You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/ddos-protection/ddos-optimization-guide.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,7 +31,7 @@ Cost optimization for DDoS protection requires understanding your risk profile a
31
31
|**Develop a comprehensive asset inventory** that catalogs all public IP addresses and their business criticality levels. | A complete inventory enables risk-based protection decisions and prevents both over-provisioning expensive protection and leaving critical assets unprotected. You can prioritize protection investments based on actual business impact. |
32
32
|**Establish clear accountability** for protection decisions with defined roles for security, operations, and finance teams. | Clear accountability ensures protection decisions consider both security requirements and budget constraints. Collaborative decision-making prevents siloed choices that might compromise security or exceed budgets. |
33
33
|**Create realistic budgets** that account for both immediate protection needs and planned growth in public-facing resources. | Proper budgeting enables predictable protection costs and prevents reactive decisions during security incidents. You can plan protection expansion as your infrastructure grows. |
34
-
|**Implement [risk assessment frameworks](/azure/cloud-adoption-framework/govern/security-baseline/risk-tolerance)** that define minimum protection levels and standardized policies for different asset types. | Risk-based frameworks provide structured approaches to evaluate DDoS attack risks while ensuring consistent protection decisions. They help identify critical assets, assess vulnerabilities, and determine appropriate protection measures based on business impact and risk tolerance, preventing both under-protection of critical assets and over-protection of low-risk resources. |
34
+
|**Implement [risk assessment frameworks](/azure/cloud-adoption-framework/govern/security-baseline/assess-cloud-risks)** that define minimum protection levels and standardized policies for different asset types. | Risk-based frameworks provide structured approaches to evaluate DDoS attack risks while ensuring consistent protection decisions. They help identify critical assets, assess vulnerabilities, and determine appropriate protection measures based on business impact and risk tolerance, preventing both under-protection of critical assets and over-protection of low-risk resources. |
35
35
36
36
## Choose the right protection model
37
37
@@ -51,7 +51,7 @@ Optimize your architecture to reduce the number of public IP addresses requiring
51
51
|---|---|
52
52
|**Consolidate public-facing services** behind [Azure Load Balancer](/azure/load-balancer/) or [Application Gateway](/azure/application-gateway/) to reduce the total number of public IP addresses. | Fewer public IP addresses require protection, directly reducing expenses. Consolidation also improves security by reducing attack surface and simplifies protection management. |
53
53
|**Use network segmentation such as [Azure Private Link](/azure/private-link/) and [virtual network peering](/azure/virtual-network/virtual-network-peering-overview)** to separate public-facing and internal resources. | You can focus protection spending on genuinely public-facing resources while using private connectivity for internal communications. This eliminates DDoS protection needs on internal paths, reducing costs while improving security. |
54
-
|**Design application architecture** to minimize direct public IP exposure through proper use of [reverse proxies](/azure/architecture/patterns/reverse-proxy) and [content delivery networks](/azure/cdn/). | Architectural efficiency reduces the protection scope and associated costs. You can often protect an entire application through a single or few public endpoints rather than exposing multiple services directly. |
54
+
|**Design application architecture** to minimize direct public IP exposure through proper use of [load balancing](/azure/architecture/guide/technology-choices/load-balancing-overview) and [content delivery networks](/azure/cdn/). | Architectural efficiency reduces the protection scope and associated costs. You can often protect an entire application through a single or few public endpoints rather than exposing multiple services directly. |
55
55
56
56
## Optimize resource utilization
57
57
@@ -68,7 +68,7 @@ Protection needs change as your infrastructure evolves. Set up continuous monito
68
68
69
69
| Recommendation | Benefit |
70
70
|---|---|
71
-
|**Set up cost alerts** when DDoS protection spending approaches predefined budget thresholds. | Proactive notifications prevent budget overruns and enable timely adjustments to protection strategy. You can respond to cost increases before they impact other initiatives. To create cost alerts, see [Monitor usage and spending with cost alerts in Cost Management](/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md). |
71
+
|**Set up cost alerts** when DDoS protection spending approaches predefined budget thresholds. | Proactive notifications prevent budget overruns and enable timely adjustments to protection strategy. You can respond to cost increases before they impact other initiatives. To create cost alerts, see [Monitor usage and spending with cost alerts in Cost Management](/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending). |
72
72
|**Conduct quarterly reviews** of protected resources and their business criticality to identify optimization opportunities. | Regular reviews ensure protection investments remain aligned with business priorities. You can identify resources that no longer need protection or require upgraded protection based on changing importance. |
73
73
|**Monitor attack patterns** and protection effectiveness to optimize coverage decisions. [View alerts in Microsoft Defender for Cloud](ddos-view-alerts-defender-for-cloud.md) and utilize [DDoS Protection logs in Log Analytics workspace](ddos-view-diagnostic-logs.md). | Understanding actual threat patterns enables data-driven protection decisions. You can adjust protection levels based on real attack data rather than theoretical risks. |
74
74
|**Track protection ROI and implement lifecycle management** using [cost management best practices](/azure/cost-management-billing/costs/cost-analysis-common-uses) to measure value and decommission unnecessary protection. | ROI measurement demonstrates protection value and guides future investment decisions. Regular cleanup of inactive or non-critical resources prevents spending growth that doesn't align with business value while freeing budget for higher-priority resources. |
0 commit comments