Table of Contents

• Overview
• Available DDoS Tiers on MCS PaaS 2.0
• Azure Services
• Protected Resources
• Azure DDoS Implementation Process
• DDoS RACI
• High-Level Azure DDoS Implementation Steps for PaaS 2.0
• PaaS 2.0 Azure DDoS Implementation RACI – Initial Setup
• PaaS 2.0 Azure DDoS Implementation RACI – Ongoing
• Microsoft Documentation
• PaaS 2.0 Reference Architecture with DDoS

 

Overview 

This article describes the scope of services and support when requesting assistance implementing Azure DDoS IP Protection with your Managed Cloud PaaS 2.0 Deployment.

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Azure DDoS Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It's automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes.

Azure DDoS Protection protects at layer 3 and layer 4 network layers. For web applications protection at layer 7, you need to add protection at the application layer using a WAF offering.

Refer to the Microsoft Documentation section of this article for further details relating to the underlying Azure DDoS capabilities and frequently asked questions.

Available DDoS Tiers on MCS PaaS 2.0

Sitecore Managed Cloud Standard – PaaS 2.0 includes the optional Azure DDoS IP Protection provision. DDoS IP Protection is a pay-per-protected IP model.

Review the official Microsoft Azure DDoS documentation for a comprehensive Azure DDoS IP Protection feature overview.

Azure Services

Sitecore will deploy the Azure Services required to implement Azure DDoS while provisioning your Hub Environment. If your Hub Environment is already deployed, Azure DDoS can be requested via the Sitecore Managed Cloud ticketing system*.

*Subject to additional purchase

Review the following article for further details on the default Azure Services included in your Hub Environment:
Sitecore Managed Cloud Standard - PaaS 2.0. Topologies and tiers for Sitecore XP 10.3.1 and higher

Protected Resources

Sitecore Managed Cloud Standard – PaaS 2.0 includes the option to enable DDoS Protection for the following Azure resources within your Sitecore Managed Cloud Standard PaaS 2.0 Environments:

• Azure VPN Gateway
• Azure Bastion Host
• Azure Application Gateway

Note: Azure DDoS IP Protection cannot be enabled on a Basic Tier IP. If your VPN Gateway or Bastion Host are configured with Basic Tier IPs, these IPs will need to be upgraded to a Standard Tier (or higher). Changing IP tiers will incur additional Azure hosting fees.

Azure DDoS Implementation Process

1. Enable IP Protection for the VPN Gateway Public IP Address.
2. Enable IP Protection for the Azure Bastion Host Public IP Address.
3. Enable IP Protection for the Azure Application Gateway.
4. Configure the Diagnostic settings of the protected IPs to send all logs and Metrics to the log analytics workspace *.
5. Create a Metric Alert per IP to notify if the IP is under a DDoS attack.
6. Enable the WAF feature on Detection Mode **.

* This will increase the logs sent to the Hub Log Analytics workspace.
** Available to customers who are running the Sitecore Advanced Hub Only. The feature requires a managed rule set, which is only available with Azure Front Door Premium.

DDoS RACI

The charts on the following pages use the coding system outlined below:

• R = Responsible: Those who do the work to achieve the task.
• A = Accountable: The one ultimately answerable for the correct and thorough completion of the deliverable or task and the one who delegates the work to those responsible.
• C = Consulted: Those whose opinions are sought (i.e. subject matter experts) and with whom there is two-way communication.
• I = Informed: Those kept up-to-date on progress, often only on completing the task or deliverable.

 

High-Level Azure DDoS Implementation Steps for PaaS 2.0

RACI Description	Customer/Partner	Sitecore
Creation of the Azure DDoS IP Protection Pipeline	-	R, A
Azure DDoS IP Protection Pricing and Packaging	C, I	R, A
Determination of the applicability of the Azure DDoS IP Protection Services	R, A	C, I
Deploying Azure DDoS IP Protection  (see the Initial Setup Table below)	C, I	R, A
Customization of the initial DDoS Protection capabilities	R, A	C, I

* All Virtual Networks will be created by Sitecore during the initial Sitecore Environment provisioning process (spoke)

 

PaaS 2.0 Azure DDoS Implementation RACI – Initial Setup

Sitecore Hub Environment – Azure Bastion DDoS Protection	Customer/Partner	Sitecore
Request for Azure DDoS IP Protection	R, A	C, I
Initial Deployment of Azure DDoS IP Protection	C, I	R, A

 

Sitecore Hub Environment – VPN Gateway DDoS Protection	Customer/Partner	Sitecore
Creation of the Azure DDoS IP Protection Pipeline	R, A	C, I
Initial Deployment of Azure DDoS IP Protection	C, I	R, A

 

Sitecore Production Spoke Environment – Application Gateway	Customer/Partner	Sitecore
Request for Azure DDoS IP Protection	R, A	C, I
Initial Deployment of Azure DDoS IP Protection	C, I	R, A

 

Sitecore Hub Environment – Configuration of Diagnostic Settings	Customer/Partner	Sitecore
Configure the Diagnostic settings of the protected IPs to send all logs and Metrics to the log analytics workspace	C, I	R, A
Create a Metric Alert per IP to notify if the IP is under a DDoS attack	C, I	R, A
Enable the WAF feature on Detection Mode **	C, I	R, A

** Basic Hub = WAF with empty Rule Set / Advanced Hub = WAF with Managed Rule Set

 

PaaS 2.0 Azure DDoS Implementation RACI – Ongoing

Sitecore Hub Environment – Provisioning	Customer/Partner	Sitecore	Microsoft
Customizations of the initial DDoS Protection capabilities	R, A	C, I	-
Always on traffic monitoring [1]	I	I	R, A
Adaptive real-time tuning [1]	I	I	R, A
DDoS Protection analytics, metric and alerting [1]	I	I	R, A
Azure DDoS Rapid Response [2]	Not Available	-	-
Multi-Layered protection	I	C, I	R, A
Troubleshooting Sitecore application challenges related to DDoS Protection [3]	R, A	C, I	-
Assistance with production incidents related to DDoS Protection [4]	R, A	C, I	-

 

• [1] Delivered by Microsoft – Details can be found here.
• [2] Azure DDoS Rapid Response is only available with Azure DDoS Network Protection – Feature comparison can be found here.
• [3] In Sitecore Managed Cloud Standard, the customer is responsible for how the Sitecore application functions, and adding a DDoS Protection can impact the customer's implementation. It is the customer's responsibility to troubleshoot such challenges. The Sitecore Managed Cloud team is available to assist and might be able to help identify problem areas, but ultimately this lies with customers who have full access to their implementation source code and full context on how their Sitecore CD role operates.
• [4] The monitoring and evaluation of potential DDoS Protection security incidents are the responsibility of the customer. Sitecore recommends that the customer engage with security professionals with the understanding of their business and security protocols to interpret such events. The Sitecore Managed Cloud team is available to assist and might, by leveraging our relationship with Microsoft, be in a position to contribute to resolutions. The primary responsibility, however, lies with the customer.

 

Microsoft Documentation

Refer to the following links provided by Microsoft for a definitive guide to implementing Microsoft Azure DDoS:

• What is Azure DDoS Protection
• Azure DDoS Protection Tier Comparison
• Azure DDoS Protection Limitations
• Configure Azure DDoS Protection metric alerts through portal
• Azure DDoS Rapid Response
• Azure DDoS Frequently Asked Questions

 

PaaS 2.0 Reference Architecture with DDoS