DDOS protection

[bencoombs]

Assess current state of DDOS protection. Suggest improvements.

https://learn.microsoft.com/en-us/azure/ddos-protection/ https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts

[bencoombs]

Azure provides L3/L4 protection as part of it's infrastructure/networking in general.

L7 application protection needs to be managed by us.

• CORS? Check and restrict in production.
• Account spend limits? Provides a cost ceiling to the pay-as-you-go plans in the event than an endpoint is called many times.
• Restrict the API to the web client only? Can be done in Azure using a special key.
• Setup app functions on a dedicated host using Azure App Service Environment which then allows Web Application Firewall to be setup. Azure Front Door (CDN).
• Monitoring? Azure Sentinel?
• Recovery? Terraform?
• Software - debounce buttons, error handle all requests, rate limiting?

[bencoombs]

API should be open.

Short term:

• CORS/certificates check.
• Account spend limits.
• Software error handling review + fix

Mid term:

• Deploy app to new environment and setup Web Application Firewall

Long term:

• Monitoring and Terraform