
Azure DDoS Protection Standard

This chapter provides a comprehensive deep dive into Azure DDoS Protection Standard, a critical service for securing Azure resources against distributed denial-of-service attacks. For the AZ-104 exam, understanding DDoS Protection is part of Objective 4.5, which covers implementing and managing network security. While only a few questions may directly test DDoS Protection, the concepts of network security, monitoring, and cost management are frequently interwoven with other topics. Mastering this chapter ensures you can identify when DDoS Protection is needed, how to configure it, and how to interpret attack telemetry—skills that are essential for the exam and real-world administration.

Updated May 31, 2026

DDoS Protection as a Bouncer at a Stadium

Imagine a stadium hosting a sold-out concert. The stadium has a single main entrance (your Azure public endpoint). Normally, fans arrive at a steady pace, and security checks tickets efficiently. Suddenly, an organized group buys thousands of fake tickets and sends 100,000 people to the entrance simultaneously, overwhelming the security staff and blocking real fans from entering. This is a DDoS attack. Azure DDoS Protection Standard is like hiring a team of elite bouncers who stand before the main entrance. They don't just check tickets; they analyze every person approaching: Are they a known fan? Do they have a ticket? Are they behaving erratically? They maintain a whitelist of verified ticket holders and a blacklist of known troublemakers. If a surge of fake fans appears, the bouncers instantly recognize the pattern—too many people from the same bus, same fake tickets—and block the entire busload before they even reach the door. The bouncers also have a direct line to the police (Azure Monitor) to log every blocked attempt. Importantly, the bouncers operate at the perimeter, not inside the stadium, so legitimate fans flow in without delay. The stadium's capacity (bandwidth) is never fully consumed by the fake crowd because the bouncers intercept them upstream.

How It Actually Works

What is Azure DDoS Protection Standard?

Azure DDoS Protection Standard is a managed security service that protects Azure resources from network and application layer DDoS attacks. It is available in two tiers: Basic (free, automatically enabled on all Azure resources) and Standard (paid, with advanced features). The Standard tier provides adaptive tuning, attack analytics, and integration with Azure Monitor and Azure Web Application Firewall (WAF).

Why DDoS Protection Exists

DDoS attacks aim to exhaust a target's resources—bandwidth, CPU, or connection tables—making services unavailable to legitimate users. Without protection, even a moderate attack can overwhelm a virtual machine’s NIC or a load balancer’s frontend. Azure DDoS Protection Standard mitigates this by absorbing and scrubbing malicious traffic before it reaches your resource.

How It Works Internally

Azure DDoS Protection Standard operates at the Azure edge network, not inside your virtual network. When you enable the Standard tier on a virtual network (VNet), traffic to all public IP addresses associated with that VNet is monitored and protected. The service uses a combination of always-on traffic monitoring and adaptive tuning:

1. Traffic Monitoring: The service continuously monitors traffic for common attack patterns, such as SYN floods, UDP floods, and DNS amplification attacks. It uses machine learning to establish a baseline of normal traffic for each protected resource.

2. Adaptive Tuning: Over time, the service learns the typical traffic patterns for your resource. This baseline is used to distinguish between legitimate spikes (e.g., a flash sale) and malicious traffic. The adaptive tuning adjusts thresholds automatically, so you don't need to configure them manually.

3. Attack Mitigation: When traffic exceeds a threshold (e.g., packets per second or bandwidth), mitigation begins. The service scrubs traffic at the Azure edge, dropping malicious packets and forwarding only clean traffic. Mitigation actions include:

   - Blocking source IP addresses that are part of a botnet.
   - Rate-limiting traffic from suspicious sources.
   - Dropping packets with invalid TCP flags.

4. Protocol-Level Protection: The service protects against:

   - Layer 3 (Network): UDP floods, ICMP floods, IP fragmentation attacks.
   - Layer 4 (Transport): SYN floods, TCP connection exhaustion, reflection attacks.
   - Layer 7 (Application): HTTP floods, Slowloris attacks (when integrated with WAF).

5. Telemetry and Alerts: During a mitigation event, metrics are sent to Azure Monitor. You can view attack details (e.g., attack type, total packets dropped) in the DDoS Protection reports. Alerts can be configured to trigger when mitigation starts or stops.

Key Components, Values, Defaults, and Timers

Tiers: Basic (free, always on, no configuration) and Standard (paid, requires enabling on a VNet).

Pricing: Standard is charged per protected VNet per month, plus data transfer charges for outbound traffic during mitigation.

Default Limits: Basic tier protects up to 1 Gbps per public IP. Standard tier scales automatically to protect against multi-Gbps attacks (up to several hundred Gbps).

Thresholds: Adaptive thresholds are set per resource based on historical traffic. There are no user-configurable thresholds in Standard; the service learns them.

Mitigation Duration: Typically lasts as long as the attack continues. After the attack subsides, mitigation stops automatically.

Integration: Works with Azure Front Door, Azure Application Gateway (with WAF), and Azure Load Balancer.

Configuration and Verification Commands

To enable DDoS Protection Standard on a VNet, you can use the Azure portal, Azure CLI, or PowerShell.

Azure CLI example:

# Create a DDoS protection plan
az network ddos-protection create --resource-group MyResourceGroup --name MyDdosPlan --location eastus

# Enable the plan on a VNet (the enable flag and the plan reference are both required)
az network vnet update --resource-group MyResourceGroup --name MyVNet --ddos-protection true --ddos-protection-plan MyDdosPlan

PowerShell example:

# Create a DDoS protection plan and keep the returned object for its resource ID
$plan = New-AzDdosProtectionPlan -ResourceGroupName MyResourceGroup -Name MyDdosPlan -Location eastus

# Enable the plan on a VNet. DdosProtectionPlan is a resource reference object (not a string),
# and EnableDdosProtection must also be set to $true for the association to take effect
$vnet = Get-AzVirtualNetwork -ResourceGroupName MyResourceGroup -Name MyVNet
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection = $true
Set-AzVirtualNetwork -VirtualNetwork $vnet

Verification: To view attack metrics, use Azure Monitor Metrics Explorer:

Metrics: DDoSProtectionTriggered (boolean), DDoSTotalBytesDropped (bytes), DDoSTotalPacketsDropped (count)
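The chapter repeatedly calls out missing alerts and diagnostic settings as the common gap. The following is an added PowerShell example, not from the chapter: it creates a metric alert that fires when mitigation starts on a protected public IP, sends the DDoS diagnostic log categories to a Log Analytics workspace, and reads back the last hour of metrics. Resource names are placeholders, Az.Monitor 3.0 or later is assumed, and the metric names used are the platform's public-IP metric names (IfUnderDDoSAttack, PacketsDroppedDDoS, BytesDroppedDDoS), which is how the values this chapter calls DDoSProtectionTriggered, DDoSTotalPacketsDropped and DDoSTotalBytesDropped appear in Metrics Explorer.

```powershell
# Added example (not part of the chapter). Placeholders: a resource group, a
# public IP inside a VNet that already has the Standard plan attached, an
# existing action group, and a Log Analytics workspace. Requires Az.Network,
# Az.Monitor 3.0+ and Az.OperationalInsights; run after Connect-AzAccount.
$rg      = 'MyResourceGroup'
$pipName = 'MyPublicIp'          # public IP of the load balancer or VM to watch
$agName  = 'SecOpsActionGroup'   # existing action group (email, SMS, webhook)
$lawName = 'MyLogAnalytics'      # existing Log Analytics workspace

$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$ag  = Get-AzActionGroup -ResourceGroupName $rg -Name $agName
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawName

# 1. Alert when mitigation starts. The public-IP metric IfUnderDDoSAttack is 1
#    while the Azure edge is scrubbing traffic and 0 otherwise. Metric alerts
#    are stateful by default: the rule fires on the first 5-minute window with
#    the flag set and resolves when the flag drops back to 0, which gives you
#    both the "mitigation started" and "mitigation stopped" notifications.
$underAttack = New-AzMetricAlertRuleV2Criteria `
    -MetricName 'IfUnderDDoSAttack' `
    -MetricNamespace 'Microsoft.Network/publicIPAddresses' `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0

New-AzMetricAlertRuleV2 -Name 'ddos-mitigation-active' -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $underAttack `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1 `
    -ActionGroupId $ag.Id `
    -Description "DDoS mitigation is active on $pipName"

# 2. Send the DDoS diagnostic logs (notifications, per-flow mitigation logs and
#    the post-attack mitigation reports) to Log Analytics for auditing.
$logs = 'DDoSProtectionNotifications', 'DDoSMitigationFlowLogs', 'DDoSMitigationReports' |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true }

New-AzDiagnosticSetting -Name 'ddos-logs-to-law' -ResourceId $pip.Id `
    -WorkspaceId $law.ResourceId -Log $logs

# 3. Verify: read the last hour of telemetry at 5-minute grain.
$end   = Get-Date
$start = $end.AddHours(-1)
$grain = [TimeSpan]::FromMinutes(5)

$flag = Get-AzMetric -ResourceId $pip.Id -MetricName 'IfUnderDDoSAttack' `
    -StartTime $start -EndTime $end -TimeGrain $grain -AggregationType Maximum
$windowsUnderAttack = @($flag.Data | Where-Object { $_.Maximum -gt 0 }).Count
"Windows with mitigation active in the last hour: $windowsUnderAttack"

$dropped = Get-AzMetric -ResourceId $pip.Id `
    -MetricName 'PacketsDroppedDDoS', 'BytesDroppedDDoS' `
    -StartTime $start -EndTime $end -TimeGrain $grain -AggregationType Total
foreach ($m in $dropped) {
    $sum = ($m.Data | Measure-Object -Property Total -Sum).Sum
    '{0} dropped in the last hour: {1}' -f $m.Name.Value, [int64]$sum
}
```

Run it against each public IP you care about; the alert and the diagnostic setting are scoped to the public IP resource, not to the VNet or the plan.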

Interaction with Related Technologies

Azure Firewall: DDoS Protection operates before traffic reaches Azure Firewall. It is complementary; Firewall provides stateful inspection, while DDoS Protection provides volumetric attack mitigation.

Network Security Groups (NSGs): NSGs filter traffic at the subnet or NIC level. DDoS Protection operates at the network edge, so it is not a substitute for NSGs.

Azure WAF: Application Gateway WAF provides Layer 7 protection against SQL injection, XSS, etc. DDoS Protection Standard can be combined with WAF for comprehensive defense.

Azure Front Door: When using Front Door, DDoS Protection is automatically enabled on the Front Door endpoint. For backend origins, you may still need DDoS Protection on the VNet.

Important Exam Points

DDoS Protection Standard is region-specific and must be enabled per VNet in a region that supports it.

The service does not block legitimate traffic; it uses adaptive thresholds to avoid false positives.

Cost: You are charged for the protection plan itself (per VNet per month) and for outbound data transfer during mitigation. There is no charge for inbound data during mitigation.

Always-on monitoring means no manual intervention is needed to start protection.

The service provides attack analytics via Azure Monitor, including post-attack reports.

Common Misconfigurations

Enabling on a single VM instead of the VNet: The Standard tier must be enabled at the VNet level, not on individual VMs.

Expecting Layer 7 protection without WAF: Standard DDoS Protection only covers layers 3-4. For application layer attacks, you need WAF.

Not configuring alerts: Without alerts, you may not know an attack occurred until you check metrics.

Exam Traps

The exam may ask: "Which tier provides adaptive tuning?" Answer: Standard (not Basic).

A question might describe a scenario where a resource is under a Layer 7 attack and ask which service to use. The correct answer is Azure Application Gateway WAF, not DDoS Protection Standard.

Another trap: DDoS Protection Basic is always enabled, but it only protects against infrastructure-level attacks and does not provide telemetry. Standard provides telemetry and adaptive tuning.

Walk-Through

1. Enable DDoS Protection Plan

First, create a DDoS Protection Plan in the Azure region where your VNet resides. The plan is a regional resource that defines the scope of protection. You can have multiple plans per subscription, but each VNet can only be associated with one plan. The plan itself does not contain any configuration; it is a logical container that enables billing and management. Use the Azure portal, CLI, or PowerShell to create the plan. Example CLI: `az network ddos-protection create --resource-group MyRG --name MyPlan --location eastus`.

2. Associate VNet with the Plan

After creating the plan, associate it with the virtual network you want to protect. This association can be done during VNet creation or on an existing VNet. Once associated, all public IP addresses within that VNet (including those on VMs, load balancers, and application gateways) are automatically protected. The association is a one-to-many relationship: one plan can be associated with multiple VNets, but each VNet can only be associated with one plan. Use CLI: `az network vnet update --resource-group MyRG --name MyVNet --ddos-protection true --ddos-protection-plan MyPlan`.

3. Monitor Traffic Baseline

Once enabled, the service begins monitoring traffic to all protected public IPs. It establishes a baseline of normal traffic over a period of time (usually a few days). The baseline includes metrics like packets per second, bytes per second, and number of concurrent connections. This baseline is continuously updated to adapt to changing traffic patterns. No user action is required. The service uses machine learning to detect anomalies.

4. Detect and Mitigate Attack

When traffic exceeds the adaptive threshold (e.g., a sudden spike in SYN packets), the service triggers mitigation. The mitigation process involves analyzing traffic flows and dropping malicious packets. The service can block traffic from specific source IPs, rate-limit traffic, or drop packets with invalid TCP flags. The mitigation is applied at the Azure edge, so the protected resource never receives the attack traffic. During mitigation, metrics like `DDoSProtectionTriggered` become true, and counters for dropped packets/bytes increase.

5. Review Attack Telemetry

After or during an attack, you can view detailed telemetry in Azure Monitor. Metrics include total packets dropped, total bytes dropped, and attack type (e.g., SYN flood, UDP flood). You can also generate a post-attack report that summarizes the attack duration, top source IPs, and mitigation actions. This telemetry is essential for compliance and post-incident analysis. Alerts can be configured to notify you when mitigation starts or stops.

What This Looks Like on the Job

Scenario 1: E-commerce Platform During Holiday Season

A large e-commerce company runs its web application on Azure VMs behind a load balancer. During Black Friday, they expect high traffic but also face the risk of DDoS attacks from competitors. They enable DDoS Protection Standard on the VNet containing the load balancer. The adaptive tuning learns the normal traffic patterns over the preceding weeks. When a SYN flood attack hits during the sale, the service automatically mitigates it, dropping malicious packets while allowing legitimate customers through. The company configures alerts to notify the security team when mitigation starts. Post-attack, they use the attack analytics report to identify the source IPs and update their firewall rules. Without Standard tier, the Basic tier might have allowed some attack traffic to reach the VMs, causing performance degradation.

Scenario 2: Gaming Company with UDP Floods

An online gaming company hosts game servers on Azure VMs. They are frequently targeted by UDP floods that attempt to saturate the server’s bandwidth. They enable DDoS Protection Standard on the VNet. The service quickly identifies the UDP flood pattern and blocks traffic from the attacking IP ranges. The company also integrates Azure WAF on their application gateway to protect against HTTP-based attacks like Slowloris. One common misconfiguration: they initially enabled DDoS Protection on individual VMs’ NICs, which is not supported—the service must be enabled at the VNet level. After correcting this, protection works as expected.

Scenario 3: Financial Services with Compliance Requirements

A bank uses Azure for its customer-facing portal. They must comply with regulatory requirements that mandate DDoS protection. They enable DDoS Protection Standard and configure diagnostic settings to send logs to a Log Analytics workspace for auditing. During a multi-vector attack (SYN flood + DNS amplification), the service mitigates both layers. The bank’s security team uses the post-attack report to demonstrate compliance to auditors. A common pitfall: they initially forgot to enable alerts, so they only discovered the attack hours later when reviewing metrics. They now have alerts configured for when mitigation starts and stops.

Performance Considerations

DDoS Protection Standard can handle attacks up to hundreds of Gbps. There is no need to scale your infrastructure for attack traffic; the service absorbs it.

The service introduces minimal latency (microseconds) because it operates at the edge.

During mitigation, outbound data transfer charges apply for traffic that is dropped. This can be costly if you are not monitoring the mitigation metrics and the resulting charges.

What Goes Wrong When Misconfigured

Not enabling at VNet level: Protection does not apply, leaving resources vulnerable.

Expecting Layer 7 protection: The service does not protect against application-layer attacks without WAF.

Ignoring alerts: You may not know an attack occurred, leading to prolonged downtime.

Incorrect region: The plan must be in the same region as the VNet. Cross-region association is not supported.

How AZ-104 Actually Tests This

Exam Objectives and Common Traps

The AZ-104 exam covers DDoS Protection under Objective 4.5: "Implement and manage network security." Specifically, you should be able to:

Distinguish between Basic and Standard tiers.

Understand how to enable DDoS Protection on a VNet.

Know the integration points (WAF, Front Door, Load Balancer).

Interpret attack metrics.

Most Common Wrong Answers

1. Choosing Basic when Standard is required: Questions often describe a need for adaptive tuning or telemetry. Basic does not provide these; Standard does. Candidates pick Basic because it's free, but the question explicitly asks for features only Standard provides.

2. Enabling on a VM instead of a VNet: The exam may present a scenario where a single VM needs protection. The incorrect answer is to enable DDoS Protection on the VM's NIC. The correct answer is to enable it on the VNet that contains the VM.

3. Confusing DDoS Protection with WAF: A question about Layer 7 attacks (e.g., SQL injection) might have an answer choice of DDoS Protection Standard. The correct answer is Azure WAF. Candidates mix up the layers.

4. Assuming DDoS Protection is always available in all regions: While most regions support it, some older or newer regions may not. The exam may test that you need to check regional availability.

Specific Numbers and Values

Default threshold: Not user-configurable; adaptive.

Mitigation scale: Up to hundreds of Gbps.

Billing: Per VNet per month (Standard).

Metrics: DDoSProtectionTriggered (boolean), DDoSTotalBytesDropped, DDoSTotalPacketsDropped.

Edge Cases

Multiple VNets in one plan: One plan can protect multiple VNets, but each VNet can only belong to one plan.

Cross-region: The plan and VNet must be in the same region.

Classic resources: DDoS Protection Standard does not support classic (ASM) resources. Only ARM resources.

How to Eliminate Wrong Answers

If the question mentions "adaptive tuning" or "attack analytics," eliminate Basic.

If the question is about application-layer attacks, eliminate DDoS Protection (unless combined with WAF).

If the question asks for protection for a single VM, look for the answer that involves enabling protection on the VNet, not the VM.

If the question mentions "cost" and "free," Basic is free; Standard is paid.

Exam Tips

Memorize the layers: DDoS Protection Standard handles L3-L4; WAF handles L7.

Remember that DDoS Protection Basic is always on, but it doesn't provide reports or adaptive tuning.

Know that you enable DDoS Protection on a VNet, not on individual resources.

Be familiar with the metrics names and what they indicate.

Understand that DDoS Protection Standard is a regional service.

Key Takeaways

DDoS Protection Standard must be enabled at the virtual network level, not on individual resources.

Adaptive tuning automatically adjusts thresholds based on traffic patterns; no manual configuration needed.

Standard tier provides attack telemetry via Azure Monitor metrics: DDoSProtectionTriggered, DDoSTotalBytesDropped, DDoSTotalPacketsDropped.

For Layer 7 protection, combine DDoS Protection Standard with Azure Application Gateway WAF or Azure Front Door WAF.

DDoS Protection Basic is free and always on, but lacks telemetry and adaptive tuning.

DDoS Protection Standard is regional; the plan and VNet must be in the same region.

Cost is per VNet per month, plus outbound data transfer during mitigation.

The service operates at the Azure edge, so legitimate traffic is not affected by mitigation.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DDoS Protection Basic

Free and automatically enabled on all Azure resources.

Protects only against infrastructure-level (L3/L4) attacks.

No adaptive tuning; uses fixed thresholds.

No attack telemetry or alerts.

Up to 1 Gbps protection per public IP.

DDoS Protection Standard

Paid service; requires enabling on a VNet.

Protects against L3/L4 attacks with higher capacity (hundreds of Gbps).

Adaptive tuning based on machine learning.

Provides attack telemetry, metrics, and post-attack reports.

Integrates with Azure Monitor for alerts and diagnostics.

Watch Out for These

Mistake

DDoS Protection Standard protects against all types of attacks including application-layer attacks.

Correct

Standard tier protects up to Layer 4 (transport). For Layer 7 (application) attacks, you need Azure Application Gateway WAF or Azure Front Door WAF.

Mistake

You must configure thresholds manually for DDoS Protection Standard.

Correct

Thresholds are adaptive and automatically learned from traffic patterns. No manual configuration is needed.

Mistake

DDoS Protection Standard can be enabled on individual virtual machines.

Correct

It must be enabled at the virtual network level. All public IPs in the VNet are then protected.

Mistake

Basic tier provides attack telemetry and alerts.

Correct

Basic tier only provides infrastructure-level protection with no telemetry or alerting. Standard tier provides these features.

Mistake

DDoS Protection Standard is available in all Azure regions.

Correct

It is available in most regions, but you should verify regional availability. Some newer or older regions may not support it.


Frequently Asked Questions

What is the difference between DDoS Protection Basic and Standard?

Basic is free and automatically enabled on all Azure resources, but it only protects against common infrastructure-level attacks up to 1 Gbps per public IP, with no telemetry or adaptive tuning. Standard is a paid service that you enable on a VNet; it provides adaptive tuning, attack analytics, alerts, and can handle attacks up to hundreds of Gbps. For the exam, remember that Basic is for basic protection without reporting, while Standard is for production environments requiring visibility and higher capacity.

Can I enable DDoS Protection Standard on a single VM?

No, DDoS Protection Standard must be enabled at the virtual network level. Once enabled on a VNet, all public IP addresses associated with resources in that VNet are protected. If you need to protect only one VM, you still enable it on the VNet containing that VM. There is no option to protect a single VM without a VNet.

Does DDoS Protection Standard protect against application-layer attacks like SQL injection?

No, DDoS Protection Standard operates at Layers 3 and 4 (network and transport). For application-layer (Layer 7) attacks, you need a Web Application Firewall (WAF) such as Azure Application Gateway WAF or Azure Front Door WAF. However, you can use both together for comprehensive protection.

How do I view DDoS attack metrics in Azure?

Attack metrics are available in Azure Monitor Metrics Explorer. Key metrics include DDoSProtectionTriggered (boolean indicating if mitigation is active), DDoSTotalBytesDropped, and DDoSTotalPacketsDropped. You can also generate a post-attack report from the DDoS Protection plan blade in the portal. These metrics help you understand attack magnitude and duration.

Is DDoS Protection Standard available in all Azure regions?

It is available in most regions, but not all. You should check regional availability on the Azure Products by Region page. For the exam, be aware that you must verify that your desired region supports DDoS Protection Standard before deploying.

Can I use the same DDoS Protection Plan for multiple VNets in different regions?

No, a DDoS Protection Plan is regional. It can be associated with multiple VNets, but only those in the same region as the plan. To protect VNets in different regions, you need separate plans in each region.

What happens during a DDoS attack mitigation?

When an attack is detected, the service automatically starts scrubbing traffic at the Azure edge. Malicious packets are dropped, and only clean traffic is forwarded to your resource. The mitigation continues as long as the attack is ongoing. Metrics show the number of dropped packets/bytes. After the attack subsides, mitigation stops automatically.
