Announcing DDoS Protection preview for Azure JR Mayberry Principal Product Manager Azure Networking
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by exhausting its resources (bandwidth, compute, etc.). It can break online commerce or be used as a form of extortion or hacktivism.
- $150: can buy resources to launch DDoS attacks for a week (Trend Micro Research)
- $500/minute: estimated cost for the majority of online services impacted by DDoS attacks (Arbor Networks)
- 33%: percentage of downtime incidents attributed to DDoS attacks (Verisign/Merit Research)
Security shared responsibility model
Customer:
- Reduce surface area
- Leverage cloud elasticity
- Write fault protection in code
- Defenses at all layers
- Design for failure
Microsoft Azure:
- Provide platform features
- Publish best practices
- Integrate threat intelligence
- Expose telemetry and data
- Provision global capacity
Azure DDoS Protection: global DDoS mitigation presence, leading DDoS mitigation capacity
DDoS Protection Basic is our existing built-in protection for the Azure cloud.
DDoS Protection Basic and Standard:
- Always on and automatically mitigates
- Leverages the global scale of Azure's network; mitigation can be shifted and distributed globally
- Extensive operational pedigree protecting all of Microsoft's online assets, including Xbox and O365
- Microsoft code and Microsoft control plane: highly flexible and agile
- Comprehensive set of network layer attack protections
Azure DDoS Protection service
Azure DDoS Protection Standard is a new offering with additional features beyond Basic:
- Simplified provisioning for all protected resource types in a virtual network
- Adaptive tuning based on platform insights and application traffic patterns
- Application layer protection with Azure Application Gateway WAF
- Integration with Azure Monitor for analytics, insights and alerting
Free preview available now in East U.S., West U.S. and West Central U.S. More features and more regions will be launched during preview.
[Diagram: Attacker -> Azure Backbone (Azure DDoS Protection) -> Virtual Network]
Azure DDoS Protection offerings
Basic (included automatically with all Azure subscriptions):
- Always-on monitoring
- Automatic mitigation for Layer 3/4 attacks
- Globally deployed
Standard adds:
- L7 protection with AppGW WAF
- Protection policies tuned to your VNet
- Logging, alerting, and telemetry
- Resource cost scale protection
Azure DDoS Protection scenarios
- Layer 3/4 DDoS protection tuned to your applications (Microsoft Azure with DDoS Protection)
- Layer 3-7 DDoS protection with AppGW WAF (DDoS Protection plus AppGW WAF)
- DNS zone DDoS protection (Azure DNS)
[Diagram: in each scenario the attack traffic is absorbed inside Microsoft Azure before it reaches the protected resource]
DDoS Protection provisioning
- One-click provisioning during create or modify of a Virtual Network resource
- No application changes are required
- All resource types on the Virtual Network are automatically protected
- Enabled via Azure Portal or PowerShell
L3/L4 adaptive tuning
- No tuning or regular oversight is required
- DDoS Protection understands your resources and resource configuration
- Virtual Network builds a profile of normal traffic
- Machine learning algorithms set and adjust protection policies as traffic patterns change over time
- Mitigation is performed when protection policies are exceeded
[Diagram: Internet traffic -> Public VIP -> DDoS Protection -> Virtual Network (protected resource types); telemetry flows to the Microsoft Azure platform]
Telemetry, monitoring, and alerting
- Rich telemetry is exposed via the Azure Monitor interface
- Detailed metrics are available for the duration of an attack
- Historical attack metrics
- Alerting and logging can be configured for any DDoS metric
- Logging can be integrated with Splunk, OMS Log Analytics, and Azure Storage
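The alerting bullet above, as an added PowerShell example that is not part of the original deck. It uses the AzureRM module cmdlets Get-AzureRmPublicIpAddress, New-AzureRmAlertRuleEmail, Add-AzureRmMetricAlertRule and Get-AzureRmAlertRule; the resource group, public IP name, location and recipient address are placeholders, and the metric name IfUnderDDoSAttack (the "Under DDoS attack or not" metric that DDoS Protection surfaces on a public IP, 0 or 1) is an assumption about the metric exposed during preview.

```powershell
# Added example (not from the deck): raise an alert when DDoS Protection reports a
# public IP as under attack. All names below are assumptions for illustration.
$rgName    = "prod-rg"
$pipName   = "web-pip"
$location  = "eastus"
$recipient = "secops@example.com"

# Resolve the public IP so the alert targets the exact resource ID
$pip = Get-AzureRmPublicIpAddress -ResourceGroupName $rgName -Name $pipName

# Email action; -SendToServiceOwners also notifies subscription owners, contributors and readers
$emailAction = New-AzureRmAlertRuleEmail -CustomEmail $recipient -SendToServiceOwners

# IfUnderDDoSAttack (assumed metric name) is 0 when idle and 1 while mitigation is active.
# Fire when its maximum over a 5-minute window is greater than 0.
Add-AzureRmMetricAlertRule -Name "ddos-attack-$pipName" `
    -Location $location `
    -ResourceGroup $rgName `
    -TargetResourceId $pip.Id `
    -MetricName "IfUnderDDoSAttack" `
    -Operator GreaterThan `
    -Threshold 0 `
    -WindowSize (New-TimeSpan -Minutes 5) `
    -TimeAggregationOperator Maximum `
    -Action $emailAction `
    -Description "DDoS Protection reports $pipName under attack"

# Verify the rule: condition, target resource and actions should match the above
Get-AzureRmAlertRule -ResourceGroup $rgName -Name "ddos-attack-$pipName" -DetailedOutput
```

A five-minute window with a Maximum aggregation is a deliberate choice: a single sample of 1 is enough to page someone, and the window keeps the alert from flapping while mitigation is cycling on and off at the edge.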
DDoS Protection with AppGW WAF
AppGW WAF combined with DDoS Protection provides comprehensive Layer 3-7 protection. DDoS Protection absorbs the volumetric attack at the network layer; AppGW WAF adds request rate-limiting and protects your website from:
- HTTP protocol violations
- HTTP protocol anomalies
- SQL injection
- Cross-site scripting
Discounted AppGW WAF included with DDoS Protection Standard at GA.
[Diagram: attack traffic hits the Public IP, only clean traffic reaches the Virtual Network]
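Enabling the Layer 7 half of that picture, as an added PowerShell example that is not from the original deck. It uses the AzureRM.Network cmdlets Get-AzureRmApplicationGateway, Set-AzureRmApplicationGatewayWebApplicationFirewallConfiguration and Set-AzureRmApplicationGateway; the resource group and gateway names are placeholders, and the gateway is assumed to already be on a WAF SKU.

```powershell
# Added example (not from the deck): switch an existing Application Gateway's WAF on
# in Prevention mode with the OWASP 3.0 rule set. Names are assumptions for illustration.
$rgName  = "prod-rg"
$agwName = "web-agw"

# Load the gateway object; assumed to be deployed on a WAF SKU (WAF_Medium or WAF_Large)
$agw = Get-AzureRmApplicationGateway -ResourceGroupName $rgName -Name $agwName

# Prevention blocks requests that match CRS rules (SQL injection, XSS, protocol
# violations and anomalies). Start with Detection on a new app if you need to tune
# false positives first; Detection only logs.
$agw = Set-AzureRmApplicationGatewayWebApplicationFirewallConfiguration `
    -ApplicationGateway $agw `
    -Enabled $true `
    -FirewallMode Prevention `
    -RuleSetType OWASP `
    -RuleSetVersion 3.0

# Commit the change to Azure (this is a long-running gateway update)
Set-AzureRmApplicationGateway -ApplicationGateway $agw | Out-Null

# Confirm the effective settings: Enabled should be True and FirewallMode Prevention
(Get-AzureRmApplicationGateway -ResourceGroupName $rgName -Name $agwName).WebApplicationFirewallConfiguration
```

The WAF only sees traffic that already passed the Layer 3/4 mitigation in front of the Public IP, which is why the two are combined rather than relying on the WAF alone to survive a flood.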
Demo JR Mayberry
GA Feature Roadmap
- Azure Resource Policy integration to require DDoS Protection enablement
- Additional protection telemetry
- Self-service scheduling of simulated DDoS attacks against your resources
- Azure Security Center recommendation
- Cost Protection: provides resource credits for scale-out during a documented attack
- Additional DDoS Protection best practice documentation
Register for preview at aka.ms/ddosprotection
- DDoS Protection Basic is available in all Azure regions
- DDoS Protection Standard is available now in preview in the U.S. East, U.S. West and U.S. West Central regions
- Preview will be expanded globally in Q4 '17
Please evaluate this session. Your feedback is important to us!
From your PC or tablet, visit MyIgnite at http://myignite.microsoft.com
From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp
Appendix
PowerShell for DDoS Protection
Read the Virtual Network's properties, set enableDdosProtection, and write the properties back. Substitute your own resource group and Virtual Network names for the placeholders.

```powershell
# Placeholders for the target Virtual Network
$rgName   = "<rgname>"
$vnetName = "<resourcename>"

# Retrieve the current VNet properties into a variable
$vnetProps = (Get-AzureRmResource -ResourceType "Microsoft.Network/virtualNetworks" -ResourceGroupName $rgName -ResourceName $vnetName).Properties

# Inspect them; on a VNet without DDoS Protection Standard this shows
# enableDdosProtection : False
$vnetProps

# Enable DDoS Protection Standard for every resource on the VNet
$vnetProps.enableDdosProtection = $true

# Write the updated properties back
Set-AzureRmResource -PropertyObject $vnetProps -ResourceGroupName $rgName -ResourceName $vnetName -ResourceType "Microsoft.Network/virtualNetworks"
```
DDoS resiliency shared responsibility model (Option 2)
[Slide template only: Client and Microsoft columns with placeholder text]