Azure DDOS for web role?

Question

Can Azure DDOS Standard protect a cloud service web role?

My understanding is that Azure DDOS protection is on a Virtual Network basis, and Cloud Services can only be deployed to a Virtual Network "Classic", rather than the newer Resource-group types (unless that has changed?). There is no information I could find on whether DDOS standard could apply to the classic Virtual Networks.

We could also migrate the site to an App Service.. but there is also little information out there as to whether these are supported either. Any enlightenment would be welcomed.

(This is not an enterprise application, so enterprise-scale solutions are a non-starter...)

Answer 1

DDOS Standard SKU is not available for the classic Virtual networks. Unfortunately, Policies are applied to public IP addresses associated to resources deployed in virtual networks, such as Azure Load Balancer, Azure Application Gateway, and Azure Service Fabric instances, but this protection does not apply to App Service Environments.

For web based attacks, you can consider using Application Gateway WAF which has OWASP module to protect your Web Application from top web attacks.

Answer 2

Standard DDoS protection is an ARM offering and unfortunately can't be carried on to ASM.

Rest assured, all VNets deployed in Azure will natively possess a basic DDoS protection. Over which you can further add to the protection via the Standard SKU.

I would recommend that you switch over to the ARM from classic. Giving you greater control over your deployments. Cause there are a host of metrics that are available along with the Standard SKU that you can consume and would not be available on ASM/Classic.

But, I would recommend that you also factor the cost. It's quite a hefty price tag on the standard DDoS protection. If you think otherwise, you can think of WAF as suggested by @Msrini else deploy your own firewall and do the filtering by configuring the routes.