Merge pull request #232399 from MicrosoftDocs/release-ga-ddos-ip

Release ga ddos ip--scheduled release at 8am of 3/29

Author: huypub

articles/api-management/protect-with-ddos-protection.md

@@ -57,7 +57,7 @@ Depending on the DDoS Protection plan you use, enable DDoS protection on the vir
 
 ### Enable DDoS protection on the API Management public IP address
 
-If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection Preview for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-preview-for-an-existing-public-ip-address).
+If your plan uses the IP DDoS Protection SKU, see [Enable DDoS IP Protection for a public IP address](../ddos-protection/manage-ddos-protection-powershell-ip.md#disable-ddos-ip-protection-for-an-existing-public-ip-address).
 
 ## Next steps
 

articles/ddos-protection/TOC.yml

@@ -26,8 +26,15 @@
       expanded: true
   - name: DDoS IP Protection
     items:
+    - name: Portal
+      href: manage-ddos-ip-protection-portal.md
     - name: PowerShell
       href: manage-ddos-protection-powershell-ip.md
+    - name: CLI
+      href: manage-ddos-ip-protection-cli.md
+    - name: ARM template
+      displayName: Resource Manager
+      href: manage-ddos-ip-protection-template.md           
       expanded: true
 
 - name: Tutorials

articles/ddos-protection/alerts.md

@@ -20,7 +20,7 @@ In this article, you'll learn how to configure metrics alerts through Azure Moni
 ## Prerequisites
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection (Preview)](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
+- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
 - DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this How-To guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine.     
 
 ## Configure metric alerts through portal

articles/ddos-protection/ddos-diagnostic-alert-templates.md

@@ -19,7 +19,7 @@ In this article, you'll learn how to configure diagnostic logging alerts through
 ## Prerequisites
 
 - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection (Preview)](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
+- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
 - In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md). 
 - DDoS Protection monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine. 
 

articles/ddos-protection/ddos-protection-overview.md

@@ -35,7 +35,7 @@ Azure DDoS Protection applies three auto-tuned mitigation policies (TCP SYN, TCP
 
 ## SKU
 
-Azure DDoS Protection is offered in two available SKUs, DDoS IP Protection Preview and DDoS Network Protection. For more information about the SKUs, see [SKU comparison](ddos-protection-sku-comparison.md).
+Azure DDoS Protection is offered in two available SKUs, DDoS IP Protection and DDoS Network Protection. For more information about the SKUs, see [SKU comparison](ddos-protection-sku-comparison.md).
 
 
 ### Native platform integration

articles/ddos-protection/ddos-protection-reference-architectures.md

@@ -37,7 +37,7 @@ The load balancer distributes incoming internet requests to the VM instances. Vi
 
  DDoS Network Protection is enabled on the virtual network of the Azure (internet) load balancer that has the public IP associated with it.
 
-#### DDoS IP Protection Preview virtual machine architecture
+#### DDoS IP Protection virtual machine architecture
 
 :::image type="content" source="./media/reference-architectures/ddos-ip-protection-virtual-machine.png" alt-text="Diagram of the DDoS IP Protection reference architecture for an application running on load-balanced virtual machines.":::
 
@@ -53,7 +53,7 @@ There are many ways to implement an N-tier architecture. The following diagrams
 
  In this architecture diagram DDoS Network Protection is enabled on the virtual network. All public IPs in the virtual network get DDoS protection for Layer 3 and 4. For Layer 7 protection, deploy Application Gateway in the WAF SKU. For more information on this reference architecture, see
 [Windows N-tier application on Azure](/azure/architecture/reference-architectures/virtual-machines-windows/n-tier).
-#### DDoS IP Protection Preview Windows N-tier architecture
+#### DDoS IP Protection Windows N-tier architecture
 
 :::image type="content" source="./media/reference-architectures/ddos-ip-protection-n-tier.png" alt-text="Diagram of the DDoS IP Protection reference architecture for an application running on Windows N-tier." lightbox="./media/reference-architectures/ddos-ip-protection-n-tier.png":::
 
@@ -81,7 +81,7 @@ For more information about this reference architecture, see [Highly available mu
 
  In this architecture diagram DDoS Network Protection is enabled on the web app gateway virtual network.
 
