articles/ddos-protection/inline-protection-glb.md
Lines changed: 64 additions & 21 deletions
@@ -6,42 +6,85 @@ author: AbdullahBell
6
6
ms.service: azure-ddos-protection
7
7
ms.topic: how-to
8
8
ms.author: abell
9
-
ms.date: 03/17/2025
9
+
ms.date: 06/18/2025
10
10
---
11
11
12
12
# Inline L7 DDoS Protection with Gateway Load Balancer and Partner NVAs
13
13
14
-
Azure DDoS Protection is always-on but not inline and takes 30-60 seconds from the time an attack is detected until it's mitigated. Azure DDoS Protection also works at L3/4 (network layer) and doesn't inspect the packet payload that is, application layer (L7).
14
+
This article describes how to implement inline Layer 7 (L7) DDoS protection for latency-sensitive workloads in Azure by using Gateway Load Balancer and partner network virtual appliances (NVAs). You'll learn about scenarios, architecture, deployment steps, and best practices for comprehensive DDoS mitigation.
15
15
16
-
Workloads that are highly sensitive to latency and can't tolerate 30-60 seconds of on-ramp time for DDoS protection to kick in requires inline protection. Inline protection entails that all the traffic always goes through the DDoS protection pipeline. Further, for scenarios such as web protection or gaming workload protection (UDP) it becomes crucial to inspect the packet payload to mitigate against extreme low volume attacks, which exploit the vulnerability in the application layer (L7).
16
+
## Overview
17
+
18
+
Azure DDoS Protection provides robust, always-on defense at the network layer (L3/4), quickly detecting and mitigating attacks within 30-60 seconds. While it focuses on protecting against volumetric and protocol-based threats, application layer (L7) inspection can be added for even greater security.
19
+
20
+
Some workloads, such as gaming, web applications, financial services, and streaming services, demand ultra-low latency, and continuous protection. For these scenarios, inline protection ensures that all traffic is proactively routed through the DDoS protection pipeline at all times. This approach not only delivers immediate mitigation but also enables deep inspection of packet payloads, helping to detect and block low-volume attacks that target vulnerabilities at the application layer (L7).
21
+
22
+
Partner NVAs deployed with Gateway Load Balancer and integrated with Azure DDoS Protection offer comprehensive inline L7 DDoS Protection for high-performance and high-availability scenarios. This combination provides L3-L7 protection against volumetric and low-volume DDoS attacks.
23
+
24
+
## Scenarios
25
+
26
+
Inline L7 DDoS protection is valuable for:
27
+
28
+
-**Web applications:** Protects against HTTP floods and slowloris attacks.
29
+
-**Financial services:** Safeguards transaction systems from targeted application-layer attacks.
30
+
-**Streaming services:** Ensures uninterrupted streaming by mitigating low-volume, targeted attacks.
31
+
-**Gaming workloads:** Prevents short outages and disruptions caused by targeted attacks on game servers.
17
32
18
-
Partner NVAs deployed with Gateway Load Balancer and integrated with Azure DDoS Protection offers comprehensive inline L7 DDoS Protection for high performance and high availability scenarios. Inline L7 DDoS Protection combined with Azure DDoS Protection provides comprehensive L3-L7 protection against volumetric and low-volume DDoS attacks.
19
33
20
34
## What is a Gateway Load Balancer?
21
-
Gateway Load Balancer is a SKU of Azure Load Balancer catered specifically for high performance and high availability scenarios with third-party Network Virtual Appliances (NVAs).
22
35
23
-
With the capabilities of Gateway LB, you can deploy, scale, and manage NVAs with ease – chaining a Gateway LB to your public endpoint merely requires one select. You can insert appliances for various scenarios such as firewalls, advanced packet analytics, intrusion detection and prevention systems, or custom scenarios that suit your needs into the network path with Gateway LB. In scenarios with NVAs, it's especially important that flows are ‘symmetrical’ – this ensures sessions are maintained and symmetrical. Gateway LB maintains flow symmetry to a specific instance in the backend pool.
36
+
Gateway Load Balancer is a SKU of Azure Load Balancer designed for high-performance and high-availability scenarios with third-party NVAs.
37
+
38
+
With Gateway Load Balancer, you can easily deploy, scale, and manage NVAs. You can connect a Gateway Load Balancer to your public endpoint with a single configuration step. This capability lets you add NVAs to the network path for scenarios such as firewalls, advanced packet analytics, intrusion detection systems, intrusion prevention systems, or other custom solutions. Gateway Load Balancer also maintains flow symmetry to a specific instance in the backend pool, ensuring session consistency.
39
+
40
+
For more information, see [Gateway Load Balancer](../load-balancer/gateway-overview.md).
41
+
42
+
## Architecture
43
+
44
+
DDoS attacks on latency-sensitive workloads like gaming can cause outages lasting 2-10 seconds, disrupting availability. Gateway Load Balancer enables protection of such workloads by ensuring the relevant NVAs are injected into the ingress path of the internet traffic. After you connect the Gateway Load Balancer to a Standard Public Load Balancer frontend or to the IP configuration of a virtual machine, traffic to and from the application endpoint is automatically routed through the Gateway Load Balancer—no additional configuration is required.
45
+
46
+
Inbound traffic is inspected by the NVAs, and clean traffic returns to the backend infrastructure (such as game servers).
47
+
48
+
Traffic flows from the consumer virtual network to the provider virtual network and then returns to the consumer virtual network. The consumer and provider virtual networks can be in different subscriptions, tenants, or regions, enabling greater flexibility and ease of management.
24
49
25
-
For more information on Gateway Load Balancer, see the [Gateway load balancer](../load-balancer/gateway-overview.md) product and documentation.
50
+
:::image type="content" source="./media/ddos-glb.png" alt-text="Screenshot of DDoS inline protection diagram via gateway load balancer.":::
26
51
27
-
## Inline DDoS protection with Gateway Load Balancer and Partner NVAs
52
+
**Traffic flow steps:**
28
53
29
-
DDoS attacks on high latency sensitive workloads (e.g., gaming) can cause outage ranging from 2-10 seconds resulting in availability disruption. Gateway Load Balancer enables protection of such workloads by ensuring the relevant NVAs are injected into the ingress path of the internet traffic. Once chained to a Standard Public Load Balancer frontend or IP configuration on a virtual machine, no additional configuration is needed to ensure traffic to, and from the application endpoint is sent to the Gateway LB.
54
+
1. Traffic from the internet reaches the public IP of the Standard Load Balancer.
55
+
1. Traffic is redirected to the Gateway Load Balancer, which forwards it to partner NVAs.
56
+
1. NVAs inspect and filter traffic, mitigating L7 attacks.
57
+
1. Clean traffic returns to the backend servers for processing.
58
+
1. Azure DDoS Protection provides additional L3/L4 protection at the Standard Load Balancer.
30
59
31
-
Inbound traffic is always inspected via the NVAs in the path and the clean traffic is returned to the backend infrastructure (gamer servers).
60
+
Enabling Azure DDoS Protection on the virtual network of the Standard Public Load Balancer frontend or virtual machine protects against L3/4 DDoS attacks.
32
61
33
-
Traffic flows from the consumer virtual network to the provider virtual network and then returns to the consumer virtual network. The consumer virtual network and provider virtual network can be in different subscriptions, tenants, or regions enabling greater flexibility and ease of management.
34
62
35
-
:::image type="content" source="./media/ddos-glb.png" alt-text="Diagram of DDoS inline protection via gateway load balancer." lightbox="./media/ddos-glb.png":::
36
-
37
-
Enabling Azure DDoS Protection on the VNet of the Standard Public Load Balancer frontend or VNet of the virtual machine will offer protection from L3/4 DDoS attacks.
38
-
1. Unfiltered game traffic from the internet is directed to the public IP of the game servers Load Balancer.
39
-
1. Unfiltered game traffic is redirected to the chained Gateway Load Balancer private IP.
40
-
1. The unfiltered game traffic is inspected for DDoS attacks in real time via the partner NVAs.
41
-
1. Filtered game traffic is sent back to the game servers for final processing.
42
-
1. Azure DDoS Protection on the gamer servers Load Balancer protects from L3/4 DDoS attacks and the DDoS protection policies are automatically tuned for game servers traffic profile and application scale.
63
+
For detailed deployment instructions, see [Protect your public load balancer with Azure DDoS Protection](../load-balancer/tutorial-protect-load-balancer-ddos.md).
64
+
65
+
## Best practices
66
+
67
+
To ensure effective DDoS protection using Gateway Load Balancer and partner NVAs, follow these best practices.
68
+
69
+
-**Scale NVAs appropriately to handle peak traffic volumes:**
70
+
71
+
Ensure that your NVAs are sized and configured to accommodate the highest expected levels of traffic. Under-provisioned NVAs can become a bottleneck, reducing the effectiveness of DDoS mitigation and potentially impacting application performance. Use Azure monitoring tools to track traffic patterns and adjust scaling as needed. for more information, see [Azure Monitor](/azure/azure-monitor/fundamentals/overview) and [Network Watcher](/azure/network-watcher/network-watcher-monitoring-overview).
72
+
73
+
-**Deploy NVAs in a high-availability configuration to avoid single points of failure:**
74
+
75
+
Configure multiple NVAs in an active-active or active-passive configuration to ensure continuous protection, even if one appliance fails or requires maintenance. Use Azure Load Balancer health probes to monitor NVA health and automatically reroute traffic if an instance becomes unavailable. For more information, see [Azure Load Balancer health probes](../load-balancer/load-balancer-custom-probe-overview.md).
76
+
77
+
-**Regularly monitor and tune NVAs to maintain optimal performance:**
78
+
79
+
Continuously monitor the performance and health of your NVAs using Azure Monitor, Network Watcher, and NVA-specific dashboards. Review logs and alerts for unusual activity or performance degradation. Update NVA software and signatures regularly to protect against the latest threats and vulnerabilities.
80
+
81
+
-**Test your DDoS protection setup to validate end-to-end traffic flow and mitigation:**
82
+
83
+
Periodically simulate DDoS attack scenarios and perform failover tests to ensure your protection setup is working as intended. Validate that traffic flows through the NVAs as expected and that mitigation actions are triggered appropriately. Document your test results and update your configuration or runbooks as needed to address any issues. For more information, see [Testing DDoS Protection](../ddos-protection/test-through-simulations.md).
43
84
44
85
## Next steps
86
+
45
87
- Learn more about our launch partner [A10 Networks](https://www.a10networks.com/blog/introducing-l3-7-ddos-protection-for-microsoft-azure-tenants/)
46
-
- Learn more about [Azure DDoS Protection](./ddos-protection-overview.md)
47
-
- Learn more about [Gateway Load Balancer](../load-balancer/gateway-overview.md)
88
+
- Learn more about [Gateway Load Balancer](../load-balancer/gateway-overview.md).
89
+
- Learn more about [Azure Private Link](../private-link/private-link-overview.md) and how it can be used with Gateway Load Balancer.
90
+
- Learn more about [Azure DDoS Protection architecture](../ddos-protection/fundamental-best-practices.md).
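Review bot: the new bullet lists under `## Scenarios` and `## Best practices` won't render as Markdown lists because there is no space after the hyphen (`-**Web applications:** Protects against HTTP floods and slowloris attacks.`, `-**Scale NVAs appropriately to handle peak traffic volumes:**`); change each to `- **...`. In the same hunk, the replacement image directive drops the `lightbox="./media/ddos-glb.png"` attribute that the removed line carried and changes the alt text to "Screenshot of DDoS inline protection diagram ..." for what is a diagram, not a screenshot; keep the lightbox and the "Diagram of DDoS inline protection via gateway load balancer." wording. Two smaller points: in the scaling paragraph, "for more information, see [Azure Monitor]" needs a capital F after the preceding period, and rewritten traffic-flow step 2 loses the detail that traffic is redirected to the chained Gateway Load Balancer's private IP, which the removed step stated and which is useful when readers verify the flow.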