DDoS question

  • Question

  • Hi, question on DDoS feature. 

    If I have an external MSFT LB with a public IP address and backend internal private IP endpoints, how do I protect the LB using a DDoS profile? From my understanding, DDoS profiles can only be applied to vnets. In which case, external LBs do not belong to a vnet; therefore, they cannot be protected.

    If this assumption proves correct, why then bother with DDoS on the internal vnet if all endpoints only have internal IP addresses?

    Is the option here to switch LB to app gate with WAF?


    Tuesday, November 20, 2018 1:03 PM


  • Azure DDoS Protection comes in 2 parts, Basic and Standard. Azure DDoS Basic is always on for ALL Azure public IP addresses, so your existing public LB will fall under the protection of Azure DDoS Protection Basic.

    Azure DDoS Protection Standard is enabled on your VNET, and protects all resources inside of your VNET. 

    If you are looking for a firewall, you can use an App Gateway with WAF, or an Azure Firewall. You cannot convert your existing Load Balancer into an App Gateway; you will need to delete and recreate.

    If you have any additional questions, please let me know. 

    Tuesday, November 20, 2018 9:54 PM