AZ-305 | Chapter 70 of 103 | Objective 4.2

DDoS Protection Design

This chapter covers Azure DDoS Protection design, a critical topic for the AZ-305 exam under Objective 4.2: Design for security and identity. DDoS protection is a key architectural consideration for high-availability and resilient applications. Approximately 5–10% of exam questions touch on DDoS protection, focusing on SKU selection, integration with Azure Firewall and WAF, and cost implications. You'll learn the differences between DDoS Infrastructure Protection (free, always-on) and DDoS Network Protection (paid, tunable), how to design a layered defense, and common exam traps.

25 min read
Intermediate
Updated May 31, 2026

DDoS Protection as a Siege Defense

Imagine a medieval castle under siege. Attackers (DDoS traffic) try to overwhelm the castle by sending thousands of soldiers (packets) at every entrance. The defense has three layers. The outer moat is Azure DDoS Infrastructure Protection: it is always there, costs nothing, and blunts the crudest mass assaults (the largest Layer 3/4 floods), but nobody tells you when it was used and you cannot tune it. The castle wall is Azure DDoS Network Protection: its guards keep a running count of how many soldiers normally arrive at each gate on a market day (a traffic baseline learned per public IP), and when arrivals at one gate jump far above that count they turn away the surplus while still admitting the usual flow (per-IP mitigation with adaptive thresholds). The guards also keep a ledger of every wave they repelled (attack reports and diagnostic logs) and can send for the king's engineers during a siege (DDoS Rapid Response). Inside, the castle commander (Azure Application Gateway WAF or Azure Front Door WAF) watches what the soldiers who got through actually do: if one tries every door in the keep (an HTTP flood) or carries a forged seal (SQL injection), he is arrested (blocked). Each layer handles a different kind of attack. The moat and the wall only count and weigh bodies (packets and bytes, Layers 3 and 4); only the commander reads the messages the soldiers carry (Layer 7). If the wall guards were too strict they would block friendly merchants (false positives), which is why their counts adapt to normal traffic instead of using a fixed number.

How It Actually Works

What is DDoS Protection and Why Does It Exist?

A Distributed Denial-of-Service (DDoS) attack tries to exhaust an application's capacity (network bandwidth, connection tables, or request handling) by flooding it with traffic from many sources at once. Azure offers two tiers of protection. Azure DDoS Infrastructure Protection (the tier the exam still calls Basic) is part of the platform: every public IP in Azure gets it at no charge, and it mitigates large network-layer floods that threaten Azure's own infrastructure. Azure DDoS Network Protection (formerly Standard) is a paid service: you create a DDoS protection plan resource and associate it with one or more virtual networks, and every public IP inside those virtual networks is then protected with per-IP adaptive tuning, telemetry, attack analytics, an SLA, and access to the DDoS Rapid Response team. A third, per-public-IP SKU, Azure DDoS IP Protection, exists for environments with only a handful of public IPs, but the AZ-305 exam focuses on the Basic-versus-Standard distinction.

On the AZ-305 exam, you must understand when to use each tier, how to design a defense-in-depth strategy, and how DDoS Protection integrates with other Azure security services like Azure Firewall, Web Application Firewall (WAF), and Azure Front Door.

How DDoS Protection Works Internally

Azure DDoS Protection operates at the Azure edge network, before traffic reaches your virtual network. When you enable DDoS Network Protection on a virtual network, Azure monitors traffic to all public IP addresses within that VNet. The service uses a combination of always-on traffic monitoring and adaptive threshold tuning based on your application's traffic patterns.

Detection: For each protected public IP, Azure tracks inbound traffic per protocol (TCP SYN packets, other TCP packets, UDP packets) and learns what that IP's normal level looks like. The resulting trigger thresholds are tuned per IP and exposed as metrics on the public IP resource (the 'Inbound TCP/SYN/UDP packets to trigger DDoS mitigation' metrics, alongside 'Under DDoS attack or not'). When inbound traffic to an IP crosses its current threshold, mitigation starts for that IP only. Microsoft does not publish a fixed formula or fixed default numbers for these thresholds; what the exam expects you to know is that they are adaptive, per public IP, and derived from historical traffic rather than a static value you configure. DDoS Protection does not measure HTTP requests per second at all; that is a WAF concern.

Mitigation: Once an attack is detected, Azure scrubs traffic at the Azure network edge, before it enters your virtual network, using a combination of:
- Layer 3/4 mitigation: drops or rate-limits packets by source IP, protocol, and port. This covers SYN floods, UDP floods, ICMP floods, and reflection/amplification attacks.
- Application-layer mitigation: DDoS Protection itself never parses HTTP. Layer 7 floods are handled by the WAF on Azure Application Gateway or Azure Front Door, which applies managed rule sets and rate limits to the requests that survive network-layer scrubbing.
- Adaptive tuning: the per-IP thresholds are adjusted over time as your traffic profile changes, so gradual growth in legitimate traffic does not trigger mitigation.

Post-mitigation: After an attack subsides, protection returns to monitoring mode. You can view attack reports and diagnostic logs via Azure Monitor and Azure DDoS Protection reports.

Key Components, Values, Defaults, and Timers

DDoS Infrastructure Protection (Basic): always on for every Azure public IP, no configuration possible. Mitigates large network-layer floods (SYN floods, UDP floods, amplification attacks) at thresholds set to protect the Azure platform, which are far higher than what a single small application can absorb. No telemetry, no alerts, no attack reports, no SLA, no cost.

DDoS Network Protection (Standard): requires a DDoS protection plan (list price about $2,944 per month per plan, covering 100 protected public IP resources, with a per-IP charge above that; confirm current pricing on the Azure pricing page). Provides a 99.99% availability SLA for protected resources, per-IP adaptive tuning, attack metrics and diagnostic logs, cost protection (service credits for scale-out and data-transfer costs incurred during a documented attack), and access to the DDoS Rapid Response (DRR) team during an active attack.

Protected public IPs: 100 are included per plan; additional IPs are billed individually. A single plan can be associated with virtual networks in any region and in multiple subscriptions of the same tenant, so most organisations need exactly one plan.

Thresholds: set per public IP by adaptive tuning from that IP's historical traffic, per protocol (TCP SYN, TCP, UDP). The current trigger values are visible as metrics on the public IP resource; they are not a documented fixed number and you cannot set them by hand. The exam tests the concept (adaptive, per IP, learned from history) rather than specific figures.

Mitigation timing: detection and the start of mitigation typically take from one to a few minutes after traffic crosses the threshold. While mitigation is active, Azure produces an incremental mitigation report every five minutes and a post-mitigation report once the attack ends. Layer 7 floods are not mitigated by this service at all, however long they last; they are handled by the WAF.

Diagnostic logs: configured as a diagnostic setting on each protected public IP address resource (not on the plan or the virtual network), so an IP you forget to configure produces no logs. Categories are DDoSProtectionNotifications (mitigation start/stop), DDoSMitigationFlowLogs (per-flow drop/forward decisions during mitigation) and DDoSMitigationReports (incremental and post-mitigation summaries: attack vectors, dropped traffic, top sources). Destinations are Log Analytics, a Storage Account, or Event Hubs.

Configuration and Verification Commands

Using Azure CLI:

# Create a DDoS protection plan. One plan can serve VNets in any region
# or subscription of the tenant, so the plan's own region is unimportant.
az network ddos-protection create \
  --resource-group MyResourceGroup \
  --name MyDdosPlan \
  --location eastus

# Enable DDoS Network Protection on a virtual network and link it to the plan.
# Pass the plan's full resource ID instead of its name when the plan lives in
# another resource group or subscription.
az network vnet update \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --ddos-protection-plan MyDdosPlan \
  --ddos-protection true

# Verify: both the enable flag and the plan link must be set
az network vnet show \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --query "{enabled: enableDdosProtection, plan: ddosProtectionPlan.id}" \
  --output json

Using Azure Portal:
1. Navigate to the DDoS protection plans blade and create a plan (any region; it can be shared by virtual networks in other regions and subscriptions of the tenant).
2. Open each virtual network that contains public IPs, go to DDoS protection, select Enable, and pick the plan.
3. On each protected public IP address, add a diagnostic setting so the DDoS log categories are sent to Log Analytics, a storage account, or an event hub.
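The commands above verify one virtual network at a time. The script below is an added example written for this chapter (it is not Microsoft's code): it reads the JSON that `az network vnet list -o json` produces for the current subscription and reports which virtual networks are protected, which are not, and how plans are shared across regions, so a reviewer can spot the VNet someone forgot. The embedded sample output is constructed; the field names it reads (`enableDdosProtection`, `ddosProtectionPlan.id`, `name`, `location`) are the ones the CLI returns for virtual networks. Run it with `--live` to call the CLI for real (requires `az login`, and you must repeat it per subscription).

```python
"""Audit DDoS Network Protection coverage across virtual networks.

Added example for this chapter, not Microsoft code. Input is the JSON
array that `az network vnet list -o json` returns; only the fields
enableDdosProtection, ddosProtectionPlan.id, name and location are used.
"""
import json
import subprocess
import sys

# Constructed sample of `az network vnet list -o json`, trimmed to the fields
# the audit reads. Subscription IDs and names are placeholders.
PLAN = ("/subscriptions/sub-security/resourceGroups/rg-sec/providers/"
        "Microsoft.Network/ddosProtectionPlans/corp-ddos")
SAMPLE_VNETS = json.dumps([
    {"name": "hub-eastus", "location": "eastus",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN}},
    # A VNet in another region (and another subscription) sharing the plan.
    {"name": "spoke-web-weu", "location": "westeurope",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN}},
    # Internet-facing dev VNet that nobody associated with the plan.
    {"name": "spoke-dev", "location": "eastus",
     "enableDdosProtection": False, "ddosProtectionPlan": None},
    # Flag and plan disagree; ARM normally rejects this, but audit for it.
    {"name": "legacy", "location": "eastus",
     "enableDdosProtection": True, "ddosProtectionPlan": None},
])


def sample_vnets():
    """Parsed copy of the constructed sample (handy for tests and demos)."""
    return json.loads(SAMPLE_VNETS)


def classify(vnet):
    """Return 'protected', 'unprotected' or 'check' for one VNet record."""
    enabled = bool(vnet.get("enableDdosProtection"))
    plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id")
    if enabled and plan_id:
        return "protected"
    if not enabled and not plan_id:
        return "unprotected"
    # Inconsistent state: treat as unprotected until confirmed in the portal.
    return "check"


def audit(vnets):
    """Map each VNet name to its protection status."""
    return {v["name"]: classify(v) for v in vnets}


def unprotected(vnets):
    """Names of VNets that need attention, sorted for stable output."""
    return sorted(name for name, status in audit(vnets).items()
                  if status != "protected")


def plan_usage(vnets):
    """Plan ID -> sorted (vnet, region) pairs using it.

    One plan serving several regions is expected and correct; several
    plans usually means someone is paying the fixed charge twice.
    """
    usage = {}
    for v in vnets:
        plan_id = (v.get("ddosProtectionPlan") or {}).get("id")
        if plan_id:
            usage.setdefault(plan_id, []).append((v["name"], v.get("location")))
    return {k: sorted(vals) for k, vals in usage.items()}


def report(vnets):
    """Human-readable summary used by the command-line entry point."""
    lines = [f"{name:20} {status}" for name, status in sorted(audit(vnets).items())]
    usage = plan_usage(vnets)
    for plan_id, users in usage.items():
        regions = sorted({region for _, region in users})
        lines.append(f"plan {plan_id.rsplit('/', 1)[-1]}: {len(users)} VNets "
                     f"across regions {', '.join(regions)}")
    if len(usage) > 1:
        lines.append("WARNING: more than one plan in use; one plan can serve "
                     "every region and subscription in the tenant")
    return "\n".join(lines)


def load_live():
    """Call the Azure CLI for real (needs `az login`); only used with --live."""
    out = subprocess.run(["az", "network", "vnet", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    data = load_live() if "--live" in sys.argv else sample_vnets()
    print(report(data))
```

The 'check' status should never appear in a healthy subscription; it exists so that a record where the enable flag and the plan link disagree is surfaced instead of silently counted as protected.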

How It Interacts with Related Technologies

Azure Firewall: Can be placed in the same VNet to provide additional stateful filtering and threat intelligence-based filtering. DDoS Protection scrubs traffic before it reaches the firewall.

Azure Application Gateway WAF: Provides layer 7 protection against SQL injection, XSS, and HTTP floods. DDoS Protection handles layer 3/4 attacks, while WAF handles application-layer attacks.

Azure Front Door: a global, Microsoft-managed edge that comes with infrastructure-level DDoS protection and an optional WAF. Because it terminates client traffic at Microsoft's edge locations, volumetric attacks are absorbed there and your origins only see Front Door's traffic. That only holds if origins cannot be reached any other way: restrict origin ingress to the AzureFrontDoor.Backend service tag (or use Private Link origins) and validate the X-Azure-FDID header at the origin. An origin with a directly reachable public IP still needs DDoS Network Protection on its VNet.

Azure Load Balancer: DDoS Protection protects the public IPs of load balancers. It does not protect internal load balancer IPs.

Azure Bastion: deploys a public IP into your virtual network (except the Developer SKU, which has none). That IP gets infrastructure protection like any other public IP, and if the virtual network is associated with a DDoS protection plan it is covered by Network Protection as well; there is nothing Bastion-specific to configure.

Multi-tenant PaaS endpoints that do not live in your virtual network (App Service without an App Service Environment, Azure SQL Database, Storage accounts) are covered only by infrastructure protection. DDoS Network Protection protects public IP resources inside virtual networks you own; it cannot be applied to a PaaS endpoint.

Exam tip: The exam often asks which tier protects against which attacks. Both tiers mitigate network-layer (Layer 3/4) floods; the difference is that Basic works at platform-scale thresholds with no visibility, while Standard tunes thresholds to each of your public IPs and adds telemetry, alerts, attack reports, an SLA, cost protection and DRR support. Neither tier inspects HTTP; application-layer attacks require a WAF.

Walk-Through

1

Identify Application Criticality and Traffic Profile

Determine whether the application is internet-facing and what availability it must meet. For mission-critical internet-facing workloads, plan on DDoS Network Protection (Standard). Record the normal traffic profile (packets, bytes and HTTP requests per second) so you can read Azure's adaptive thresholds and WAF rate-limit metrics against a known baseline; you do not set the DDoS thresholds yourself. If the application speaks HTTP(S), plan a WAF for application-layer protection. Document your tolerance for false positives and for the minutes it takes mitigation to engage.

2

Create or Select a DDoS Protection Plan

In Azure, navigate to DDoS protection plans and create a plan. The plan is a standalone resource: pick any region for it, because one plan can be associated with virtual networks in other regions and in other subscriptions of the same tenant, and there is no reason to create one per region. Pricing is a fixed monthly charge that covers 100 protected public IP resources, plus a per-IP charge for each additional IP; check the Azure pricing page for current figures and for any data-processing component before quoting a cost.

3

Enable DDoS Protection on Virtual Networks

For each virtual network that contains public IPs (e.g., VMs, load balancers, Application Gateway), enable DDoS Protection and associate it with the plan. At the packet level, Azure now monitors all traffic to those public IPs. Traffic flows through Azure's edge routers where DDoS Protection inspects headers and drops malicious packets before they reach your VNet.

4

Configure Diagnostic Logging and Alerts

Add a diagnostic setting to every protected public IP address (the DDoS log categories live on the public IP resource, not on the plan or the VNet). Send logs to Log Analytics for querying, to a Storage Account for archival, or to Event Hubs for streaming into a SIEM. Create Azure Monitor metric alerts on the public IP metric 'Under DDoS attack or not' (IfUnderDDoSAttack) so you are paged when mitigation starts, and watch 'Inbound packets dropped DDoS' and the 'Inbound TCP/SYN/UDP packets to trigger DDoS mitigation' metrics to see what the adaptive threshold currently is for each IP.

5

Integrate with Web Application Firewall (WAF)

Deploy Azure Application Gateway with WAF or Azure Front Door with WAF in front of your application. Configure WAF policies to block SQL injection, XSS, and HTTP floods. DDoS Protection handles layer 3/4 attacks, while WAF handles layer 7 attacks. This layered approach ensures that malicious traffic is filtered at multiple levels. Test the WAF rules in detection mode first to avoid blocking legitimate traffic.

What This Looks Like on the Job

Scenario 1: E-commerce Platform with Seasonal Traffic Spikes

A large e-commerce company runs its website on Azure VMs behind a public load balancer. During Black Friday, traffic increases 10x. With only infrastructure protection, a SYN flood sized well below Azure's platform-level thresholds still exhausts the backend's connection tables and causes downtime. The company enables DDoS Network Protection on the VNet containing the load balancer. Because thresholds are tuned per public IP from its own history, the pre-holiday ramp raises the threshold and legitimate Black Friday traffic is not mitigated, while the SYN flood is detected within a couple of minutes and the malicious SYN packets are dropped at the edge. The site remains available. Common pitfall: no diagnostic setting on the load balancer's public IP. Without the logs and attack metrics, the team cannot tell an attack from a legitimate spike and either overprovisions or chases false alarms.

Scenario 2: Financial Services with Strict Compliance

A bank deploys a web application behind Azure Front Door with WAF, with the origins in a virtual network that has DDoS Network Protection enabled. Regulators require documented availability. Front Door's WAF is configured with the managed rule set plus rate-limit rules. During an attack that combines a volumetric flood with an HTTP flood, Front Door absorbs the volumetric part at Microsoft's edge and the WAF drops the application-layer part, so the origin VNet sees only clean traffic. Common misconfiguration: leaving the origin's public IP reachable directly from the internet. An attacker who finds that IP (certificate transparency logs, DNS history, scanning) bypasses Front Door entirely, so the edge absorption and the WAF never see the attack. Lock origins down to the AzureFrontDoor.Backend service tag or Private Link and validate the X-Azure-FDID header; where an origin must keep a public IP, its VNet needs DDoS Network Protection of its own, which is why the bank enabled it.
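The origin lockdown in this scenario can be enforced in code as well as at the network layer. What follows is an added example written for this chapter, not the bank's or Microsoft's code: a small WSGI middleware that rejects any request lacking the `X-Azure-FDID` header value of your Front Door profile (the Front Door ID shown on the profile's Overview; the GUID used here is a placeholder). It complements, and does not replace, restricting the origin's NSG to the `AzureFrontDoor.Backend` service tag, because the header only proves provenance once nothing but Front Door can reach the origin.

```python
"""Reject origin requests that did not arrive through Azure Front Door.

Added example, not part of the original chapter. Front Door stamps every
request it forwards with the X-Azure-FDID header containing the profile's
Front Door ID. Comparing it at the origin, together with an NSG rule that
only admits the AzureFrontDoor.Backend service tag, stops attackers who
discover the origin's public IP from bypassing the edge WAF.
"""
import hmac

# Placeholder: copy the real value from your Front Door profile's Overview.
EXPECTED_FDID = "11111111-2222-3333-4444-555555555555"


def from_front_door(headers, expected_fdid=EXPECTED_FDID):
    """True only if the request carries the expected Front Door ID.

    `headers` is any mapping of header name to value; names are matched
    case-insensitively. The comparison is constant-time so response timing
    does not reveal how much of a guessed ID was correct.
    """
    lowered = {str(k).lower(): str(v) for k, v in headers.items()}
    presented = lowered.get("x-azure-fdid", "").strip().encode("utf-8")
    return hmac.compare_digest(presented, expected_fdid.encode("utf-8"))


def headers_from_environ(environ):
    """Recover HTTP headers from a WSGI environ (HTTP_X_AZURE_FDID -> x-azure-fdid)."""
    return {k[5:].replace("_", "-").lower(): v
            for k, v in environ.items() if k.startswith("HTTP_")}


def front_door_guard(app, expected_fdid=EXPECTED_FDID):
    """WSGI middleware: answer 403 to anything that did not come via Front Door."""
    def guarded(environ, start_response):
        if not from_front_door(headers_from_environ(environ), expected_fdid):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin is only reachable through Azure Front Door\n"]
        return app(environ, start_response)
    return guarded


def hello_app(environ, start_response):
    """Minimal origin application used to demonstrate the guard."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def status_for(environ, expected_fdid=EXPECTED_FDID):
    """Run the guarded app on one request; return (status line, body bytes)."""
    seen = []
    body = front_door_guard(hello_app, expected_fdid)(
        environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)


if __name__ == "__main__":
    # Constructed requests: one via Front Door, one aimed straight at the origin.
    print(status_for({"HTTP_X_AZURE_FDID": EXPECTED_FDID})[0])  # 200 OK
    print(status_for({})[0])                                      # 403 Forbidden
```

Wrap your real WSGI application with `front_door_guard` in the same way `hello_app` is wrapped here. The same check belongs in any reverse proxy or API gateway in front of the origin; a request that carries the wrong ID, or none, should be logged as a bypass attempt because it means something other than Front Door reached the origin.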

Scenario 3: Gaming Company with Global User Base

A gaming company uses Azure Load Balancer for its game servers across multiple regions. They associate every region's VNet with the one DDoS protection plan the company owns. During a UDP amplification attack, DDoS Protection sees inbound UDP to a game server's public IP exceed that IP's tuned threshold and drops the malicious UDP traffic at the edge. The game servers remain responsive. Performance consideration: there is no inline appliance adding latency; monitoring is passive, and traffic is only scrubbed once mitigation starts. The company reviews the post-mitigation reports to see the attack vectors and top source ASNs and countries, and tightens NSG rules and game-server rate limits accordingly.

How AZ-305 Actually Tests This

The AZ-305 exam (Objective 4.2: Design for security and identity) tests DDoS Protection design in the context of high availability and security architecture. Specific objectives include:

Design a DDoS protection strategy (AZ-305: 4.2.3)

Recommend a DDoS protection tier (Basic vs. Standard)

Integrate DDoS Protection with Azure Firewall, WAF, and Front Door

Common wrong answers and why candidates choose them:

1.

"DDoS Basic protects against all attacks" – Candidates think free means full protection. Reality: Basic only protects against common network-layer attacks (SYN floods, UDP floods, etc.). It does not provide adaptive tuning or application-layer protection.

2.

"DDoS Standard is per-resource" – Candidates think you enable it on each VM. Reality: the plan is associated with virtual networks, and every public IP inside an associated VNet is protected. The plan itself is a standalone resource that can be shared across VNets, regions and subscriptions; it is neither per-resource nor per-region. (The separate DDoS IP Protection SKU is the one that is enabled per public IP.)

3.

"WAF alone is sufficient for DDoS" – Candidates think WAF handles all attacks. Reality: WAF protects layer 7 (HTTP/HTTPS), but volumetric layer 3/4 attacks (e.g., UDP floods) bypass WAF. You need DDoS Protection for network-layer attacks.

4.

"DDoS Protection works on internal IPs" – Candidates think it protects all IPs in a VNet. Reality: It only protects public IPs. Internal IPs are not exposed to the internet.

Specific values that appear on the exam: - DDoS Network Protection list price: about $2,944/month per plan, covering 100 protected public IP resources. - SLA: 99.99% availability with Standard. - Thresholds: adaptive, learned per public IP from historical traffic and exposed as metrics; there are no documented fixed defaults, so an answer built on a specific PPS or Mbps figure is usually a distractor unless the question supplies that figure itself.

Edge cases the exam loves: - What if you have multiple VNets in different regions or subscriptions? One plan can be associated with all of them; you do not need a plan per region. - Can you protect an Application Gateway with DDoS Protection? Yes: its public IP sits in your VNet, so associating that VNet with the plan covers it, and the gateway's WAF adds Layer 7 protection. - Does DDoS Protection protect against application-layer attacks? No; that requires a WAF on Application Gateway or Front Door. - Does it protect App Service, Azure SQL or Storage endpoints? Only through infrastructure protection, because those endpoints are not public IPs in your VNet.

How to eliminate wrong answers: - If the question mentions 'cost-effective' and 'basic attacks', choose Basic. - If the question mentions 'adaptive tuning' or 'SLA', choose Standard. - If the question mentions 'HTTP flood' or 'SQL injection', you need WAF, not just DDoS Protection.

Key Takeaways

Azure DDoS Infrastructure Protection (Basic) is free and always-on, protecting against common network-layer attacks.

Azure DDoS Network Protection (Standard) is a paid, per-virtual-network service that provides adaptive tuning, 99.99% SLA, and attack analytics.

DDoS Standard requires a protection plan, which can be shared across virtual networks, regions and subscriptions of the same tenant; each plan includes 100 protected public IPs, with per-IP billing beyond that.

Thresholds are adaptive, learned per public IP from its historical traffic and exposed as metrics on the public IP; there are no documented fixed defaults and you cannot set them manually.

DDoS Protection only protects public IPs, not internal IPs.

For application-layer attacks (HTTP floods, SQL injection), combine DDoS Protection with Azure Application Gateway WAF or Azure Front Door WAF.

Diagnostic logs can be sent to Log Analytics, Storage, or Event Hubs for post-attack analysis.

The exam often asks about tier selection: Basic for cost-sensitive, low-risk apps; Standard for mission-critical apps needing SLA and monitoring.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DDoS Infrastructure Protection (Basic)

Free, always-on for all Azure resources

Protects against common network-layer attacks (SYN floods, UDP floods, ICMP floods)

No adaptive tuning—static thresholds

No SLA or attack analytics

Cannot be disabled or configured

DDoS Network Protection (Standard)

Paid plan (~$2,944/month per 100 public IPs)

Protects against network-layer attacks with adaptive tuning

99.99% availability SLA

Provides attack reports, diagnostic logs, and metrics

Requires enabling on virtual networks and associating a plan

Watch Out for These

Mistake

DDoS Basic protects against all DDoS attacks.

Correct

DDoS Basic only protects against common network-layer attacks (SYN floods, UDP floods, etc.). It does not protect against application-layer attacks (HTTP floods) or provide adaptive tuning. For comprehensive protection, you need DDoS Standard plus WAF.

Mistake

DDoS Standard is applied per virtual machine.

Correct

DDoS Standard is enabled at the virtual network level. All public IPs within that VNet are protected. You do not apply it to individual VMs.

Mistake

DDoS Protection works on internal load balancer IPs.

Correct

DDoS Protection only protects public IP addresses. Internal load balancers have private IPs that are not directly accessible from the internet, so they do not need DDoS Protection.

Mistake

Web Application Firewall (WAF) alone protects against DDoS attacks.

Correct

WAF protects against layer 7 attacks (HTTP floods, SQL injection, XSS). However, it does not protect against layer 3/4 volumetric attacks (e.g., UDP floods). You need Azure DDoS Protection for network-layer attacks.

Mistake

DDoS Standard protects against all types of DDoS attacks automatically.

Correct

DDoS Standard mitigates network-layer attacks with adaptive tuning, but it does not inspect HTTP and therefore does not stop application-layer attacks; combine it with a WAF. Mitigation itself needs nothing beyond associating the VNet with the plan, but without diagnostic settings on the public IPs and alerts on the attack metrics you will not know an attack happened, and you will lack the evidence needed to claim cost protection or engage DRR.


Frequently Asked Questions

What is the difference between Azure DDoS Basic and Standard?

Azure DDoS Basic is free and automatically enabled on all Azure resources. It protects against common network-layer attacks (SYN floods, UDP floods, ICMP floods) but does not provide adaptive tuning, SLA, or attack analytics. Azure DDoS Standard is a paid service that you enable on virtual networks. It offers adaptive tuning based on your traffic patterns, a 99.99% availability SLA, and detailed attack reports and diagnostics. Standard also allows you to configure alerts and integrate with Azure Monitor.

How do I enable DDoS Protection on my Azure resources?

For DDoS Basic, no action is needed—it is always-on. For DDoS Standard, you create a DDoS Protection Plan in the Azure Portal (or via CLI/PowerShell) and then associate it with your virtual network. All public IPs within that VNet are then protected. You must enable DDoS Protection on each VNet that contains public IPs you want to protect.

Does Azure DDoS Protection protect against application-layer attacks like HTTP floods?

Azure DDoS Protection (Basic and Standard) primarily protects against network-layer (Layer 3/4) attacks. For application-layer (Layer 7) attacks like HTTP floods, you need to use Web Application Firewall (WAF) with Azure Application Gateway or Azure Front Door. DDoS Protection can work together with WAF to provide layered defense.

What is adaptive tuning in Azure DDoS Standard?

Adaptive tuning automatically adjusts mitigation thresholds to each protected public IP's normal traffic. Azure profiles inbound traffic per protocol (TCP SYN, TCP, UDP) over time and sets a trigger level above that profile; the current level is visible in the public IP's 'Inbound TCP/SYN/UDP packets to trigger DDoS mitigation' metrics. Mitigation starts only when traffic to that IP exceeds its level, so a legitimate spike on one IP does not trigger mitigation on another, and steady growth raises the threshold instead of tripping it. The exact learning window and multiplier are not published.

Can I use Azure DDoS Protection with Azure Front Door?

Yes. Azure Front Door includes Microsoft-managed infrastructure DDoS protection at its edge and an optional WAF. Enable DDoS Network Protection on the origin VNet as well if any origin has a public IP. Defense in depth only works if the origin is reachable solely through Front Door: restrict it with the AzureFrontDoor.Backend service tag or Private Link and check the X-Azure-FDID header, otherwise an attacker can target the origin's IP directly and bypass the edge.

How much does Azure DDoS Network Protection cost?

The list price is about $2,944 per month per DDoS protection plan, which includes 100 protected public IP resources; each additional protected IP is billed monthly on top of that. You pay for the plan whether or not an attack occurs, and one plan can serve all your VNets across regions and subscriptions. Check the Azure pricing page for current figures, including any data-processing component, before quoting a number in a design.

What logs are available for DDoS attacks?

Azure DDoS Network Protection provides three diagnostic log categories, configured as a diagnostic setting on each protected public IP address: DDoSProtectionNotifications (mitigation start and stop events), DDoSMitigationFlowLogs (per-flow records of traffic dropped or forwarded during mitigation, including source IP and protocol), and DDoSMitigationReports (incremental reports every five minutes during mitigation and a post-mitigation summary with attack vectors, dropped traffic and top sources). They can be sent to Log Analytics, a Storage Account, or Event Hubs.
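To show what these categories look like once exported, here is an added example written for this chapter (not Microsoft code). It reads diagnostic records as JSON lines, pairs each MitigationStarted notification with the MitigationStopped for the same public IP to build a mitigation timeline, flags mitigations that are still open, and counts dropped flows per attacking source from the flow logs. The records are constructed. The property names used (`properties.PublicIpAddress` and `properties.Type` for notifications; `SourcePublicIpAddress`, `Protocol` and `Action` for flow logs) follow the documented shape of these categories but are assumptions: check them against a real record from your own storage account before relying on this in a runbook.

```python
"""Build a mitigation timeline from exported DDoS diagnostic records.

Added example for this chapter, not Microsoft code. Input is JSON lines as
exported from a public IP's diagnostic setting. Field names below follow the
documented categories but are assumptions; verify them against a real record.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed records: one complete mitigation on 203.0.113.10 with three
# dropped flows during it, and a mitigation on 203.0.113.20 that has not
# stopped yet (no MitigationStopped record).
PIP = ("/SUBSCRIPTIONS/SUB-A/RESOURCEGROUPS/RG-WEB/PROVIDERS/"
       "MICROSOFT.NETWORK/PUBLICIPADDRESSES/")
NOTIF, FLOW = "DDoSProtectionNotifications", "DDoSMitigationFlowLogs"
SAMPLE_LINES = "\n".join(json.dumps(r) for r in [
    {"time": "2026-05-01T10:00:05Z", "category": NOTIF, "resourceId": PIP + "PIP-LB",
     "properties": {"PublicIpAddress": "203.0.113.10", "Type": "MitigationStarted"}},
    {"time": "2026-05-01T10:01:00Z", "category": FLOW, "resourceId": PIP + "PIP-LB",
     "properties": {"SourcePublicIpAddress": "198.51.100.7", "Protocol": "udp", "Action": "Drop"}},
    {"time": "2026-05-01T10:02:00Z", "category": FLOW, "resourceId": PIP + "PIP-LB",
     "properties": {"SourcePublicIpAddress": "198.51.100.7", "Protocol": "udp", "Action": "Drop"}},
    {"time": "2026-05-01T10:02:30Z", "category": FLOW, "resourceId": PIP + "PIP-LB",
     "properties": {"SourcePublicIpAddress": "198.51.100.9", "Protocol": "udp", "Action": "Drop"}},
    {"time": "2026-05-01T10:23:40Z", "category": NOTIF, "resourceId": PIP + "PIP-LB",
     "properties": {"PublicIpAddress": "203.0.113.10", "Type": "MitigationStopped"}},
    {"time": "2026-05-01T11:10:00Z", "category": NOTIF, "resourceId": PIP + "PIP-API",
     "properties": {"PublicIpAddress": "203.0.113.20", "Type": "MitigationStarted"}},
])


def parse_records(text):
    """Parse JSON lines, skipping blanks; records come back sorted by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["time"])


def _ts(value):
    # Azure writes RFC 3339 with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def mitigation_windows(records):
    """Pair start/stop notifications per public IP.

    Each window is {ip, start, end, seconds}; end and seconds are None while
    a mitigation is still open. A stop without a matching start is kept with
    start=None so a gap in log delivery is visible rather than hidden.
    """
    open_starts, windows = {}, []
    for r in records:
        if r.get("category") != NOTIF:
            continue
        props = r["properties"]
        ip, kind, t = props["PublicIpAddress"], props["Type"], _ts(r["time"])
        if kind == "MitigationStarted":
            open_starts[ip] = t
        elif kind == "MitigationStopped":
            start = open_starts.pop(ip, None)
            windows.append({"ip": ip, "start": start, "end": t,
                            "seconds": (t - start).total_seconds() if start else None})
    for ip, start in open_starts.items():
        windows.append({"ip": ip, "start": start, "end": None, "seconds": None})
    floor = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(windows, key=lambda w: w["start"] or floor)


def dropped_by_source(records):
    """Count dropped flows per attacking source IP from the flow logs."""
    counts = Counter()
    for r in records:
        props = r.get("properties", {})
        if r.get("category") == FLOW and props.get("Action") == "Drop":
            counts[props["SourcePublicIpAddress"]] += 1
    return counts


def summarize(records):
    """Responder-friendly text: one line per window, then top dropped sources."""
    lines = []
    for w in mitigation_windows(records):
        if w["end"] is None:
            lines.append(f"{w['ip']}: mitigation STILL ACTIVE since {w['start'].isoformat()}")
        elif w["start"] is None:
            lines.append(f"{w['ip']}: stop seen at {w['end'].isoformat()} with no start record")
        else:
            lines.append(f"{w['ip']}: mitigated for {int(w['seconds'])} s, ended {w['end'].isoformat()}")
    for src, n in dropped_by_source(records).most_common(5):
        lines.append(f"  dropped {n} flow(s) from {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LINES)))
```

An open window at the end of the export is the case a responder cares about most: it means the attack (or at least the mitigation) is ongoing, and the post-mitigation report that would give the full picture does not exist yet, so you work from the incremental reports and the dropped-flow counts instead.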