-#### DDoS IP Protection Preview with PaaS web application architecture
+#### DDoS IP Protection with PaaS web application architecture
 
 :::image type="content" source="./media/reference-architectures/ddos-ip-protection-paas-web-app.png" alt-text="Diagram of DDoS IP Protection reference architecture for a PaaS web application." lightbox="./media/reference-architectures/ddos-ip-protection-paas-web-app.png":::
 
@@ -116,7 +116,7 @@ DDoS Protection is designed for services that are deployed in a virtual network.
 
  In this architecture diagram Azure DDoS Network Protection is enabled on the hub virtual network.
 
-#### DDoS IP Protection Preview hub-and-spoke network
+#### DDoS IP Protection hub-and-spoke network
 
 :::image type="content" source="./media/reference-architectures/ddos-ip-protection-azure-firewall-bastion.png" alt-text="Diagram showing DDoS IP Protection Hub-and-spoke architecture with firewall, bastion, and DDoS Protection." lightbox="./media/reference-architectures/ddos-ip-protection-azure-firewall-bastion.png":::
 

articles/ddos-protection/ddos-protection-sku-comparison.md

@@ -19,13 +19,10 @@ The sections in this article discuss the resources and settings of Azure DDoS Pr
 
 Azure DDoS Network Protection, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It's automatically tuned to help protect your specific Azure resources in a virtual network. For more information about enabling DDoS Network Protection, see [Quickstart: Create and configure Azure DDoS Network Protection using the Azure portal](manage-ddos-protection.md).
 
-## DDoS IP Protection Preview
+## DDoS IP Protection 
 
  DDoS IP Protection is a pay-per-protected IP model. DDoS IP Protection contains the same core engineering features as DDoS Network Protection, but will differ in the following value-added services: DDoS rapid response support, cost protection, and discounts on WAF. For more information about enabling DDoS IP Protection, see [Quickstart: Create and configure Azure DDoS IP Protection using Azure PowerShell](manage-ddos-protection-powershell-ip.md).
 
-> [!NOTE]
-> DDoS IP Protection is currently only available in Azure Preview PowerShell.
-
 ## SKUs
 
 Azure DDoS Protection supports two SKU Types, DDoS IP Protection and DDoS Network Protection. The SKU is configured in the Azure portal during the workflow when you configure Azure DDoS Protection.
@@ -57,6 +54,22 @@ The following table shows features and corresponding SKUs.
 >[!Note]
 >At no additional cost, Azure DDoS infrastructure protection protects every Azure service that uses public IPv4 and IPv6 addresses. This DDoS protection service helps to protect all Azure services, including platform as a service (PaaS) services such as Azure DNS. For more information on supported PaaS services, see [DDoS Protection reference architectures](ddos-protection-reference-architectures.md). Azure DDoS infrastructure protection requires no user configuration or application changes. Azure provides continuous protection against DDoS attacks. DDoS protection does not store customer data.
 
+## Limitations
+
+DDoS Network Protection and DDoS IP Protection have the following limitations:
+
+- PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than those supported above, or Azure Virtual WAN aren't currently supported. 
+- Protecting a public IP resource attached to a Virtual Network Gateway or NAT Gateway isn't supported.
+- Virtual machines in Classic/RDFE deployments aren't supported.
+- Scenarios in which a single VM is running behind a public IP isn't supported. 
+- Protected resources that include public IP address prefix, or public IP created from public IP address prefix aren't supported. Azure Load Balancer with a public IP created from a public IP prefix is supported.
+
+DDoS IP Protection is similar to Network Protection, but has the following additional limitation:
+
+- Public IP Basic SKU protection isn't supported. 
+
+
+For more information, see [Azure DDoS Protection reference architectures](./ddos-protection-reference-architectures.md).
 
