DDoS Protection
DDoS Protection
This page covers Azure DDoS Protection — what it is, what it protects against, and when to use it.
Not a hands-on lab
Azure DDoS Protection Standard costs approximately $2,944 per month per protection plan. This is a per-subscription control, not a per-resource cost.
It is not included as a lab exercise. This page covers the concept, architecture, and decision criteria so you can apply it correctly in production.
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack floods a target with traffic from many sources simultaneously. The goal is to exhaust resources — bandwidth, CPU, memory, or connection tables — so legitimate users cannot reach the service.
Common attack types:
| Type | Description |
|---|---|
| Volumetric | Flood the network with traffic (UDP floods, DNS amplification) |
| Protocol | Exploit protocol weaknesses to exhaust connection state (SYN floods) |
| Application (Layer 7) | Flood with seemingly valid HTTP requests (HTTP floods, slowloris) |
Azure DDoS Protection tiers
Azure offers two tiers:
| Tier | Cost | What it does |
|---|---|---|
| DDoS Network Protection (formerly Basic) | Free, always on | Protects Azure infrastructure. Applied automatically to all public IPs. Mitigates common volumetric attacks. No per-customer telemetry or tuning. |
| DDoS IP Protection / Network Protection (formerly Standard) | ~$2,944/month per plan | Adaptive tuning per resource, real-time telemetry, attack analytics, rapid response support, cost guarantee (Azure credits for DDoS-caused scaling costs). |
DDoS Network Protection (Basic) is enabled automatically for all Azure public IPs. You do not need to configure it.
DDoS IP Protection / Network Protection adds per-resource policies that are tuned to the normal traffic baseline of your specific application.
What DDoS Protection Standard protects
DDoS Protection Standard operates at Layer 3 and Layer 4 (network and transport). It does not inspect HTTP content — that is the role of Application Gateway WAF (Layer 7).
How it is attached
DDoS Protection Standard (Network Protection) is attached to a VNet, not to individual resources.
All public IPs associated with resources in that VNet are then covered by the protection plan.
Steps (Portal):
- Create a DDoS protection plan: search DDoS protection plans → + Create
- Navigate to your VNet → Settings → DDoS protection
- Select Enable and choose your protection plan
Relation to other Day 2 controls
| Control | Layer | Protects against |
|---|---|---|
| NSG | L3/L4 (subnet) | Unauthorized access from specific IPs/ranges |
| App Service access restriction | L7 (app) | Unauthorized callers by IP or subnet |
| Private endpoint | L3 (network) | Public internet access to PaaS resources |
| Application Gateway WAF | L7 | SQL injection, XSS, protocol attacks |
| DDoS Protection Standard | L3/L4 | Volumetric and protocol flood attacks |
DDoS Protection Standard complements WAF — WAF filters malicious content, DDoS Protection absorbs volume attacks before they can saturate bandwidth or exhaust connection state.
When to use DDoS Protection Standard
Use it when:
- You have a public-facing workload with significant traffic or business-critical uptime requirements
- You have already addressed identity, network segmentation, and WAF (DDoS is not a substitute for those controls)
- The cost is justified by the business impact of downtime
Do not use it as a first response to security concerns. Address misconfiguration and access control first — DDoS Protection only helps against availability attacks, not against unauthorized access.
Key takeaway
Summary
Azure DDoS Network Protection (Basic) is always on and free — it protects Azure infrastructure automatically.
Azure DDoS Protection Standard adds per-resource adaptive tuning, telemetry, and SLA guarantees. It is a production control for business-critical public workloads with sufficient budget.
For the Day 2 lab environment, the free tier is sufficient. The concepts and Portal steps here apply directly when you configure it in a production subscription.