🛡️ Azure Virtual Network has DDoS Network Protection disabled🟢

• Contextual name: 🛡️ Virtual Network has DDoS Network Protection disabled🟢
• ID: /ce/ca/azure/virtual-network/ddos-protection
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure Virtual Network
  • 🔌 Azure Virtual Network - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

This policy identifies Azure Virtual Network that have DDoS Network Protection disabled. Azure DDoS Network Protection defends resources in virtual networks against distributed denial-of-service (DDoS) attacks.

While an automated assessment procedure exists for this recommendation, the assessment status remains manual. Determining the appropriateness of enabling Azure DDoS Network Protection depends on the context and requirements of each organization and environment.

Rationale

Virtual networks and resources are protected against attacks, helping to ensure reliability and availability for critical workloads.

Impact

Azure DDoS Network Protection incurs a significant fixed monthly charge, with additional charges if more than 100 public IP resources are protected. Careful consideration and analysis should be applied before enabling DDoS protection. Refer to https://azure.microsoft.com/en-us/pricing/details/ddos-protection for detailed pricing information.

Audit

This policy marks an Azure Virtual Network as INCOMPLIANT if it has disabled DDoS Network Protection.

... see more

Remediation

Open File

Remediation

Azure Portal

1. Go to Virtual networks.
2. Click the name of a virtual network.
3. Under Settings, click DDoS protection.
4. Next to DDoS Network Protection, click Enable.
5. Provide a DDoS protection plan resource ID, or select a DDoS protection plan from the drop-down menu.
6. Click Save.
7. Repeat steps 1-6 for each virtual network requiring remediation.

Azure CLI

For each virtual network requiring remediation, run the following command to enable DDoS protection:

```sh
az network vnet update --resource-group <resource-group> --name <virtual-network> --ddos-protection true --ddos-protection-plan <ddos-protection-plan>
```

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 8.5 Ensure Azure DDoS Network Protection is enabled on virtual networks (Automated)			1		no data
💼 Cloudaware Framework → 💼 System Configuration			46		no data