Merged
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -113,4 +113,5 @@ node_modules
.project

# Specific azuredeploy.parameters.json files for dev testing (ignored not to expose ssh pub keys)
.params/
.params/
.vs/
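Review bot: `.vs/` is added directly under the comment about azuredeploy.parameters.json files and ssh pub keys, so it reads as if that comment explains it. Put a blank line before it or give it its own comment, since it looks like an editor directory unrelated to the parameters files. The `.params/` line also shows as removed and re-added with no visible change, which suggests a whitespace or end-of-file newline difference; worth confirming that is intentional.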
9 changes: 9 additions & 0 deletions azuredeploy.json
Expand Up @@ -72,6 +72,13 @@
},
"type": "bool"
},
"ddosSwitch": {
"defaultValue": false,
"metadata": {
"description": "Switch to create a DDoS protection plan"
},
"type": "bool"
},
"httpsTermination": {
"allowedValues": [
"VMSS",
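Review bot: the `ddosSwitch` description ("Switch to create a DDoS protection plan") does not match docs/Parameters.md in this same PR, which says the switch also links the plan to the vnet. Use one wording in both places, and since the default is `false`, consider stating in the description that `true` enables the Standard SKU, so the effect is clear to someone reading only the template.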
Expand Down Expand Up @@ -901,6 +908,8 @@
"dbLoginPassword": "[concat(substring(uniqueString(resourceGroup().id, deployment().name), 2, 11), '*7', toUpper('pfiwb'))]",
"dbServerType": "[parameters('dbServerType')]",
"dbUsername": "[concat(parameters('dbLogin'), '@', parameters('dbServerType'), '-', variables('resourceprefix'))]",
"ddosPlanName": "[concat('ddos-plan-',variables('resourceprefix'))]",
"ddosSwitch": "[parameters('ddosSwitch')]",
"elasticVmSku": "[parameters('elasticVmSku')]",
"elasticAvailabilitySetName": "[concat('elastic-avset-',variables('resourceprefix'))]",
"elasticClusterName": "[concat('es-cluster-',variables('resourceprefix'))]",
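Review bot: `ddosPlanName` is built from `resourceprefix`, so every deployment with `ddosSwitch` set to true gets its own plan, and there is no way to point the template at a plan that already exists. docs/Manage.md in this PR warns that the fee continues until the plan is deleted, so an optional parameter for an existing plan's resource ID (falling back to this generated name when empty) would let operators reuse one plan instead of creating one per cluster.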
18 changes: 18 additions & 0 deletions docs/Manage.md
Expand Up @@ -173,6 +173,24 @@ files to be ready immediately:
- /moodle/certs/nginx.key: Your certificate's private key
- /moodle/certs/nginx.crt: Your combined signed certificate and trust chain certificate(s).

## Managing Azure DDoS protection

By default, every plublic IP is protected by Azure DDoS protection Basic SKU.
You can find more information about Azure DDoS protection Basic SKU [here](https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview).

If you want more protection, you can activate Azure DDoS protection Standard SKU by setting
the ddosSwith to true. You can find how to work with Azure DDoS
protection plan [here](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#work-with-ddos-protection-plans).

If you want to disable the Azure DDoS protection, you can follow the instruction
[here](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#disable-ddos-for-a-virtual-network).

Be careful, disabling the Azure DDoS protection on your vnet will not stop the fee.
You have to delete the Azure DDoS protection plan if you want to stop the fee.

If you have deployed your cluster without Azure DDoS protection plan, you still can activate the
Azure DDoS protection plan thanks to the instruction [here](https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#enable-ddos-for-an-existing-virtual-network).

## Next Steps

1. [Retrieve configuration details using CLI](./Get-Install-Data.md)
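Review bot: the parameter name is misspelled as `ddosSwith` in the second paragraph of the new section; it must read `ddosSwitch` or readers will not find it in azuredeploy.json. Also fix "plublic" in the first paragraph and change "instruction" to "instructions" in the two places it appears. The fee warning is the most important operational point in this section; consider moving it up next to the sentence about activating the Standard SKU so it is read before the switch is turned on.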
9 changes: 9 additions & 0 deletions docs/Parameters.md
Expand Up @@ -187,6 +187,15 @@ Possible Values: ["postgres","mysql","mssql"]

Default: mysql

### ddosSwitch

Switch to create an Azure DDoS protection plan and link it to the vnet

Type: bool

Possible Values: [true, false]

Default: false

### elasticVmSku
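Review bot: the `ddosSwitch` entry does not say that setting it to true creates a plan that carries a fee, which docs/Manage.md in this PR calls out. Add one sentence on that and a link to the "Managing Azure DDoS protection" section of Manage.md so the cost is visible where the parameter is chosen.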

56 changes: 56 additions & 0 deletions nested/network-vnet-ddos.json
@@ -0,0 +1,56 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"moodleCommon": {
"metadata": {
"description": "Common Moodle values"
},
"type": "object"
},
"vnetName": {
"metadata": {
"description": "The name of the vnet to which the DDoS protection plan shoud be associated"
},
"type": "string"
},
"vNetAddressSpace": {
"metadata": {
"description": "The vNet Address Space to which the DDoS protection plan shoud be associated"
},
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Network/ddosProtectionPlans",
"apiVersion": "2018-02-01",
"condition": "[parameters('moodleCommon').ddosSwitch]",
"location": "[resourceGroup().location]",
"name": "[parameters('moodleCommon').ddosPlanName]"
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2018-02-01",
"dependsOn": [
"[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('moodleCommon').ddosPlanName)]"
],
"location": "[resourceGroup().location]",
"name": "[parameters('vnetName')]",

This is great. So you did confirm that this works regardless of whether this vnet already exists or is to be created, right?

Author

Yes, I've run 4 tests:

  1. existing vNet and ddosSwitch equal to true
  2. existing vNet and ddosSwitch equal to false
  3. no existing vNet and ddosSwitch equal to true
  4. no existing vNet and ddosSwitch equal to false

Each one of these 4 deployments succeeded and I can browse the homepage.

💯

Author

I have added documentation in the Parameters.md file and the Manage.md file.

Thank you so much for your quick follow-up. This is super! I'm merging this PR right after. Thanks again!

Author

You're welcome. Thanks for the great work you're doing!

Is DDoS protection included with all deployments automatically?

"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('vNetAddressSpace')]"
]
},
"ddosProtectionPlan": {
"id": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('moodleCommon').ddosPlanName)]"
},
"enableDdosProtection": "[parameters('moodleCommon').ddosSwitch]"
}
}
],
"variables": {
"documentation01": "This sub-template creates a Azure DDoS protection plan and link it to a vnet"
}
}
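Review bot: the `Microsoft.Network/virtualNetworks` resource redeclares the vnet with only `addressSpace` and the two DDoS properties. Resource Manager reapplies the full resource definition even in Incremental mode, so for a vnet that already exists anything omitted here (subnets, DNS settings, additional address prefixes) is not carried over. Please confirm the behaviour against an existing vnet that has subnets in use and more than one prefix, or restructure so this template does not have to restate the vnet. Two smaller points: the plan resource has a `condition` but the vnet resource does not, while its `dependsOn` and `ddosProtectionPlan.id` reference the plan unconditionally, so the template only works when the caller gates it on `ddosSwitch` (network.json does); and `location` comes from `resourceGroup().location`, which will not match an existing vnet created in a different region from its resource group. The two parameter descriptions also have "shoud" for "should".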
31 changes: 30 additions & 1 deletion nested/network.json
Expand Up @@ -27,11 +27,40 @@
}
}
},
{
"apiVersion": "2018-02-01",
"condition": "[parameters('moodleCommon').ddosSwitch]",
"dependsOn": [
"Microsoft.Resources/deployments/vnetTemplate"
],
"name": "ddosTemplate",
"subscriptionId": "[variables('vnetSub')]",
"resourceGroup": "[variables('vnetRg')]",
"properties": {
"mode": "Incremental",
"parameters": {
"moodleCommon": {
"value": "[parameters('moodleCommon')]"
},
"vnetName": {
"value": "[variables('vnetName')]"
},
"vNetAddressSpace": {
"value": "[if(equals(parameters('moodleCommon').customVnetId, ''), concat(parameters('moodleCommon').vNetAddressSpace,'/16'), reference(parameters('moodleCommon').customVnetId, '2017-10-01').addressSpace.addressPrefixes[0])]"
}
},
"templateLink": {
"uri": "[concat(parameters('moodleCommon').baseTemplateUrl,'network-vnet-ddos.json',parameters('moodleCommon').artifactsSasToken)]"
}
},
"type": "Microsoft.Resources/deployments"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"dependsOn": [
"Microsoft.Resources/deployments/vnetTemplate"
"Microsoft.Resources/deployments/vnetTemplate",
"Microsoft.Resources/deployments/ddosTemplate"
],
"name": "subnetTemplate",
"subscriptionId": "[variables('vnetSub')]",
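Review bot: `vNetAddressSpace` passes only `addressPrefixes[0]` of an existing vnet, and network-vnet-ddos.json then writes that single value back as the vnet's `addressPrefixes`, so a custom vnet with more than one prefix would be redeclared with just the first. Pass the whole prefix list through as an array parameter instead. Also, `ddosTemplate` uses `apiVersion` 2018-02-01 and puts `type` last, while the neighbouring `subnetTemplate` deployment uses 2017-05-10 with `type` first; align the new resource with the existing ones.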