Add clarity around usage of DDoS Standard plan in ESLZ #603

Closed
jtracey93 opened this issue Jun 2, 2021 · 7 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@jtracey93
Collaborator

In ESLZ a DDoS Standard plan is shown in the diagrams to be deployed in the connectivity subscriptions.

However, in the Virtual WAN & Hub and Spoke documentation there is no reference to the DDoS Standard plan.

As discussed with @victorar, this issue will track the updating of the documentation to detail the usage and limitations of the DDoS Standard plan in the above docs.

@jtracey93 jtracey93 added documentation Improvements or additions to documentation enhancement New feature or request labels Jun 2, 2021
@jtracey93 jtracey93 self-assigned this Jun 2, 2021
@jtracey93
Collaborator Author

PR created to update CAF documentation.

@pazdedav

pazdedav commented Jun 7, 2021

Considering that DDoS Standard has a flat fee of $2944 / month, I was wondering why the related policy is enabled by default and not exposed as a configuration option in the UI experience (like Enable Azure Defender or similar).
Any insights, @victorar or @jtracey93?

@krnese
Contributor

krnese commented Jun 8, 2021

Can you elaborate? In AdventureWorks, we allow you to select DDoS for the connectivity subscription, and we are leading with the recommendation (default set to enable, but you can disable). If enabled, we also provide the option to enforce DDoS on vnets created in the landing zones (also an option).

@victorar
Contributor

victorar commented Jun 8, 2021

That is correct, the recommendation is to deploy a DDoS Std plan to protect landing zone VNets with public IPs against DDoS attacks. By default, the UI recommends deploying this, but it allows opting out if organizations decide not to enable DDoS Std in their environments.

@pazdedav

pazdedav commented Jun 8, 2021

Sure. I have been mainly working with Contoso, where this selection is not available in the UX (and I believe the same applies to WingTip). I see the policyDef in policies.json but I can't find any related assignment in nested deployments.

Perhaps it is only a matter of consistency across reference implementations?

@jtracey93
Collaborator Author

Thanks for reporting this @pazdedav.

I went through all the reference implementations this morning and confirmed that only Adventure Works has the options for DDoS Std enablement.

We will review as a team and update.

@jtracey93
Collaborator Author

Just to provide an update here. We have discussed as a team and will be adding the DDoS Std to Contoso & WingTip in the future (being tracked separately already).

Also, the CAF documentation PR has been merged, so the docs now provide considerations and recommendations for DDoS Std for ESLZ.

With this I will close this issue 👍

@ghost ghost locked as resolved and limited conversation to collaborators Jan 11, 2022