Protect workloads with inline DDoS protection from Gateway Load Balancer partners

DDoS attacks are rapidly evolving in complexity and frequency. As we highlighted in our 2021 Q1 and Q2 DDoS attack trends review, we see that attacks in Azure have been trending toward shorter durations, mostly short-burst attacks. Workloads that are highly sensitive to latency, such as those in the multiplayer online gaming industry, cannot tolerate such short burst DDoS attacks, which can cause outages ranging from two to 10 seconds that result in availability disruption.

Today, we are announcing the preview of inline DDoS protection which will be offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer and integrated with Azure DDoS Protection Standard in all Azure regions. Inline DDoS protection mitigates even short-burst low-volume DDoS attacks instantaneously without impacting the availability or performance of highly latency-sensitive applications.

Azure DDoS Protection Standard is the recommended product to protect your resources against L3/4 attacks in Azure. Third-party inline L7 DDoS protection, combined with Azure DDoS Protection Standard, provides comprehensive L3 to L7 protection against volumetric as well as low-volume DDoS attacks. Azure customers using third-party DDoS protection services for inline mitigation now have the option to use the marketplace offering along with Azure DDoS Protection Standard. This solution enables comprehensive inline L7 DDoS protection for high performance and high availability scenarios using different providers.

Gateway Load Balancer enables the protection of such workloads by ensuring the relevant NVAs are injected into the ingress path of the internet traffic. Once chained to a Standard Public Load Balancer frontend or IP configuration on a virtual machine, no additional configuration is needed to ensure traffic to and from the application endpoint is sent to the Gateway Load Balancer.

Easily deploy inline DDoS protection with partner network virtual appliances

Deployment of inline DDoS NVA can be done in a few easy steps:

1. Find your virtual appliance in Azure Marketplace.

2. Deploy the NVA instances.

3. Create a Gateway Load Balancer and place the NVA instances in the backend pool.

4. Chain the Gateway Load Balancer to your public IP or Standard Load Balance frontend.

Gateway Load Balancer provides transparent flow (bump in the wire) using an overlay network with low latency, preserving the health of the host as well as the NVAs during the DDoS attacks.

Inbound traffic is always inspected with the NVAs in the path and the clean traffic is returned to the backend infrastructure (gamer servers).

Traffic flows from the consumer virtual network to the provider virtual network and then returns to the consumer virtual network. The consumer virtual network and provider virtual network can be in different subscriptions, tenants, or regions enabling greater flexibility and ease of management.

Enabling Azure DDoS Protection Standard on the VNET of the Standard Public Gateway Load Balancer frontend or VNET of the virtual machine will offer protection from L3/4 DDoS attacks.

1. Unfiltered game traffic from the internet is directed to the public IP of the game servers Gateway Load Balancer.

2. Unfiltered game traffic is redirected to the chained Gateway Load Balancer private IP.

3. The unfiltered game traffic is inspected for DDoS attacks in real-time through the partner NVAs.

4. Filtered game traffic is sent back to the game servers for final processing.

5. Azure DDoS Protection Standard on the gamer servers Gateway Load Balancer protects from L3/4 DDoS attacks and the DDoS protection policies are automatically tuned for game servers traffic profile and application scale.

Source: microsoft.com