 ## Next steps
 

articles/ddos-protection/ddos-view-alerts-defender-for-cloud.md

@@ -24,7 +24,7 @@ To view the alerts, open **Defender for Cloud** in the Azure portal and select *
 ## Prerequisites
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection (Preview)](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
+- [DDoS Network Protection](manage-ddos-protection.md) must be enabled on a virtual network or [DDoS IP Protection](manage-ddos-protection-powershell-ip.md) must be enabled on a public IP address. 
 
 ## View alerts in Microsoft Defender for Cloud
 

articles/ddos-protection/manage-ddos-ip-protection-cli.md

@@ -0,0 +1,115 @@
+---
+title: 'Quickstart: Create and configure Azure DDoS IP Protection using Azure CLI'
+description: Learn how to create Azure DDoS IP Protection using Azure CLI
+author: AbdullahBell
+ms.author: abell
+ms.service: ddos-protection
+ms.topic: quickstart 
+ms.date: 03/09/2023
+ms.workload: infrastructure-services
+ms.custom: template-quickstart 
+# Customer intent As an IT admin, I want to learn how to enable DDoS IP Protection on my public IP address.
+---
+
+# Quickstart: Create and configure Azure DDoS IP Protection using Azure CLI
+
+Get started with Azure DDoS IP Protection by using Azure CLI.
+In this quickstart, you'll enable DDoS IP protection and link it to a public IP address.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- Azure CLI installed locally or Azure Cloud Shell
+
+[!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)]
+
+If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.56 or later. To find the version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI]( /cli/azure/install-azure-cli).
+
+
+## Create a resource group
+
+In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.
+
+To create a resource group, use [az group create](/cli/azure/group#az-group-create). In this example, we'll name our resource group _MyResourceGroup_ and use the _East US_ location:
+
+```azurecli-interactive
+    az group create \
+        --name MyResourceGroup \
+        --location eastus
+```
+
+## Enable DDoS IP Protection on a public IP address
+
+### New public IP address
+
+You can enable DDoS IP Protection when creating a public IP address. In this example, we'll name our public IP address _myStandardPublicIP_: 
+
+```azurecli-interactive
+    az network public-ip create \
+        --resource-group MyResourceGroup \
+        --name myStandardPublicIP \
+        --location eastus \
+        --allocation-method Static \
+        --sku Standard \
+        --ddos-protection-mode Enabled
+```
+
+### Existing public IP address
+
+You can enable DDoS IP Protection on an existing public IP address.
+
+```azurecli-interactive
+    az network public-ip update \
+        --resource-group MyResourceGroup \
+        --name myStandardPublicIP \
+        --ddos-protection-mode Enabled
+```
+
+### Disable DDoS IP Protection:
+
+You can disable DDoS IP Protection on an existing public IP address.
+
+```azurecli-interactive
+    az network public-ip update \
+        --resource-group MyResourceGroup \
+        --name myStandardPublicIP \
+        --ddos-protection-mode Disabled 
+    
+```
+>[!Note]
+>When changing DDoS IP protection from **Enabled** to **Disabled**, telemetry for the public IP resource will not be available.
+
+## Validate and test
+
+Check the details of your DDoS IP Protection:
+
+```azurecli-interactive
+    az network public-ip show \
+        --resource-group MyResourceGroup \
+        --name myStandardPublicIP
+```
+
+Under **ddosSettings**, Verify **protectionMode** as **Enabled**.
+
+## Clean up resources
+
+You can keep your resources for the next guide. If no longer needed, delete the _MyResourceGroup_ resource group. When you delete the resource group, you also delete all its related resources.
+
+When deleting the resource group, use [az group delete](/cli/azure/group#az-group-delete):
+
+```azurecli-interactive
+    az group delete \
+        --name MyResourceGroup 
+```
+
+## Next steps
+
+In this quickstart, you created:
+* A resource group 
+* A public IP address 
+* Enabled DDoS IP Protection using Azure CLI.
+
+To learn how to configure telemetry for DDoS Protection, continue to the how-to guides.
+
+> [!div class="nextstepaction"]
+> [Configure diagnostic logging alerts](ddos-diagnostic-alert-templates.md)