Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

3 - Turn off DDOS protection plan

You can choose to not deploy a DDOS protection plan. In order to do that, they need to remove the DDOS protection plan configuration and disable the DINE (deploy if not exists) policy. You can either comment out or remove the configuration entirely.

DDOS Protection plan is a critical security protection for public facing services. Carefully consider this and be sure to put in place an alternative solution, such as per IP protection.

The steps to follow are:

  1. Update the following settings by searching for the keys and updating the value

    Setting TypeParent block(s)KeyActionCountNotes
    linecustom_replacements > namesddos_protection_plan_enabledUpdate setting to false1
  2. Copy and paste the following inside the management_group_settings > policy_assignments_to_modify

    If you have updated the connectivity or landingzones management group ID, then you need to update the management group ID in this block setting to match. For example, replace connectivity with contoso-connectivity.
    connectivity = {
      policy_assignments = {
        Enable-DDoS-VNET = {
          enforcement_mode = "DoNotEnforce"
        }
      }
    }
    landingzones = {
      policy_assignments = {
        Enable-DDoS-VNET = {
          enforcement_mode = "DoNotEnforce"
        }
      }
    }