Tutorial: Configure Azure DDoS Protection diagnostic logging alerts

In this tutorial, you learn how to:

  • Configure diagnostic logging alerts through Azure Monitor and Logic App.

DDoS Protection diagnostic logging alerts provide visibility into DDoS attacks and mitigation actions. You can configure alerts for all DDoS protected public IP addresses that you have enabled diagnostic logging on.

Prerequisites

Configure diagnostic logging alerts through Azure Monitor

With these templates, you are able to configure alerts for all public IP addresses that you have enabled diagnostic logging on.

Create Azure Monitor alert rule

The Azure Monitor alert rule template runs a query against the diagnostic logs to detect when an active DDoS mitigation is occurring. The alert indicates a potential attack. Action groups can be used to invoke actions as a result of the alert.

Deploy the template

  1. Select Deploy to Azure to sign in to Azure and open the template.

    Button to deploy the Resource Manager template to Azure.

  2. On the Custom deployment page, under Project details, enter the following information.

    Screenshot of Azure Monitor alert rule template.

    Setting Value
    Subscription Select your Azure subscription.
    Resource Group Select your Resource group.
    Region Select your Region.
    Workspace Name Enter your workspace name. In this example, the Workspace name is myLogAnalyticsWorkspace.
    Location Enter China East.

    Note

    Location must match the location of the workspace.

  3. Select Review + create and then select Create after validation passes.

Create Azure Monitor diagnostic logging alert rule with Logic App

This DDoS Mitigation Alert Enrichment template deploys the necessary components of an enriched DDoS mitigation alert: Azure Monitor alert rule, action group, and Logic App. The result of the process is an email alert with details about the IP address under attack, including information about the resource associated with the IP. The owner of the resource is added as a recipient of the email, along with the security team. A basic application availability test is also performed and the results are included in the email alert.

Deploy the template

  1. Select Deploy to Azure to sign in to Azure and open the template.

    Button to deploy the Resource Manager template to Azure.

  2. On the Custom deployment page, under Project details, enter the following information.

    Screenshot of DDoS Mitigation Alert Enrichment template.

    Setting Value
    Subscription Select your Azure subscription.
    Resource Group Select your Resource group.
    Region Select your Region.
    Alert Name Leave as default.
    Security Team Email Enter the required email address.
    Company Domain Enter the required domain.
    Workspace Name Enter your workspace name. In this example, the Workspace name is myLogAnalyticsWorkspace.
  3. Select Review + create and then select Create after validation passes.

Clean up resources

You can keep your resources for the next guide. If no longer needed, delete the alerts.

  1. In the search box at the top of the portal, enter Alerts. Select Alerts in the search results.

    Screenshot of Alerts page.

  2. Select Alert rules, then in the Alert rules page, select your subscription.

    Screenshot of Alert rules page.

  3. Select the alerts created in this guide, then select Delete.

Next steps

In this tutorial you learned how to configure diagnostic alerts through Azure portal.

To test DDoS Protection through simulations, continue to the next guide.