Merge pull request #241711 from AbdullahBell/ddos-architecture-update

prmerger-automator[bot] · web-flow · commit 755542397c17 · 2023-06-15T20:16:38.000Z
DDoS Protection: Update: Azure DDoS Protection reference architectures
diff --git a/articles/ddos-protection/ddos-protection-reference-architectures.md b/articles/ddos-protection/ddos-protection-reference-architectures.md
@@ -6,7 +6,7 @@ author: AbdullahBell
 ms.service: ddos-protection
 ms.topic: conceptual
 ms.workload: infrastructure-services
-ms.date: 10/12/2022
+ms.date: 06/15/2023
 ms.author: abell
 ms.custom: fasttrack-edit, ignite-2022
 ---
@@ -15,12 +15,33 @@ ms.custom: fasttrack-edit, ignite-2022
 
 Azure DDoS Protection is designed [for services that are deployed in a virtual network](../virtual-network/virtual-network-for-azure-services.md). The following reference architectures are arranged by scenarios, with architecture patterns grouped together.
 
-> [!NOTE]
-> Protected resources include public IPs attached to an IaaS VM (except for single VM running behind a public IP), Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Firewall, Bastion, VPN Gateway, Service Fabric, IaaS based Network Virtual Appliance (NVA) or Azure API Management (Premium tier only), connected to a virtual network (VNet) in the external mode. Protection also covers public IP ranges brought to Azure via Custom IP Prefixes (BYOIPs). PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than those supported above, or Azure Virtual WAN are not supported at present.
+## Protected Resources
+
+Supported resources include:
+* Public IPs attached to:
+    * An IaaS virtual machine.
+    * Application Gateway (including WAF) cluster.
+    * Azure API Management (Premium tier only).
+    * Bastion.
+    * Connected to a virtual network (VNet) in the external mode. 
+    * Firewall.
+    * IaaS based Network Virtual Appliance (NVA). 
+    * Load Balancer (Classic & Standard Load Balancers).
+    * Service Fabric.
+    * VPN Gateway.
+* Protection also covers public IP ranges brought to Azure via Custom IP Prefixes (BYOIPs). 
+
+    
+Unsupported resources include:
+
+* Azure Virtual WAN.
+* Azure API Management in deployment modes other than the supported modes.
+* PaaS services (multi-tenant) including Azure App Service Environment for Power Apps.
+* Protected resources that include public IPs created from public IP address prefix.
+
 
 > [!NOTE]
-> * Protected resources that include public IPs created from public IP address prefix are not supported at present.
-> * For web workloads, we highly recommend utilizing [**Azure DDoS protection**](../ddos-protection/ddos-protection-overview.md) and a [**web application firewall**](../web-application-firewall/overview.md) to safeguard against emerging DDoS attacks. Another option is to deploy [**Azure Front Door**](../frontdoor/web-application-firewall.md) along with a web application firewall. Azure Front Door offers platform-level [**protection against network-level DDoS attacks**](../frontdoor/front-door-ddos.md).
+> For web workloads, we highly recommend utilizing [**Azure DDoS protection**](../ddos-protection/ddos-protection-overview.md) and a [**web application firewall**](../web-application-firewall/overview.md) to safeguard against emerging DDoS attacks. Another option is to deploy [**Azure Front Door**](../frontdoor/web-application-firewall.md) along with a web application firewall. Azure Front Door offers platform-level [**protection against network-level DDoS attacks**](../frontdoor/front-door-ddos.md).
 
 ## Virtual machine (Windows/Linux) workloads
 
