutes, which leads to the conclusion that Azure detected and mitigated the simulated DDoS attack after 3 minutes of it happening.
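Since Basic exposes no mitigation metrics, the comparison above (spike length versus test length) can be computed from the VM's exported per-minute inbound byte counts. This is an added example, not part of the original post; the function names, the 5x baseline factor and the sample values are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

MINUTE = timedelta(minutes=1)

def spike_window(samples, test_start, test_end, factor=5.0):
    """Measure how long inbound traffic stayed elevated during a test window.

    samples: (timestamp, bytes_in) pairs at one-minute granularity.
    factor:  multiple of the pre-test median that counts as elevated (assumed).
    """
    pre_test = [v for t, v in samples if t < test_start]
    if not pre_test:
        raise ValueError("need pre-test samples to establish a baseline")
    threshold = max(median(pre_test), 1) * factor
    elevated = sorted(t for t, v in samples
                      if test_start <= t < test_end and v > threshold)
    if not elevated:
        return None  # traffic never rose above baseline at the VM
    # Follow only the first contiguous run of elevated minutes.
    end = elevated[0]
    for t in elevated[1:]:
        if t - end != MINUTE:
            break
        end = t
    spike_end = end + MINUTE
    return {
        "spike_start": elevated[0],
        "spike_minutes": int((spike_end - elevated[0]) / MINUTE),
        "test_minutes": int((test_end - test_start) / MINUTE),
        "dropped_before_test_end": spike_end < test_end,
    }

def constructed_samples(start, spike_minutes, test_minutes=10):
    """Constructed data: 5 quiet minutes, a test window, 5 quiet minutes."""
    quiet, flood = 2_000_000, 600_000_000  # bytes per minute, made up
    values = ([quiet] * 5 + [flood] * spike_minutes
              + [quiet] * (test_minutes - spike_minutes) + [quiet] * 5)
    return [(start + i * MINUTE, v) for i, v in enumerate(values)]

if __name__ == "__main__":
    t0 = datetime(2019, 1, 1, 10, 0)  # constructed timestamp
    test_start, test_end = t0 + 5 * MINUTE, t0 + 15 * MINUTE
    print(spike_window(constructed_samples(t0, 3), test_start, test_end))
```

A traffic drop before the test ends is consistent with mitigation upstream of the VM, but with Basic there is no mitigation telemetry to confirm it.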

If DDoS Protection Standard had been purchased, we would be able to see the DDoS metrics appear in Azure Monitor’s Public IP Address metrics. Since this is only the Basic version, there is no information provided.

In summary, DDoS Protection Basic works and is basically a set-and-forget product. However, as the documentation suggests, the SLA is based on the Azure Region with best effort support.
If you require MS Support and an SLA on your application, as well as metrics, alerts and reports, DDoS Protection Standard would be highly recommended.
