turbot/steampipe-mod-azure-compliance

Control: 8.5 Ensure Azure DDoS Network Protection is enabled on virtual networks

Description

Azure DDoS Network Protection defends resources in virtual networks against distributed denial-of-service (DDoS) attacks.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining the appropriateness of enabling Azure DDoS Network Protection depends on the context and requirements of each organization and environment.

Remediation

Remediate from Azure Portal

  1. Go to Virtual networks.
  2. Click the name of a virtual network.
  3. Under Settings, click DDoS protection.
  4. Next to DDoS Network Protection, click Enable.
  5. Provide a DDoS protection plan resource ID, or select a DDoS protection plan from the drop-down menu.
  6. Click Save.
  7. Repeat steps 1-6 for each virtual network requiring remediation.

Remediate from Azure CLI

For each virtual network requiring remediation, run the following command to enable DDoS protection:

az network vnet update --resource-group <resource-group> --name <virtualnetwork> --ddos-protection true --ddos-protection-plan <ddos-protection-plan>

Default Value

DDoS protection is disabled by default.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_8_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_5 --share

SQL

This control uses a named query:

-- Virtual networks that host an Application Gateway subnet; the 9th '/'-separated
-- field of a subnet resource ID is the virtual network name.
with application_gateway_subnet as (
  select
    distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name
  from
    azure_application_gateway as ag,
    jsonb_array_elements(gateway_ip_configurations) as c
)
select
  a.name as resource,
  case
    when b.vn_name is null then 'ok'
    when b.vn_name is not null and enable_ddos_protection::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vn_name is null then 'DDoS protection not required.'
    when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'
    else a.name || ' DDoS protection disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_virtual_network as a
  left join application_gateway_subnet as b on a.name = b.vn_name
  left join azure_subscription as sub on sub.subscription_id = a.subscription_id;
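The decision logic of the query above, reproduced as an added Python example (not the mod's own code) over constructed sample rows standing in for the azure_application_gateway and azure_virtual_network tables. It shows why split_part(..., '/', 9) yields the virtual network name and how a NULL enable_ddos_protection falls through to 'alarm'.

```python
from typing import Optional

# Constructed sample data; no Azure connection is used.
SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def subnet_id(rg: str, vnet: str, subnet: str) -> str:
    """Build an Azure subnet resource ID in the documented ARM format."""
    return (f"/subscriptions/{SUB_ID}/resourceGroups/{rg}/providers/"
            f"Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


def vnet_name_from_subnet_id(sid: str) -> Optional[str]:
    """Equivalent of split_part(id, '/', 9): field 1 is the empty string before
    the leading slash, so the 1-indexed 9th field is parts[8], the VNet name."""
    parts = sid.split("/")
    if len(parts) < 9 or parts[7].lower() != "virtualnetworks":
        return None
    return parts[8]


def evaluate(app_gateways, virtual_networks):
    """Return (resource, status, reason) per VNet, mirroring the control's CASE logic."""
    # CTE application_gateway_subnet: distinct VNet names hosting an App Gateway subnet
    gateway_vnets = set()
    for ag in app_gateways:
        for cfg in ag["gateway_ip_configurations"]:
            name = vnet_name_from_subnet_id(cfg["properties"]["subnet"]["id"])
            if name:
                gateway_vnets.add(name)
    results = []
    for vn in virtual_networks:
        name = vn["name"]
        ddos = bool(vn.get("enable_ddos_protection"))  # NULL::bool is not true -> else branch
        if name not in gateway_vnets:               # left join produced no match
            results.append((name, "ok", "DDoS protection not required."))
        elif ddos:
            results.append((name, "ok", f"{name} DDoS protection enabled."))
        else:
            results.append((name, "alarm", f"{name} DDoS protection disabled."))
    return results


APP_GATEWAYS = [  # constructed rows: two gateways, one subnet each
    {"name": "agw-web", "gateway_ip_configurations": [
        {"properties": {"subnet": {"id": subnet_id("rg-web", "vnet-web", "snet-agw")}}}]},
    {"name": "agw-api", "gateway_ip_configurations": [
        {"properties": {"subnet": {"id": subnet_id("rg-api", "vnet-api", "snet-agw")}}}]},
]
VIRTUAL_NETWORKS = [  # constructed rows: enable_ddos_protection False / True / NULL
    {"name": "vnet-web", "enable_ddos_protection": False},
    {"name": "vnet-api", "enable_ddos_protection": True},
    {"name": "vnet-internal", "enable_ddos_protection": None},
]

if __name__ == "__main__":
    for row in evaluate(APP_GATEWAYS, VIRTUAL_NETWORKS):
        print(row)
```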

Tags