Edit

Share via

QuickStart: Create and configure Azure DDoS Network Protection using Azure CLI

  • Article

Get started with Azure DDoS Network Protection by using Azure CLI.

A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.

In this QuickStart, you'll create a DDoS protection plan and link it to a virtual network.

Diagram of DDoS Network Protection.

Prerequisites

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Button to launch Azure Cloud Shell.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run az --version. If you need to install or upgrade, see Install the Azure CLI.

Create a DDoS Protection plan

In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.

To create a resource group, use az group create. In this example, we'll name our resource group MyResourceGroup and use the East US location:

az group create \
    --name MyResourceGroup \
    --location eastus

Now create a DDoS protection plan named MyDdosProtectionPlan:

az network ddos-protection create \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan

Enable DDoS protection for a virtual network

Enable DDoS protection for a new virtual network

You can enable DDoS protection when creating a virtual network. In this example, we'll name our virtual network MyVnet:

az network vnet create \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --location eastus \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection true

Note

You cannot move a virtual network to another resource group or subscription when DDoS Protection is enabled for the virtual network. If you need to move a virtual network with DDoS Protection enabled, disable DDoS Protection first, move the virtual network, and then enable DDoS Protection. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.

Enable DDoS protection for an existing virtual network

When creating a DDoS protection plan, you can associate one or more virtual networks to the plan. To add more than one virtual network, simply list the names or IDs, space-separated. In this example, we'll add MyVnet:

az group create \
    --name MyResourceGroup \
    --location eastus

az network ddos-protection create \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan 
    --vnets MyVnet

Alternatively, you can enable DDoS protection for a given virtual network:

az network vnet update \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection true

Disable DDoS protection for a virtual network

Update a given virtual network to disable DDoS protection:

az network vnet update \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection false

Validate and test

First, check the details of your DDoS protection plan:

az network ddos-protection show \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan

Verify that the command returns the correct details of your DDoS protection plan.

Clean up resources

You can keep your resources for the next tutorial. If no longer needed, delete the MyResourceGroup resource group. When you delete the resource group, you also delete the DDoS protection plan and all its related resources.

To delete the resource group use az group delete:

az group delete \
--name MyResourceGroup

Note

If you want to delete a DDoS protection plan, you must first dissociate all virtual networks from it.

Next steps

To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.

View and configure DDoS protection telemetry