|
| 1 | +--- |
| 2 | +title: 'Tutorial: Protect your VPN gateway with Azure DDoS Protection Standard' |
| 3 | +titleSuffix: Azure VPN Gateway |
| 4 | +description: Learn how to set up a VPN gateway and protect it with Azure DDoS protection |
| 5 | +author: asudbring |
| 6 | +ms.author: allensu |
| 7 | +ms.service: vpn-gateway |
| 8 | +ms.topic: tutorial |
| 9 | +ms.date: 01/25/2023 |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +# Tutorial: Protect your VPN gateway with Azure DDoS Protection Standard |
| 14 | + |
| 15 | +This article helps you create an Azure VPN Gateway with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your VPN gateway from large scale DDoS attacks. |
| 16 | + |
| 17 | +> [!IMPORTANT] |
| 18 | +> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md). |
| 19 | +
|
| 20 | +In this tutorial, you learn how to: |
| 21 | + |
| 22 | +> [!div class="checklist"] |
| 23 | +> * Create a DDoS protection plan |
| 24 | +> * Create a virtual network |
| 25 | +> * Enable DDoS protection on the virtual network |
| 26 | +> * Create a VPN gateway |
| 27 | +> * View the gateway public IP address |
| 28 | +> * Resize a VPN gateway (resize SKU) |
| 29 | +> * Reset a VPN gateway |
| 30 | +
|
| 31 | +The following diagram shows the virtual network and the VPN gateway created as part of this tutorial. |
| 32 | + |
| 33 | +:::image type="content" source="./media/tutorial-create-gateway-portal/gateway-diagram.png" alt-text="Diagram showing VNet and VPN gateway."::: |
| 34 | + |
| 35 | +## Prerequisites |
| 36 | + |
| 37 | +An Azure account with an active subscription. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). |
| 38 | + |
| 39 | +## <a name="CreatVNet"></a>Create a virtual network |
| 40 | + |
| 41 | +Create a VNet using the following values: |
| 42 | + |
| 43 | +* **Resource group:** TestRG1 |
| 44 | +* **Name:** VNet1 |
| 45 | +* **Region:** (US) East US |
| 46 | +* **IPv4 address space:** 10.1.0.0/16 |
| 47 | +* **Subnet name:** FrontEnd |
| 48 | +* **Subnet address space:** 10.1.0.0/24 |
| 49 | + |
| 50 | +[!INCLUDE [Create a virtual network](../../includes/vpn-gateway-basic-vnet-rm-portal-include.md)] |
| 51 | + |
| 52 | +## Create a DDoS protection plan |
| 53 | + |
| 54 | +1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**. |
| 55 | + |
| 56 | +1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information: |
| 57 | + |
| 58 | + | Setting | Value | |
| 59 | + |--|--| |
| 60 | + | **Project details** | | |
| 61 | + | Subscription | Select your Azure subscription. | |
| 62 | + | Resource group | Select **TestRG1**. | |
| 63 | + | **Instance details** | | |
| 64 | + | Name | Enter **myDDoSProtectionPlan**. | |
| 65 | + | Region | Select **East US**. | |
| 66 | + |
| 67 | +1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan. |
| 68 | + |
| 69 | +## Enable DDoS protection |
| 70 | + |
| 71 | +Azure DDoS protection Standard is enabled at the virtual network where the resource you want to protect reside. |
| 72 | + |
| 73 | +1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results. |
| 74 | + |
| 75 | +2. Select **VNet1**. |
| 76 | + |
| 77 | +3. Select **DDoS protection** in **Settings**. |
| 78 | + |
| 79 | +4. Select **Enable**. |
| 80 | + |
| 81 | +5. In the pull-down box in DDoS protection plan, select **myDDoSProtectionPlan**. |
| 82 | + |
| 83 | +6. Select **Save**. |
| 84 | + |
| 85 | +## <a name="VNetGateway"></a>Create a VPN gateway |
| 86 | + |
| 87 | +In this step, you create the virtual network gateway (VPN gateway) for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. |
| 88 | + |
| 89 | +Create a virtual network gateway using the following values: |
| 90 | + |
| 91 | +* **Name:** VNet1GW |
| 92 | +* **Region:** East US |
| 93 | +* **Gateway type:** VPN |
| 94 | +* **VPN type:** Route-based |
| 95 | +* **SKU:** VpnGw2 |
| 96 | +* **Generation:** Generation 2 |
| 97 | +* **Virtual network:** VNet1 |
| 98 | +* **Gateway subnet address range:** 10.1.255.0/27 |
| 99 | +* **Public IP address:** Create new |
| 100 | +* **Public IP address name:** VNet1GWpip |
| 101 | + |
| 102 | +[!INCLUDE [Create a vpn gateway](../../includes/vpn-gateway-add-gw-portal-include.md)] |
| 103 | + |
| 104 | +[!INCLUDE [Configure PIP settings](../../includes/vpn-gateway-add-gw-pip-portal-include.md)] |
| 105 | + |
| 106 | +A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device. |
| 107 | + |
| 108 | +[!INCLUDE [NSG warning](../../includes/vpn-gateway-no-nsg-include.md)] |
| 109 | + |
| 110 | +## <a name="view"></a>View the public IP address |
| 111 | + |
| 112 | +You can view the gateway public IP address on the **Overview** page for your gateway. |
| 113 | + |
| 114 | +:::image type="content" source="./media/tutorial-create-gateway-portal/address.png" alt-text="Screenshot of Overview page used to view the Public IP address field." lightbox="./media/tutorial-create-gateway-portal/address.png"::: |
| 115 | + |
| 116 | +To see additional information about the public IP address object, select the name/IP address link next to **Public IP address**. |
| 117 | + |
| 118 | +## <a name="resize"></a>Resize a gateway SKU |
| 119 | + |
| 120 | +There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see [Gateway settings - resizing and changing SKUs](vpn-gateway-about-vpn-gateway-settings.md#resizechange). |
| 121 | + |
| 122 | +[!INCLUDE [resize a gateway](../../includes/vpn-gateway-resize-gw-portal-include.md)] |
| 123 | + |
| 124 | +## <a name="reset"></a>Reset a gateway |
| 125 | + |
| 126 | +[!INCLUDE [reset a gateway](../../includes/vpn-gateway-reset-gw-portal-include.md)] |
| 127 | + |
| 128 | +## Clean up resources |
| 129 | + |
| 130 | +If you're not going to continue to use this application or go to the next tutorial, delete |
| 131 | +these resources using the following steps: |
| 132 | + |
| 133 | +1. Enter the name of your resource group in the **Search** box at the top of the portal and select it from the search results. |
| 134 | + |
| 135 | +1. Select **Delete resource group**. |
| 136 | + |
| 137 | +1. Enter your resource group for **TYPE THE RESOURCE GROUP NAME** and select **Delete**. |
| 138 | + |
| 139 | +## Next steps |
| 140 | + |
| 141 | +Once you have a VPN gateway, you can configure connections. The following articles will help you create a few of the most common configurations: |
| 142 | + |
| 143 | +> [!div class="nextstepaction"] |
| 144 | +> [Site-to-Site VPN connections](./tutorial-site-to-site-portal.md) |
| 145 | +
|
| 146 | +> [!div class="nextstepaction"] |
| 147 | +> [Point-to-Site VPN connections](vpn-gateway-howto-point-to-site-resource-manager-portal.md) |
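Review bot: The checklist at lines 23-24 of the new file lists "Create a DDoS protection plan" before "Create a virtual network", but the body does the opposite: VNet1 is created first (line 39) and the plan second (line 52). Reorder the checklist to match the sections, since "Enable DDoS protection" attaches the plan to an already existing VNet1. The title promises a protected gateway, yet none of the visible steps confirms that the gateway public IP VNet1GWpip is covered by myDDoSProtectionPlan; a short check in "View the public IP address" would close that gap. Wording fixes: line 18 has "Overages charges" and a stray space after the opening parenthesis of the pricing link; line 71 should read "Azure DDoS Protection Standard is enabled at the virtual network where the resource you want to protect resides"; line 130 says "this application", which looks carried over from a template; and the "45 minutes or more" sentence appears at both line 87 and line 106.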