Governance Policies: Azure Networking, DDoS Protection
Governance policies for Azure DDoS Protection
Domain: azure-networking
| Name | Description |
|---|---|
| DDoS Protection with VNet association and alerts | DDoS plan associated with VNets, metric alerts on public IPs, and diagnostic logging |
| Anti-pattern | Instead |
|---|---|
| Do not deploy public-facing services without DDoS Protection | Create a DDoS Protection Plan and associate with all VNets containing public IPs |
| Do not skip attack notification alerts | Configure metric alerts on IfUnderDDoSAttack (0 when idle, 1 while a mitigation is active) for all public IP addresses, routed to an action group |
| Check | Severity | Description |
|---|---|---|
| AZ-DDOS-001 | Required | Deploy DDoS Protection Plan and associate with all VNets containing public-facing resources |
| AZ-DDOS-002 | Required | Configure DDoS attack metric alerts on all public IP addresses |
| AZ-DDOS-003 | Recommended | Enable DDoS diagnostic logging for attack analytics and post-incident review |
AZ-DDOS-001: Deploy DDoS Protection Plan and associate with all VNets containing public-facing resources
Severity: Required
Rationale: DDoS Network Protection adds per-resource adaptive tuning, attack telemetry and alerting on top of the always-on infrastructure protection that every Azure public IP gets by default; the plan only takes effect for a public IP once its VNet is associated with the plan
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/ddosProtectionPlans
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworks | VNet DDoS association | Associate the DDoS Protection Plan with VNets that have public IP addresses |
| Microsoft.Insights/diagnosticSettings | diag-ddos | Diagnostic settings for DDoS mitigation flow logs and attack analytics |
| Microsoft.Insights/metricAlerts | alert-ddos | Metric alert for DDoS attack notifications on public IP addresses |
AZ-DDOS-002: Configure DDoS attack metric alerts on all public IP addresses
Severity: Required
Rationale: Immediate notification of DDoS attacks enables rapid response and mitigation tuning
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/ddosProtectionPlans
AZ-DDOS-003: Enable DDoS diagnostic logging for attack analytics and post-incident review
Severity: Recommended
Rationale: The public IP diagnostic categories DDoSProtectionNotifications, DDoSMitigationFlowLogs and DDoSMitigationReports record when mitigation started and stopped, the attack vectors and dropped versus forwarded traffic, and the per-mitigation summary needed for forensics
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/ddosProtectionPlans
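The three checks above (AZ-DDOS-001, -002 and -003), implemented as an added example that is not part of this policy page or of any of the listed agents: an offline evaluator that walks an ARM-style resource inventory (the dict shape an ARM template export or `az resource list` returns) and reports a finding per resource that fails a check. The subscription, resource group, resource ids, action group and workspace are constructed for the example; mapping a public IP to its VNet through NIC ipConfigurations only is an assumption (load balancer or gateway frontends would need their own mapping, but still get the alert and logging checks).

```python
"""Offline evaluator for AZ-DDOS-001..003 over an ARM-style resource list (dicts with
"type", "id", "properties", as an ARM export or `az resource list` returns).
Assumption: a public IP is tied to a VNet only through NIC ipConfigurations; IPs
attached elsewhere (load balancer, gateway) still get the alert and logging checks."""
REQUIRED_LOGS = {"DDoSProtectionNotifications", "DDoSMitigationFlowLogs", "DDoSMitigationReports"}
SINKS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

def _of(resources, rtype):
    return [r for r in resources if r["type"].lower() == rtype.lower()]

def public_ip_vnets(resources):
    """Map public IP id -> VNet id via NIC ipConfigurations (subnet id minus '/subnets/...')."""
    out = {}
    for nic in _of(resources, "Microsoft.Network/networkInterfaces"):
        for cfg in nic["properties"].get("ipConfigurations", []):
            p = cfg.get("properties", {})
            pip, subnet = p.get("publicIPAddress", {}).get("id"), p.get("subnet", {}).get("id")
            if pip and subnet:
                out[pip.lower()] = subnet.lower().split("/subnets/")[0]
    return out

def check_001(resources):
    """AZ-DDOS-001: a VNet hosting public IPs needs an enabled association with a plan that exists."""
    plans = {p["id"].lower() for p in _of(resources, "Microsoft.Network/ddosProtectionPlans")}
    exposed = set(public_ip_vnets(resources).values())
    findings = []
    for vnet in _of(resources, "Microsoft.Network/virtualNetworks"):
        if vnet["id"].lower() not in exposed:
            continue  # no public IP in this VNet: out of scope for the check
        props = vnet["properties"]
        plan = (props.get("ddosProtectionPlan") or {}).get("id", "").lower()
        if not (props.get("enableDdosProtection") and plan in plans):
            findings.append(("AZ-DDOS-001", "Required", vnet["id"], "no enabled association with an existing plan"))
    return findings

def _alert_covers(alert, pip_id):
    p = alert["properties"]
    scoped = pip_id in {s.lower() for s in p.get("scopes", [])}
    metric = any(c.get("metricName", "").lower() == "ifunderddosattack"
                 for c in p.get("criteria", {}).get("allOf", []))
    actioned = any(a.get("actionGroupId") for a in p.get("actions", []))
    return bool(p.get("enabled", True) and scoped and metric and actioned)

def check_002(resources):
    """AZ-DDOS-002: each public IP needs an enabled IfUnderDDoSAttack alert routed to an action group."""
    alerts = _of(resources, "Microsoft.Insights/metricAlerts")
    return [("AZ-DDOS-002", "Required", pip["id"], "no enabled IfUnderDDoSAttack alert with an action group")
            for pip in _of(resources, "Microsoft.Network/publicIPAddresses")
            if not any(_alert_covers(a, pip["id"].lower()) for a in alerts)]

def check_003(resources):
    """AZ-DDOS-003: each public IP must ship all three DDoS log categories to at least one sink."""
    diags = _of(resources, "Microsoft.Insights/diagnosticSettings")
    findings = []
    for pip in _of(resources, "Microsoft.Network/publicIPAddresses"):
        prefix = pip["id"].lower() + "/providers/microsoft.insights/diagnosticsettings/"
        enabled = set()
        for d in diags:  # diagnostic settings are extension resources under the public IP's id
            p = d["properties"]
            if d["id"].lower().startswith(prefix) and any(p.get(k) for k in SINKS):
                enabled |= {entry["category"] for entry in p.get("logs", []) if entry.get("enabled")}
        missing = REQUIRED_LOGS - enabled
        if missing:
            findings.append(("AZ-DDOS-003", "Recommended", pip["id"],
                             "missing log categories: " + ", ".join(sorted(missing))))
    return findings

def evaluate(resources):
    return check_001(resources) + check_002(resources) + check_003(resources)

# Constructed sample inventory (hypothetical ids, not real resources): vnet-web complies, vnet-legacy does not.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers"
PLAN, AG = f"{SUB}/Microsoft.Network/ddosProtectionPlans/ddos-prod", f"{SUB}/Microsoft.Insights/actionGroups/ag-secops"
LAW = f"{SUB}/Microsoft.OperationalInsights/workspaces/law-secops"
VNET_WEB, VNET_LEGACY = (f"{SUB}/Microsoft.Network/virtualNetworks/{n}" for n in ("vnet-web", "vnet-legacy"))
PIP_WEB, PIP_LEGACY = (f"{SUB}/Microsoft.Network/publicIPAddresses/{n}" for n in ("pip-web", "pip-legacy"))

def _r(rtype, rid, **props):
    return {"type": rtype, "id": rid, "properties": props}

def _nic(name, vnet, pip):  # one NIC with one ipConfiguration in the VNet's default subnet
    return _r("Microsoft.Network/networkInterfaces", f"{SUB}/Microsoft.Network/networkInterfaces/{name}",
              ipConfigurations=[{"properties": {"subnet": {"id": f"{vnet}/subnets/default"}, "publicIPAddress": {"id": pip}}}])

SAMPLE_INVENTORY = [
    _r("Microsoft.Network/ddosProtectionPlans", PLAN),
    _r("Microsoft.Network/virtualNetworks", VNET_WEB, enableDdosProtection=True, ddosProtectionPlan={"id": PLAN}),
    _r("Microsoft.Network/virtualNetworks", VNET_LEGACY, enableDdosProtection=False),
    *[_r("Microsoft.Network/publicIPAddresses", p) for p in (PIP_WEB, PIP_LEGACY)],
    _nic("nic-web", VNET_WEB, PIP_WEB),
    _nic("nic-legacy", VNET_LEGACY, PIP_LEGACY),
    _r("Microsoft.Insights/metricAlerts", f"{SUB}/Microsoft.Insights/metricAlerts/alert-ddos-web", enabled=True,
       scopes=[PIP_WEB], actions=[{"actionGroupId": AG}],
       criteria={"allOf": [{"metricName": "IfUnderDDoSAttack", "operator": "GreaterThan", "threshold": 0}]}),
    _r("Microsoft.Insights/diagnosticSettings", f"{PIP_WEB}/providers/Microsoft.Insights/diagnosticSettings/diag-ddos",
       workspaceId=LAW, logs=[{"category": c, "enabled": True} for c in REQUIRED_LOGS]),
    # pip-legacy: no alert at all, and only the notification category is shipped
    _r("Microsoft.Insights/diagnosticSettings", f"{PIP_LEGACY}/providers/Microsoft.Insights/diagnosticSettings/diag-ddos",
       workspaceId=LAW, logs=[{"category": "DDoSProtectionNotifications", "enabled": True}]),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_INVENTORY):
        print(" | ".join(finding))
```

On the sample inventory this reports exactly three findings: AZ-DDOS-001 for vnet-legacy, and AZ-DDOS-002 plus AZ-DDOS-003 for pip-legacy. A VNet with no public IP produces nothing, a disabled alert or one without an action group does not count, and a VNet whose `ddosProtectionPlan.id` points at a plan that is not in the inventory is flagged as unassociated. To run it against a real environment, replace `SAMPLE_INVENTORY` with the parsed JSON of a subscription export and extend `public_ip_vnets` for IPs that are attached to load balancers or gateways rather than NICs.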