3 - Turn off DDOS protection plan
You can choose not to deploy a DDoS protection plan. To do that, you need to remove the DDoS protection plan configuration and disable the DINE (deploy if not exists) policy assignment. You can either comment out or remove the configuration entirely.

> **Danger**: Security Risk: A DDoS Network Protection Plan is a recommended security control for public-facing services. Disabling it without an alternative may leave your applications and workloads vulnerable to DDoS attacks. You should weigh up the pros and cons before deciding to disable the DDoS Network Protection Plan, and also consider how you will protect your applications and services without it. You may decide that the DDoS IP Protection offering, applied per Public IP, is a suitable option, as detailed here, or choose an alternative solution.
The steps to follow are:

1. Update the following settings by searching for the keys and updating the value:

   | Setting Type | Parent block(s) | Key | Action | Count | Notes |
   |---|---|---|---|---|---|
   | line | custom_replacements > names | ddos_protection_plan_enabled | Update setting to false | 1 | |

2. Locate the `lib` folder in your `config` directory. This folder was created in the initial steps of phase 2.

3. Open the `landing_zones_custom.alz_archetype_override.yaml` file and uncomment the `Enable-DDoS-VNET` policy assignment in the `policy_assignments_to_remove` list. The file should look like this:

   ```yaml
   base_archetype: landing_zones
   name: landing_zones_custom
   policy_assignments_to_add: []
   policy_assignments_to_remove: [
     # To remove AMA policies, uncomment the following lines:
     # Deploy-MDFC-DefSQL-AMA,
     # Deploy-VM-ChangeTrack,
     # Deploy-VM-Monitoring,
     # Deploy-vmArc-ChangeTrack,
     # Deploy-vmHybr-Monitoring,
     # Deploy-VMSS-ChangeTrack,
     # Deploy-VMSS-Monitoring,
     # To remove the DDOS modify policy, uncomment the following line:
     Enable-DDoS-VNET,
   ]
   policy_definitions_to_add: []
   policy_definitions_to_remove: []
   policy_set_definitions_to_add: []
   policy_set_definitions_to_remove: []
   role_definitions_to_add: []
   role_definitions_to_remove: []
   ```

4. Open the `connectivity_custom.alz_archetype_override.yaml` file and update it to look like this:

   ```yaml
   base_archetype: connectivity
   name: connectivity_custom
   policy_assignments_to_add: []
   policy_assignments_to_remove: [
     # To remove the DDOS modify policy, uncomment the following line:
     Enable-DDoS-VNET,
   ]
   policy_definitions_to_add: []
   policy_definitions_to_remove: []
   policy_set_definitions_to_add: []
   policy_set_definitions_to_remove: []
   role_definitions_to_add: []
   role_definitions_to_remove: []
   ```

5. Make sure to save both files after making the changes.
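As an added post-edit sanity check (example shell script written for this page, not part of the accelerator or its documentation), the functions below confirm that all three edits are actually in place: the plan flag is `false` and `Enable-DDoS-VNET` is uncommented in both override files. The file paths passed to `verify_ddos_opt_out` are assumptions; point them at your own `config` directory.

```shell
#!/bin/sh
# Added example, not the accelerator's own tooling. Verifies the DDoS opt-out
# edits described above; the paths in the usage comment are assumptions.

# Succeeds when FILE ($1) contains an uncommented "Enable-DDoS-VNET" entry, so
# the DINE policy assignment is genuinely listed for removal. A line that still
# begins with '#' is ignored by the regex and therefore does not count.
ddos_policy_listed_for_removal() {
  grep -Eq '^[[:space:]]*Enable-DDoS-VNET[[:space:]]*,?[[:space:]]*$' "$1"
}

# Succeeds when FILE ($1) sets ddos_protection_plan_enabled to false (optional
# quotes, any case), matching the custom_replacements > names table entry.
ddos_plan_disabled() {
  grep -Eiq '^[[:space:]]*ddos_protection_plan_enabled[[:space:]]*:[[:space:]]*"?false"?[[:space:]]*$' "$1"
}

# Runs every check, prints each edit that is still missing, and returns the
# number of failures (0 means the opt-out is consistently configured).
# $1 = config file holding custom_replacements, $2 = landing_zones override,
# $3 = connectivity override.
verify_ddos_opt_out() {
  cfg="$1"; lz="$2"; conn="$3"; failures=0
  ddos_plan_disabled "$cfg" || {
    echo "MISSING: ddos_protection_plan_enabled: false in $cfg"
    failures=$((failures + 1))
  }
  ddos_policy_listed_for_removal "$lz" || {
    echo "MISSING: uncommented Enable-DDoS-VNET in $lz"
    failures=$((failures + 1))
  }
  ddos_policy_listed_for_removal "$conn" || {
    echo "MISSING: uncommented Enable-DDoS-VNET in $conn"
    failures=$((failures + 1))
  }
  return "$failures"
}

# Usage (assumed paths):
# verify_ddos_opt_out config/inputs.yaml \
#   config/lib/landing_zones_custom.alz_archetype_override.yaml \
#   config/lib/connectivity_custom.alz_archetype_override.yaml
```

A non-zero exit status from `verify_ddos_opt_out` means at least one of the three edits was not applied, which is the situation in which the policy would silently redeploy the plan on the next run.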
