Azure DDoS and Cloudflare DDoS

N-Open 160 Reputation points
2023-11-21T08:15:43.3566667+00:00

Dear Team,

One of our client having a tenant and single subscription. Client is looking to use Cloudflare DDoS and all internet traffic coming via Cloudflare Tunnel to Azure subscription/Tenant.

We need your support to understand in which situations we will need to use Azure DDoS instead of Cloudflare DDoS.

  1. Some applications running in the tenant will be single region based.
  2. Some applications running in the tenant will be two region based. The applications are going to use Font Door for regional load balancing.

Can Cloudflare services be implemented before traffic reaches Azure front door??? Please guide.

Kindly advice which scenarios we can use Azure DDoS and Cloudflare DDoS.

Azure DDos Protection
Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
71 questions
Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
699 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,539 questions
0 comments No comments
{count} votes

Accepted answer
  1. KapilAnanth-MSFT 47,286 Reputation points Microsoft Employee
    2023-11-21T10:09:29.53+00:00

    @N-Open

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to understand more about DDOS Capabilities in Azure.

    We will not be able to comment much on third party vendor's DDOS Capabilities. I shall recommend you to reach out to the vendor.

    Now in Azure, We have two DDOS Plans

    • DDoS Network Protection - Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks
    • DDoS IP Protection - DDoS IP Protection is a pay-per-protected IP model

    Both of them are designed for services that are deployed in a virtual network.

    A complete list of Protected Resources can be found here.

    You will note that neither of the above covers AFD , as it is not deployed into a VNET.

    The strategy employ Azure Front Door along with a web application firewall. Azure Front Door offers platform-level protection against network-level DDoS attacks

    For more information : DDoS protection on Front Door.

    To address your queries,

    • We must understand how your traffic comes into Azure.
    • Can you be more specific when you say "Cloudflare Tunnel to Azure"?
      • To exactly which Azure resource?
        • And how is this "Tunneling" to Public Azure resource is configured?

    1.Some applications running in the tenant will be single region based.

    As long as the traffic comes in via a Public IP attached to one of the Protected Resources, Azure DDOS will be able to support the workload.

    2.Some applications running in the tenant will be two region based. The applications are going to use Font Door for regional load balancing.

    • If the traffic comes in via AFD, as stated, only **platform-level protection **is supported
    • However, if the backend of the AFD are in turn a Protected Resource (such as App gateway or a Load Balancer), then DDOS Protection would still apply to the individual regional App.

    P.S:

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.