title | description | author | ms.author | ms.topic | ms.workload | ms.custom | ms.service | ms.date |
---|---|---|---|---|---|---|---|---|
Reliability in Azure DDoS Network Protection |
Learn about reliability in Azure DDoS Network Protection |
AbdullahBell |
abell |
reliability-article |
infrastructure-services |
subject-reliability, references_regions |
ddos-protection |
03/14/2024 |
This article describes reliability support in Azure DDoS Network Protection, and both regional resiliency with availability zones and cross-region recovery and business continuity. For a more detailed overview of reliability in Azure, see Azure reliability.
[!INCLUDE Availability zone description]
Azure DDoS Protection is zone-redundant by default and is managed by the service itself. You don't need to configure or setup zone redundancy yourself.
[!INCLUDE introduction to disaster recovery]
You can choose one of two approaches to managing business continuity for DDoS Protection over your VNets. The first approach is reactive and the second approach is proactive.
- Reactive business continuity plan. Virtual networks are fairly lightweight resources. In the case of a regional outage, you can invoke Azure APIs to create a VNet with the same address space, but in a different region. To recreate the same environment that was present in the affected region, you'll need to make API calls to redeploy primary region VNet resources. If on-premises connectivity is available, such as in a hybrid deployment, you must deploy a new VPN Gateway, and connect to your on-premises network.
Note
A reactive approach to maintaining business continuity always runs the risk that you may not have access to the primary region's resources, due the extent of the disaster. In that case, you'll need to recreate all of the primary region's resources.
- Proactive business continuity plan. You can create two VNets using the same private IP address space and resources in two different regions ahead of time. If you are hosting internet-facing services in the VNet, you could set up Traffic Manager to geo-route traffic to the region that is active. However, you cannot connect two VNets with the same address space to your on-premises network, as it would cause routing issues. At the time of a disaster and loss of a VNet in one region, you can connect the other VNet in the available region, with the matching address space to your on-premises network.
To create a virtual network, see Create a virtual network.
For single region geographies in a disaster scenario, the virtual network and the resources in the affected region remains inaccessible during the time of the service disruption.