QuickStart: Create and configure Azure DDoS Network Protection using Azure CLI

Get started with Azure DDoS Network Protection by using Azure CLI.

A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan.

In this QuickStart, you'll create a DDoS protection plan and link it to a virtual network.

Diagram of DDoS Network Protection.

Prerequisites

If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run az --version. If you need to install or upgrade, see Install the Azure CLI.

Create a DDoS Protection plan

In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.

To create a resource group, use az group create. In this example, we'll name our resource group MyResourceGroup and use the China East location:

az group create \
    --name MyResourceGroup \
    --location chinaeast

Now create a DDoS protection plan named MyDdosProtectionPlan:

az network ddos-protection create \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan

Enable DDoS protection for a virtual network

Enable DDoS protection for a new virtual network

You can enable DDoS protection when creating a virtual network. In this example, we'll name our virtual network MyVnet:

az network vnet create \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --location chinaeast \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection true

Note

You cannot move a virtual network to another resource group or subscription when DDoS Protection is enabled for the virtual network. If you need to move a virtual network with DDoS Protection enabled, disable DDoS Protection first, move the virtual network, and then enable DDoS Protection. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.

Enable DDoS protection for an existing virtual network

When creating a DDoS protection plan, you can associate one or more virtual networks to the plan. To add more than one virtual network, list the names or IDs, space-separated. In this example, we'll add MyVnet:

az group create \
    --name MyResourceGroup \
    --location chinaeast

az network ddos-protection create \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan \
    --vnets MyVnet

Alternatively, you can enable DDoS protection for a given virtual network:

az network vnet update \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection true

Disable DDoS protection for a virtual network

Update a given virtual network to disable DDoS protection:

az network vnet update \
    --resource-group MyResourceGroup \
    --name MyVnet \
    --ddos-protection-plan MyDdosProtectionPlan \
    --ddos-protection false

Validate and test

First, check the details of your DDoS protection plan:

az network ddos-protection show \
    --resource-group MyResourceGroup \
    --name MyDdosProtectionPlan

Verify that the command returns the correct details of your DDoS protection plan.
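The plan details alone don't show whether each virtual network is actually linked and has protection turned on, which matters after a disable/move/re-enable cycle like the one described in the note above. The following check is an added example, not part of the original quickstart: the function names and sample rows are constructed, and it assumes the CLI's tsv output renders booleans as True/False and null as None.

```shell
#!/usr/bin/env bash
# Added example: audit VNet-to-plan linkage. Function names are hypothetical.

# One line per VNet: name <TAB> enableDdosProtection <TAB> linked plan ID.
# Needs a signed-in Azure CLI; only defined here, never called by this file.
list_vnets_tsv() {
    az network vnet list \
        --resource-group "$1" \
        --query "[].[name, enableDdosProtection, ddosProtectionPlan.id]" \
        --output tsv
}

# Reads that TSV on stdin and prints every VNet not protected by plan $1,
# with the reason. Exit status is 1 if any VNet was reported, else 0.
find_unprotected() {
    awk -F '\t' -v plan="$1" '
        BEGIN { bad = 0 }
        {
            # The plan name is the last segment of the plan resource ID.
            n = split($3, seg, "/")
            linked = (n > 0) ? seg[n] : ""
            if (tolower($2) != "true") {
                print $1 "\tprotection-disabled"; bad = 1
            } else if (tolower(linked) != tolower(plan)) {
                print $1 "\twrong-plan:" linked; bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample rows (not real CLI output); subscription ID is a placeholder.
PLANS="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/ddosProtectionPlans"
SAMPLE_TSV=$(printf '%s\t%s\t%s\n' \
    MyVnet     True  "$PLANS/MyDdosProtectionPlan" \
    LegacyVnet False None \
    OtherVnet  True  "$PLANS/OtherPlan")

# Live usage (requires az login):
#   list_vnets_tsv MyResourceGroup | find_unprotected MyDdosProtectionPlan
```

A non-zero exit status makes the check usable as a gate in a deployment pipeline or a scheduled compliance job.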

Clean up resources

You can keep your resources for the next tutorial. If no longer needed, delete the MyResourceGroup resource group. When you delete the resource group, you also delete the DDoS protection plan and all its related resources.

To delete the resource group, use az group delete:

az group delete \
    --name MyResourceGroup

Note

To delete a DDoS protection plan, first dissociate all virtual networks from it.

Next steps

To learn how to view and configure telemetry for your DDoS protection plan, continue to the tutorials.