Introducing L3-7 DDoS Protection for Microsoft Azure Tenants

DDoS attacks continue to grow in intensity, breadth and complexity as new threat vectors expand the options available to malicious attackers. Established solutions, which rely on ineffective, signature-based intrusion prevention or traffic rate-limiting, are no longer adequate. Moreover, the completely independent trend of enterprise workloads migrating to the cloud is also on the rise, exposing businesses to a wider attack surface. These two trends have amplified the need for advanced DDoS protection solutions to protect cloud workloads.

Cloud providers currently offer DDoS mitigation services directly to their tenants. However, while many tenants benefit from such services, others find they require additional DDoS protection options, particularly when they are targeted directly by complex attacks.

The reason for this is three-fold:

  1. Cloud provider DDoS mitigations aim to primarily protect their tenants against L3/L4 DDoS attacks, leaving them susceptible to L7 DDoS attacks.
  2. These L3/L4 countermeasures are not inline and are generally deployed on a reactive, as-needed basis, which can typically delay the DDoS protection from kicking in by 1 – 2 minutes.
  3. Cloud providers generally offer a one-size-fits-all DDoS mitigation option that applies to every business vertical, therefore lacking application-specific DDoS countermeasures.

As a result, various businesses (e.g., gaming and finance) need additional customized DDoS mitigation solutions that provide more comprehensive and efficient coverage.

Microsoft Azure is closing this gap by providing customers with the option of adding inline DDoS protection through network virtual appliances (NVAs) available in the Azure marketplace. This is made possible by using Azure’s Gateway Load Balancer (LB) feature. The Gateway LB ensures that relevant NVAs are injected into the ingress path of the internet traffic as it heads towards Azure-hosted applications and services.

A10 Networks has collaborated with Microsoft Azure to ensure that its Thunder TPS VA in the Azure marketplace, a DDoS mitigation solution, supports Azure’s new gateway LB so that Azure customers can take advantage of A10’s advanced DDoS protection offerings, complementing Azure DDoS Protection Standard.

A10’s Thunder TPS scales to defend against the DDoS of Things and traditional zombie botnets. This Azure marketplace solution is focused on high-resolution, packet-based DDoS detection via inline deployment in front of your protected Azure Virtual Networks. This deployment also achieves the fastest time-to-mitigation against Layer 3 to 7 attacks with minimal latency.

Using A10’s Thunder TPS VA in your production network provides unique advantages, including:

  1. Unique L3 – L7 DDoS mitigation capabilities

    When combined with Azure DDoS Protection Standard (valuable against volumetric L3 – L4 DDoS attacks), the solution provides comprehensive protection against attacks ranging from L3 to L7.

  2. Inline or “always on” DDoS mitigation enabled by integration with Azure Gateway LB

    The solution provides real-time mitigation against DDoS attacks. Additionally, due to A10’s industry-leading adaptive DDoS mitigation, legitimate users experience zero disruption even while the TPS actively mitigates attacks.

  3. Extensively customizable DDoS Mitigation policies

    Through A10’s Thunder TPS VA, Azure tenants can take advantage of customized DDoS mitigations that are best suited for their specific workloads. For example, gaming customers can benefit from A10’s unique packet watermarking mitigation (already used by some of the leading names in the gaming industry).

  4. Access to state-of-the-art DDoS mitigation capabilities

    Customers can take advantage of other unique features that A10 offers with the Thunder TPS solution, including protection against modern zero-day DDoS attacks (like Mirai and its successors) using A10’s Zero-day Automated Protection (ZAP) artificial intelligence/machine-learning-powered DDoS mitigation algorithms.

Combined with Azure DDoS Protection Standard, A10’s Thunder TPS VA provides comprehensive L3-L7 protection against all DDoS attacks.

“With A10 Networks’ Thunder TPS VA, and its integration with the Azure Gateway LB, even short-burst L3-7 DDoS attacks can be mitigated instantaneously, without impacting the availability or performance of applications, complementing Azure DDoS Protection Standard. Moreover, latency-sensitive customers (e.g., gaming, finance etc.) can protect their networks and users against complex attacks and disruptions using A10’s unique and purpose-built DDoS mitigation features like packet watermarking and Zero-day Automated Protection (ZAP).”

Anupam Vij, Principal PM Manager
Microsoft Azure Networking

Capabilities of the A10 Thunder TPS include:

We understand that DDoS attacks can be challenging to mitigate. The A10 support team provides 24x7x365 services, which includes the A10 DDoS Security Incident Response Team (DSIRT), to help you understand and mitigate the most advanced DDoS attacks.

To learn more about the solution, please visit:

Thunder TPS Product Page
Thunder TPS VA on the Azure Marketplace
Microsoft Blog – Inline DDoS protection with Gateway LB and Partner NVAs now available in Public Preview


Tarun Aggrawal
November 2, 2021

About Tarun Aggrawal

Tarun Aggrawal is Lead Security Solutions Architect for A10 Networks in North America. Tarun has been at A10 Networks for 8 years, where he has worked extensively on global Service Provider solutions for A10’s customers, with particular focus on DDoS mitigation and Carrier-Grade NAT solutions. Tarun has often been engaged in speaking events and webinars for A10 on his topics of expertise.