Can I use Azure DDoS protection with common App Services plans instead of App Services Environment (ASE)?

  • Question

  • I see Azure DDoS protection can be enabled at the VNET level, and I understand that I can configure the integration of an App Services web app with a VNET, but is that enough to place my application under DDoS protection?

    I am under the impression that the VNET integration in App Services is only meant to give the application access to resources that live in a VNET. Is that really the case? Or will such integration also place the application under the DDoS protection that is enabled for the VNET?

    Do I need to have a fully isolated App Services Environment (ASE) in a VNET to keep web applications under the DDoS protection plan of the VNET?

    Saturday, May 12, 2018 12:20 AM

All replies

  • There are 2 types of Azure DDoS Protection, Basic and Standard.

    Azure DDoS Protection Basic provides protection for all public IP addresses within Azure, and the protection is always enabled and working. This will cover any App Service with a public IP.

    Azure DDoS Protection Standard provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources. Unfortunately, it will not directly protect an Azure App Service at this time; however, you can configure your App Service to take advantage of DDoS Protection Standard. In order for your App Service to come under Azure DDoS Protection Standard, you will need to have your ASE behind an Application Gateway (which can also have a WAF) or Load Balancer, and then enable DDoS Protection Standard on the VNET that the App Gateway / Load Balancer is in.

    You can also see the architecture in the "PaaS Web application" reference architecture in the DDoS Protection reference architectures.

    For additional information about DDoS Protection in Azure, please review the Azure DDoS Best Practices documentation.
    Tuesday, May 15, 2018 10:55 PM