Prevent Azure DDOS protection deployment

Azure DDoS Protection can be useful, but in many environments it is simply an unnecessary extra cost. If nobody should be able to enable it, the simplest solution is a custom Azure Policy definition with the ‘deny’ effect.

In this case I want to block two things:

  • creation of DDoS Protection plans
  • enabling DDoS Protection on VNets

Policy 1: Deny Azure DDoS Protection plan creation

This policy blocks creation of Microsoft.Network/ddosProtectionPlans resources.

{
	"properties": {
		"displayName": "Deny Azure DDoS Protection Plan Creation",
		"policyType": "Custom",
		"mode": "All",
		"description": "Prevents creation of expensive Azure DDoS Protection plans to keep costs under control.",
		"policyRule": {
			"if": {
				"field": "type",
				"equals": "Microsoft.Network/ddosProtectionPlans"
			},
			"then": {
				"effect": "deny"
			}
		}
	}
}

Policy 2: Deny DDoS Protection on virtual networks

The second policy blocks enabling DDoS Network Protection on a VNet.

{
	"properties": {
		"displayName": "Deny DDoS Protection on Virtual Networks",
		"policyType": "Custom",
		"mode": "All",
		"description": "Prevents enabling DDoS Network Protection on virtual networks.",
		"policyRule": {
			"if": {
				"allOf": [
					{
						"field": "type",
						"equals": "Microsoft.Network/virtualNetworks"
					},
					{
						"field": "Microsoft.Network/virtualNetworks/enableDdosProtection",
						"equals": true
					}
				]
			},
			"then": {
				"effect": "deny"
			}
		}
	}
}
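
To sanity-check both rules before assigning them, here is an added Python dry-run evaluator (not code from the post or from Azure) that applies the two policyRule blocks above to constructed sample resources. It assumes a simplified alias resolution (type prefix stripped, remainder looked up under properties) and implements only the field/equals and allOf operators.

```python
# Offline dry run of the two policy rules above against sample ARM resources.
# Added example, not from the post: it implements only the 'field'/'equals' and
# 'allOf' operators of the Azure Policy language, and maps an alias such as
# '<type>/enableDdosProtection' onto properties.enableDdosProtection (simplified).

DENY_PLAN_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Network/ddosProtectionPlans"},
    "then": {"effect": "deny"},
}
DENY_VNET_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        {"field": "Microsoft.Network/virtualNetworks/enableDdosProtection",
         "equals": True},
    ]},
    "then": {"effect": "deny"},
}

def resolve_field(resource, field):
    """Return the value a policy 'field' refers to on the resource (or None)."""
    rtype = resource.get("type", "")
    if field == "type":
        return rtype
    prefix = rtype.lower() + "/"
    if field.lower().startswith(prefix):  # alias -> properties.<name>
        return resource.get("properties", {}).get(field[len(prefix):])
    return None

def matches(condition, resource):
    """Evaluate a condition; Azure Policy compares values case-insensitively."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    actual = resolve_field(resource, condition["field"])
    return str(actual).lower() == str(condition["equals"]).lower()

def evaluate(rule, resource):
    """Return the rule's effect when its 'if' block matches, else 'allow'."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else "allow"

# Constructed sample resources, not real deployments.
PLAN = {"type": "Microsoft.Network/ddosProtectionPlans", "name": "plan1"}
VNET_ON = {"type": "Microsoft.Network/virtualNetworks",
           "properties": {"enableDdosProtection": True}}
VNET_OFF = {"type": "Microsoft.Network/virtualNetworks",
            "properties": {"enableDdosProtection": False}}

if __name__ == "__main__":
    print(evaluate(DENY_PLAN_RULE, PLAN), evaluate(DENY_VNET_RULE, VNET_ON),
          evaluate(DENY_VNET_RULE, VNET_OFF))  # deny deny allow
```

Remember that the real deny effect only rejects create and update requests: a VNet that already had DDoS Protection enabled before the assignment is reported as non-compliant, not changed.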

Conclusion

This is a small control, but useful if you want to avoid accidental extra cost. If DDoS Protection is not part of the approved design, then it is better to block it centrally instead of relying on documentation or manual review.

This post is licensed under CC BY 4.0 by the author.