Can DDoS Protection Service be used with classic Azure App Service Web Apps?

  • Question

  • Hi,

    I have a classic Azure App Service Web App running. I am keen to have it DDoS protected. 

    Wanted to know - can I use DDoS Protection Service with a classic Azure App Service Web App?

    If there is no direct way of using DDoS Protection Service, is there a workaround?

    Regards,

    Saurabh

    Wednesday, February 21, 2018 3:20 AM

All replies

  • Azure DDoS Protection does not work at Layer 7. It works at Layer 4 to help protect at the network level. And you have nothing to do with Azure DDoS Protection other than just enabling it. Depending on the layer you want to protect (4 or 7), the solution may vary. If you want to prevent HTTP flooding, then consider going with Azure Application Gateway, a 3rd-party web application firewall virtual appliance, or just a virtual machine running an open-source firewall (e.g. ModSecurity).


    Thuan Soldier

    Personal Blog | Twitter | Microsoft Azure Defense In Depth Guide

    Thursday, February 22, 2018 2:19 AM
  • Thank you Thuan.

    So if I understand correctly - DDoS Protection Service works on Layer 4 ... and hence the same cannot be configured with the classic Azure App Service Web App. Am I correct?

    If the above understanding is correct, then you are saying that protection for the classic Azure App Service Web App can be applied only at layer 7 ... and hence for the same we can go with options like Azure App Gateway (which actually works only with ASE and not with classic App Service Web App) or any other s/w which works at layer 7. Am I correct in my understanding?

    Regards,

    Saurabh

    Thursday, February 22, 2018 8:05 AM
  • Yes, for the supported protocols of DDoS attack mitigation, please read this article: https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview

    "Protocol attacks: These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack. It includes, SYN flood attacks, reflection attacks, and other protocol attacks." 

    Because your App Service Plan is not ASE, it doesn't have a virtual network. Hence, DDoS protection is not actually useful in protecting your web application. That is why I recommended you have a look at any approach to mitigating HTTP-based DDoS attacks.

    Not only working with ASE, Azure Application Gateway can be a front-end gate to inspect HTTP before redirecting requests to your web app. Of course, there has to be an HTTP handler to handle incoming HTTP requests from Azure Application Gateway.


    Thuan Soldier

    Personal Blog | Twitter | Microsoft Azure Defense In Depth Guide

    Thursday, February 22, 2018 8:52 AM