|
2 | 2 | title: Azure DDoS Protection reference architectures
|
3 | 3 | description: Learn Azure DDoS protection reference architectures.
|
4 | 4 | services: ddos-protection
|
5 |
| -documentationcenter: na |
6 | 5 | author: aletheatoh
|
7 | 6 | ms.service: ddos-protection
|
8 | 7 | ms.topic: article
|
9 |
| -ms.tgt_pltfrm: na |
10 | 8 | ms.workload: infrastructure-services
|
11 |
| -ms.date: 09/08/2020 |
| 9 | +ms.date: 01/19/2022 |
12 | 10 | ms.author: yitoh
|
| 11 | +ms.custom: fasttrack-edit |
13 | 12 | ---
|
14 | 13 |
|
15 | 14 | # DDoS Protection reference architectures
|
@@ -74,6 +73,26 @@ In this architecture, traffic destined to the HDInsight cluster from the interne
|
74 | 73 | For more information on this reference architecture, see the [Extend Azure HDInsight using an Azure Virtual Network](../hdinsight/hdinsight-plan-virtual-network-deployment.md?toc=%2fazure%2fvirtual-network%2ftoc.json)
|
75 | 74 | documentation.
|
76 | 75 |
|
| 76 | + |
| 77 | +> [!NOTE] |
| 78 | +> Azure App Service Environment for PowerApps or API management in a virtual network with a public IP are both not natively supported. |
| 79 | +
|
| 80 | +## Hub-and-spoke network topology with Azure Firewall and Azure Bastion |
| 81 | + |
| 82 | +This reference architecture details a hub-and-spoke topology with Azure Firewall inside the hub as a DMZ for scenarios that require central control over security aspects. Azure Firewall is a managed firewall as a service and is placed in its own subnet. Azure Bastion is deployed and placed in its own subnet. |
| 83 | + |
| 84 | +There are two spokes that are connected to the hub using VNet peering and there is no spoke-to-spoke connectivity. If you require spoke-to-spoke connectivity, then you need to create routes to forward traffic from one spoke to the firewall, which can then route it to the other spoke. |
| 85 | + |
| 86 | +:::image type="content" source="./media/ddos-best-practices/image-14.png" alt-text="Screenshot showing Hub-and-spoke architecture with firewall, bastion, and DDoS Protection Standard" lightbox="./media/ddos-best-practices/image-14.png"::: |
| 87 | + |
| 88 | +Azure DDoS Protection Standard is enabled on the hub virtual network. Therefore, all the Public IPs that are inside the hub are protected by the DDoS Standard plan. In this scenario, the firewall in the hub helps control the ingress traffic from the internet, while the firewall's public IP is being protected. Azure DDoS Protection Standard also protects the public IP of the bastion. |
| 89 | + |
| 90 | +DDoS Protection Standard is designed for services that are deployed in a virtual network. For more information, see [Deploy dedicated Azure service into virtual networks](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network). |
| 91 | + |
| 92 | +> [!NOTE] |
| 93 | +> DDoS Protection Standard protects the Public IPs of Azure resource. DDoS Protection Basic, which requires no configuration and is enabled by default, only protects the Azure underlying platform infrastructure (e.g. Azure DNS). For more information, see [Azure DDoS Protection Standard overview](ddos-protection-overview.md). |
| 94 | +For more information about hub-and-spoke topology, see [Hub-spoke network topology](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli). |
| 95 | + |
77 | 96 | ## Next steps
|
78 | 97 |
|
79 | 98 | - Learn how to [create a DDoS protection plan](manage-ddos-protection.md).
|
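Review bot: line 94 (`For more information about hub-and-spoke topology, see ...`) directly follows the `> [!NOTE]` lines with no blank line between them, so Markdown lazy continuation pulls it into the note's blockquote; add an empty line after line 93 so it renders as a normal paragraph. Two wording fixes in the same hunk: line 78 reads `are both not natively supported` but never says by what, so spell it out (presumably DDoS Protection Standard) and rephrase, for example `Neither Azure App Service Environment for PowerApps nor API Management in a virtual network with a public IP is natively supported`; this note is also appended to the end of the HDInsight section although it is not about HDInsight, so it fits better as a general note or inside the new hub-and-spoke section. Line 93 should read `Public IPs of Azure resources`. One content gap in line 88: enabling DDoS Protection Standard on the hub covers only public IPs in the hub virtual network, so readers should be told that any public IPs in the spokes are protected only if the plan is also enabled on those spoke virtual networks. Finally, the alt text in line 86 calls the image a screenshot; `Diagram showing ...` is more accurate for an architecture figure.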