Governance Policies Azure Networking DDoS Protection - Azure/az-prototype GitHub Wiki
Governance policies for DDoS Protection
Domain: azure-networking
| Name | Description |
|---|---|
| DDoS Protection with VNet association and alerts | DDoS plan associated with VNets, metric alerts on public IPs, and diagnostic logging |
| Anti-pattern | Instead |
|---|---|
| Do not deploy public-facing services without DDoS Protection | Create a DDoS Protection Plan and associate it with every VNet that contains public IP addresses |
| Do not skip attack notification alerts | Configure a metric alert on the IfUnderDDoSAttack metric for every public IP address |
| Check | Severity | Description |
|---|---|---|
| AZ-DDOS-001 | Required | Deploy a DDoS Protection Plan and associate it with all VNets containing public-facing resources |
| AZ-DDOS-002 | Required | Configure DDoS attack metric alerts on all public IP addresses |
| AZ-DDOS-003 | Recommended | Enable DDoS diagnostic logging for attack analytics and post-incident review |
Deploy a DDoS Protection Plan and associate it with all VNets containing public-facing resources
Severity: Required
Rationale: DDoS Network Protection adds per-resource mitigation tuned to the application's traffic profile, plus attack telemetry, alerting and logs, beyond the always-on infrastructure-level protection Azure applies to every public IP
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/ddosProtectionPlans
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworks | VNet DDoS association | Associate the DDoS Protection Plan with VNets that have public IP addresses |
| Microsoft.Insights/diagnosticSettings | diag-ddos | Diagnostic settings on each public IP address for DDoS notifications, mitigation flow logs and mitigation reports |
| Microsoft.Insights/metricAlerts | alert-ddos | Metric alert for DDoS attack notifications on public IP addresses |
Configure DDoS attack metric alerts on all public IP addresses
Severity: Required
Rationale: Immediate notification of DDoS attacks enables rapid response and mitigation tuning
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/ddosProtectionPlans
Enable DDoS diagnostic logging for attack analytics and post-incident review
Severity: Recommended
Rationale: Diagnostic logs record the attack vectors, dropped versus forwarded packet counts and per-attack mitigation reports needed for forensics and post-incident review
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/ddosProtectionPlans
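The following Bicep is an added example, not code from the az-prototype repository, showing one deployment that satisfies AZ-DDOS-001, AZ-DDOS-002 and AZ-DDOS-003 together: the plan, a VNet associated with it, a Standard SKU public IP, the IfUnderDDoSAttack metric alert on that IP, and the DDoS diagnostic categories sent to Log Analytics. The resource names (ddos-plan, vnet-web, pip-web), address prefixes, and the actionGroupId and logAnalyticsWorkspaceId parameters are assumptions; attaching the public IP to a load balancer or NIC in the subnet is omitted.

```bicep
// Added example (not from the az-prototype wiki). Assumed inputs: an existing
// action group and Log Analytics workspace passed in by resource ID.
param location string = resourceGroup().location
param actionGroupId string
param logAnalyticsWorkspaceId string

// AZ-DDOS-001: the plan is a billed resource; one plan can protect many VNets
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-09-01' = {
  name: 'ddos-plan'
  location: location
  properties: {}
}

// AZ-DDOS-001: VNet for public-facing resources, associated with the plan.
// enableDdosProtection defaults to false, which is the non-compliant state.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-web'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'snet-web', properties: { addressPrefix: '10.10.1.0/24' } }
    ]
  }
}

// Standard SKU public IP fronting a service in the protected VNet
resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-web'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// AZ-DDOS-002: IfUnderDDoSAttack is a 0/1 metric; alert as soon as its
// maximum over the window exceeds 0 (i.e. mitigation is active)
resource ddosAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-ddos'
  location: 'global'
  properties: {
    description: 'Public IP is under DDoS mitigation'
    severity: 1
    enabled: true
    scopes: [pip.id]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'UnderDDoSAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
        }
      ]
    }
    actions: [
      { actionGroupId: actionGroupId }
    ]
  }
}

// AZ-DDOS-003: the DDoS log categories are exposed on the public IP resource,
// not on the protection plan, so the diagnostic setting is scoped to the IP
resource ddosDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-ddos'
  scope: pip
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
  }
}
```

Two points worth checking after deployment: the alert and diagnostic setting must exist for every public IP, not just one, so a compliance scan should enumerate Microsoft.Network/publicIPAddresses rather than the plan; and the mitigation flow logs and reports are only written while a mitigation is active, so an empty table in Log Analytics is not by itself a sign of misconfiguration.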