This tutorial shows you how to create an Azure Route Server with DDoS protection enabled. Azure DDoS protection safeguards your publicly accessible Route Server from Distributed Denial of Service attacks, ensuring continuous operation of your network routing infrastructure.
By the end of this tutorial, you have a fully functional Route Server deployment protected by Azure DDoS protection, ready for Border Gateway Protocol (BGP) peering with your network virtual appliances.
Important
Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overage charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see Azure DDoS Protection pricing. For more information about Azure DDoS protection, see What is Azure DDoS Protection?
In this tutorial, you learn how to:
- Create a DDoS protection plan
- Create an Azure Route Server
- Enable the DDoS protection and plan
- Configure the Route Server
Prerequisites
- An Azure account with an active subscription. Create an account for free.
Create DDoS protection plan
In this section, you create an Azure DDoS protection plan that you associate with the virtual network later in this tutorial.
Sign in to the Azure portal.
In the search box at the top of the portal, enter DDoS protection. Select DDoS protection plans from the search results.
Select + Create.
On the Basics tab of Create a DDoS protection plan, enter or select the following information:

| Setting | Value |
| --- | --- |
| Project details | |
| Subscription | Select your subscription. |
| Resource group | Select Create new. Enter myResourceGroup. Select OK. |
| Instance details | |
| Name | Enter myDDoSProtectionPlan. |
| Region | Select East US. |

Select Review + create.
Select Create.
Create a Route Server
In this section, you create an Azure Route Server along with its virtual network and public IP address. The deployment process creates all necessary networking components.
In the search box at the top of the portal, enter Route Server. Select Route Servers from the search results.
Select + Create.
On the Basics tab of Create a Route Server, enter or select the following information:

| Setting | Value |
| --- | --- |
| Project details | |
| Subscription | Select your subscription. |
| Resource group | Select myResourceGroup. |
| Instance details | |
| Name | Enter myRouteServer. |
| Region | Select East US. |
| Configure virtual networks | |
| Virtual network | Select Create new. In Name, enter myVNet. Leave the prepopulated Address space and Subnets. In the example for this article, the address space is 10.1.0.0/16 with a subnet of 10.1.0.0/24. In Subnets, for Subnet name, enter RouteServerSubnet. In Address range, enter 10.1.1.0/27. Select OK. |
| Subnet | Select RouteServerSubnet (10.1.1.0/27). |
| Public IP address | |
| Public IP address | Select Create new. |
| Public IP address name | Enter myPublicIP. |

Select Review + create.
Select Create.
Note
The deployment of the Route Server can take up to 30 minutes.
Enable DDoS protection
Azure DDoS Network Protection is enabled at the virtual network level where the resource you want to protect resides. In this section, you enable DDoS protection for the virtual network hosting your Route Server.
In the search box at the top of the portal, enter Virtual network. Select Virtual networks from the search results.
Select myVNet.
Select DDoS protection under Settings.
Select Enable.
In the DDoS protection plan dropdown, select myDDoSProtectionPlan.
Select Save.
Note
After you enable DDoS protection, it can take a few minutes for the protection to become fully active.
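Because protection is applied at the virtual network level, a Route Server is only covered if the virtual network that hosts its RouteServerSubnet has DDoS protection enabled and the intended plan attached. The following check is an added example, not part of the original tutorial; it audits an exported virtual network list, and the JSON field names (modeled on `az network vnet list` output), the placeholder subscription ID, and the extra virtual network names are assumptions.

```python
import json

# Constructed sample, shaped like the JSON list `az network vnet list` returns.
# Field names (enableDdosProtection, ddosProtectionPlan.id, subnets[].name)
# are an assumption about that output; the subscription ID is a placeholder.
PLAN_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "myResourceGroup/providers/Microsoft.Network/ddosProtectionPlans/"
           "myDDoSProtectionPlan")
SAMPLE_VNETS = json.dumps([
    {"name": "myVNet", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN_ID},
     "subnets": [{"name": "default"}, {"name": "RouteServerSubnet"}]},
    {"name": "stagingVNet", "enableDdosProtection": False,
     "ddosProtectionPlan": None,
     "subnets": [{"name": "RouteServerSubnet"}]},
    {"name": "otherPlanVNet", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN_ID.replace("myDDoS", "legacy")},
     "subnets": [{"name": "RouteServerSubnet"}]},
    {"name": "appVNet", "enableDdosProtection": False,
     "ddosProtectionPlan": None, "subnets": [{"name": "default"}]},
])


def audit_route_server_vnets(vnets_json, expected_plan):
    """Return {vnet name: [findings]} for VNets that host a RouteServerSubnet."""
    report = {}
    suffix = "/ddosprotectionplans/" + expected_plan.lower()
    for vnet in json.loads(vnets_json):
        subnets = vnet.get("subnets") or []
        if not any(s.get("name") == "RouteServerSubnet" for s in subnets):
            continue  # no Route Server can be hosted here, so it is out of scope
        findings = []
        if not vnet.get("enableDdosProtection"):
            findings.append("DDoS protection is not enabled on the virtual network")
        plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id", "")
        if not plan_id:
            findings.append("no DDoS protection plan is associated")
        elif not plan_id.lower().endswith(suffix):  # resource IDs are case-insensitive
            findings.append("associated plan is not " + expected_plan)
        report[vnet["name"]] = findings
    return report


if __name__ == "__main__":
    result = audit_route_server_vnets(SAMPLE_VNETS, "myDDoSProtectionPlan")
    for name, findings in result.items():
        print(name, "OK" if not findings else "; ".join(findings))
```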
Set up peering with NVA
In this section, you configure BGP peering between your Route Server and network virtual appliance (NVA). This step establishes the routing relationship that allows dynamic route exchange.
In the search box at the top of the portal, enter Route Server. Select Route Servers from the search results.
Select myRouteServer.
Under Settings, select Peers.
Select + Add.
Enter or select the following information in Add Peer:
| Setting | Value |
| --- | --- |
| Name | Enter a descriptive name for the peering between your Route Server and the NVA. |
| ASN | Enter the Autonomous System Number (ASN) of your NVA. |
| IPv4 Address | Enter the IP address of the NVA that you want to peer with the Route Server. |

Select Add.
Note
Ensure that your NVA is configured with a different ASN than the Route Server (65515) and supports multi-hop eBGP.
Complete the configuration on the NVA
To establish a BGP session with your Route Server, you need the Azure Route Server's peer IPs and ASN. This information is required to complete the configuration on your network virtual appliance.
In the search box at the top of the portal, enter Route Server. Select Route Servers from the search results.
Select myRouteServer.
On the Overview page of myRouteServer, note the ASN and Peer IPs values.
Use these values to configure BGP peering on your NVA:
- Configure two BGP sessions (one for each peer IP)
- Use the Route Server's ASN as the remote ASN
- Ensure your NVA's ASN is different from 65515
Tip
For optimal redundancy, establish BGP sessions with both peer IPs provided by the Route Server.
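The requirements above (one session per peer IP, the Route Server's ASN as the remote ASN, a different local ASN, multi-hop eBGP) can be checked before the NVA configuration is applied. This validator is an added example, not part of the original tutorial; the neighbor dictionary shape is a hypothetical vendor-neutral format, and the peer IPs and NVA ASN 65001 are constructed sample values.

```python
import ipaddress

ROUTE_SERVER_ASN = 65515  # Route Server ASN as stated in this tutorial


def validate_nva_bgp(nva_asn, neighbors, rs_peer_ips, rs_asn=ROUTE_SERVER_ASN):
    """Check a planned NVA BGP config against the tutorial's requirements.

    neighbors: list of dicts with keys address, remote_as, ebgp_multihop
    (a hypothetical, vendor-neutral shape). Returns a list of problems.
    """
    problems = []
    if nva_asn == rs_asn:
        problems.append(f"NVA ASN {nva_asn} must differ from Route Server ASN")
    by_addr = {}
    for n in neighbors:
        by_addr.setdefault(ipaddress.ip_address(n["address"]), []).append(n)
    for ip in map(ipaddress.ip_address, rs_peer_ips):
        sessions = by_addr.get(ip, [])
        if not sessions:
            problems.append(f"no BGP session to peer IP {ip}")
            continue
        if len(sessions) > 1:
            problems.append(f"duplicate BGP sessions to peer IP {ip}")
        for s in sessions:
            if s["remote_as"] != rs_asn:
                problems.append(f"{ip}: remote ASN {s['remote_as']} is not {rs_asn}")
            if not s.get("ebgp_multihop"):
                problems.append(f"{ip}: multi-hop eBGP is not enabled")
    return problems


# Constructed values: peer IPs picked from the tutorial's 10.1.1.0/27 subnet,
# NVA ASN 65001 chosen arbitrarily from the private ASN range.
PEER_IPS = ["10.1.1.4", "10.1.1.5"]
GOOD = [{"address": "10.1.1.4", "remote_as": 65515, "ebgp_multihop": True},
        {"address": "10.1.1.5", "remote_as": 65515, "ebgp_multihop": True}]
BAD = [{"address": "10.1.1.4", "remote_as": 65001, "ebgp_multihop": False}]

if __name__ == "__main__":
    print(validate_nva_bgp(65001, GOOD, PEER_IPS))
    for p in validate_nva_bgp(65515, BAD, PEER_IPS):
        print("problem:", p)
```

Replace `PEER_IPS` with the Peer IPs values noted on the Overview page of myRouteServer before using the check on a real configuration.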
Clean up resources
If you're not going to continue using these resources, delete the resource group to remove the virtual network, DDoS protection plan, Route Server, and all associated resources to avoid ongoing charges.
In the search box at the top of the portal, enter myResourceGroup. Select myResourceGroup from the search results.
Select Delete resource group.
In Delete a resource group, enter myResourceGroup, and then select Delete.
Select Delete to confirm the deletion of the resource group and all its resources.
Warning
This action permanently deletes all resources in the resource group. Make sure you no longer need these resources before proceeding.
Next step
Now that you have a DDoS-protected Route Server deployment, learn how to configure and manage it effectively: