locked
Does Azure DDOS Protection protects PaaS components like Webapps, Blobs and SQL? RRS feed

  • Question

  • User-2011555853 posted

    Hi all,

    I have set up an online service which is made up of Azure Webapp, Blob and SQL. They are all PaaS.

    Now I saw Azure DDOS Protection and Mitigation, which protects you against SQL injection, cross-site scripting attacks and session hijacks.

    Will this protect my resources? Will it protect Webapps, blob and SQL?

    Thank you.

    Thursday, September 20, 2018 9:53 AM

Answers

  • User283571144 posted

    Hi b3hdad,

    b3hdad

    Now I saw Azure DDOS Protection and Mitigation, which protects you against SQL injection, cross-site scripting attacks and session hijacks.

    Will this protect my resources? Will it protect Webapps, blob and SQL?

    According to this article:

    "Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks." 

    Azure DDos Protection does not work at Layer 7,  Azure Webapp, Blob and SQL are in the layer7.

    Since the App Service Plan is not ASE so it doesn't have a virtual network.

    Hence, DDos protection is not actually useful in protecting your web application, Blob and SQL. 

    If you want to use it, you should firstly create a Azure Application Gateway, it can be a front-end gate to inspect HTTP before redirecting requests to your service.

    Then you could use zure DDOS Protection protects Azure Application Gateway.

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 21, 2018 2:26 AM

All replies

  • User283571144 posted

    Hi b3hdad,

    b3hdad

    Now I saw Azure DDOS Protection and Mitigation, which protects you against SQL injection, cross-site scripting attacks and session hijacks.

    Will this protect my resources? Will it protect Webapps, blob and SQL?

    According to this article:

    "Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks." 

    Azure DDos Protection does not work at Layer 7,  Azure Webapp, Blob and SQL are in the layer7.

    Since the App Service Plan is not ASE so it doesn't have a virtual network.

    Hence, DDos protection is not actually useful in protecting your web application, Blob and SQL. 

    If you want to use it, you should firstly create a Azure Application Gateway, it can be a front-end gate to inspect HTTP before redirecting requests to your service.

    Then you could use zure DDOS Protection protects Azure Application Gateway.

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 21, 2018 2:26 AM
  • User-2011555853 posted

    Hi Brando,

    Thank you very much for your reply. It does make sense. I believe you are referring to section "Protect against DDoS attacks at Layers 3-7" in that link, which I failed to read

    and connect the dots properly. 

    Thanks again.

    Friday, September 21, 2018 2:51 AM