DDoS Protection
Service 37

Azure DDoS Protection defends public endpoints against distributed denial-of-service attacks — the volumetric and protocol floods that try to exhaust bandwidth or connection state. Azure applies always-on infrastructure-level defense to all traffic for free; the paid tiers add tuned, resource-specific mitigation, telemetry, and guarantees on top.

The distinction that matters is between the free platform protection everyone gets and the paid Network or IP Protection tiers you opt into for workloads that would actually be targeted. Internet-facing applications with real exposure need the paid tier; assuming the free baseline is enough for a high-value target is the common gap.

Platform vs Paid Tiers

Azure's basic infrastructure protection is always on and free, defending the platform as a whole. DDoS Network Protection covers all protected public IPs in a VNet with tuned mitigation, attack telemetry, and a cost-protection guarantee; DDoS IP Protection prices per protected public IP, for smaller deployments that want the paid capability without the VNet-wide plan. The paid tiers are what give resource-specific tuning and visibility.
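As an added example (not taken from the page or from Microsoft's own templates), the Bicep below deploys the two paid tiers side by side: a DDoS Network Protection plan attached to a VNet, a public IP that inherits that plan, and a stand-alone public IP that opts into IP Protection instead. Resource names and the address space are assumptions.

```bicep
param location string = resourceGroup().location

// One plan is the billable Network Protection unit and can be shared by several VNets.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-plan-prod' // assumed name
  location: location
}

// Network Protection: every public IP attached to resources in this VNet is covered.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-prod' // assumed name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ '10.10.0.0/16' ] // assumed address space
    }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
  }
}

// Public IP used inside the protected VNet: inherit the plan instead of paying per IP again.
resource pipInVnet 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-web-frontend' // assumed name
  location: location
  sku: { name: 'Standard' } // DDoS protection requires the Standard SKU
  properties: {
    publicIPAllocationMethod: 'Static'
    ddosSettings: { protectionMode: 'VirtualNetworkInherited' }
  }
}

// Small deployment with no VNet plan: IP Protection, billed per protected IP.
resource pipStandalone 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-small-api' // assumed name
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
    ddosSettings: { protectionMode: 'Enabled' }
  }
}
```

Deploy into a resource group with `az deployment group create --resource-group <rg> --template-file ddos.bicep`; the plan is where the per-VNet cost lands, so share one plan across VNets rather than creating one per VNet.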

Adaptive Tuning

The paid tiers profile each protected resource's normal traffic and set mitigation thresholds adaptively, so legitimate spikes are not mistaken for attacks and genuine floods are caught early. This per-resource baselining is the core advantage over generic platform defense, which cannot know what normal looks like for your specific endpoint.

Telemetry and Alerts

Paid protection emits metrics, attack analytics, and alerts during and after an event, so you can see what was mitigated rather than just experiencing degraded service blindly. Integrating these alerts with Azure Monitor means an attack triggers a notification and a record, not just a mysterious latency spike.
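An added example, not part of the original page: a Bicep fragment that wires an Azure Monitor metric alert to the IfUnderDDoSAttack metric of an already-protected public IP, so active mitigation notifies an action group and leaves an alert record. The public IP name and the e-mail address are placeholders.

```bicep
// Existing protected public IP (name is an assumption for this example).
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = {
  name: 'pip-web-frontend'
}

// Who is notified; reused by any DDoS alert rule.
resource ddosActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-ddos-oncall'
  location: 'global'
  properties: {
    groupShortName: 'ddos'
    enabled: true
    emailReceivers: [
      {
        name: 'noc'
        emailAddress: 'noc@example.com' // placeholder address
        useCommonAlertSchema: true
      }
    ]
  }
}

// IfUnderDDoSAttack is 1 while mitigation is active on this IP; evaluate every minute.
resource underAttackAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-ddos-under-attack'
  location: 'global'
  properties: {
    severity: 1
    enabled: true
    scopes: [ pip.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'UnderAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
          criterionType: 'StaticThresholdCriterion'
        }
      ]
    }
    actions: [ { actionGroupId: ddosActionGroup.id } ]
  }
}
```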

Cost Protection

A DDoS attack can drive autoscaling and bandwidth charges as the platform absorbs the flood. The paid tiers include cost-protection credits for scale-out incurred during a documented attack, so a defended attack does not also become a surprise bill. This turns DDoS from a financial risk into a covered one.

Common Mistakes

  • Assuming the free platform protection is sufficient for a high-value, internet-facing target that warrants the paid tier's tuned mitigation.
  • Leaving protection disabled on the public IPs that actually matter, so adaptive tuning never profiles them.
  • Choosing the per-IP IP Protection plan for a large estate where Network Protection would cover the whole VNet more economically, or vice versa.
  • Not integrating attack telemetry with Azure Monitor, so an attack shows up only as unexplained degradation.
  • Forgetting that DDoS protection guards availability, not application-layer exploits — the WAF handles Layer 7 attacks.
  • Ignoring cost-protection terms, then being surprised by autoscale charges during an attack.

Best Practices

  • Enable a paid tier (Network or IP Protection) on genuinely exposed, high-value public endpoints.
  • Let adaptive tuning profile each protected resource so thresholds fit its real traffic.
  • Route DDoS metrics and alerts into Azure Monitor for visibility during and after an attack.
  • Choose Network Protection for VNet-wide coverage and IP Protection for smaller, per-IP needs.
  • Pair DDoS Protection (availability) with a WAF (application-layer attacks) — they cover different threats.
  • Understand the cost-protection terms so defended attacks do not produce surprise scale-out bills.

Comparable Services

  • AWS Shield
  • GCP Cloud Armor (DDoS defense)

Knowledge Check

What do the paid DDoS Protection tiers add over Azure's free platform protection?

  • Resource-specific adaptive tuning, attack telemetry, alerts, and cost protection
  • The only mechanism encrypting traffic in transit between the client and the backend server
  • Inline blocking of SQL injection, cross-site scripting, and other Layer 7 application exploits
  • Global DNS-based routing of incoming traffic to the nearest healthy regional endpoint

DDoS Protection and a WAF cover which threats, respectively?

  • DDoS covers availability (volumetric/protocol floods); the WAF covers application-layer exploits
  • Both cover the exact same Layer 7 application-layer attacks, making one of the two redundant
  • DDoS covers SQL injection and cross-site scripting, while the WAF covers volumetric bandwidth-exhaustion floods
  • Both are strictly limited to mitigating DNS-layer query-flood attacks and nothing else

What does cost protection in the paid tiers provide?

  • Credits for autoscale and bandwidth charges incurred during a documented attack
  • A standing percentage discount applied to the base service price on every monthly billing cycle
  • Free Key Vault and storage account operations for the full duration of the incident window
  • Permanently waived egress data-transfer charges for all outbound traffic