AZ-500 | Chapter 34 of 103 | Objective 3.2

Azure DDoS Protection: Basic vs Standard Tiers

This chapter covers Azure DDoS Protection, specifically the differences between the Basic and Standard tiers. Understanding DDoS protection is critical for the AZ-500 exam, as network security objectives (Objective 3.2) include implementing network security controls, and DDoS mitigation is a key component. Approximately 5–10% of exam questions touch on DDoS protection, often comparing tiers, configuration, and cost implications. By the end of this chapter, you will know exactly when to use each tier and how to configure Standard protection for your Azure resources.

25 min read
Intermediate
Updated May 31, 2026

DDoS Protection Like a Siege Defense

Imagine a medieval castle under siege. The Basic tier is like the kingdom's standing garrison: it exists to keep the whole kingdom's roads open, so it rides out only when an assault is large enough to threaten the kingdom itself, which is long after your single castle's gate has been overrun. It cannot tell a coordinated assault on your castle from an ordinary market day, and it never tunes its response to your walls. The Standard tier, by contrast, is a defensive system built for your castle: watchtowers on the walls provide 360-degree monitoring of your own gate (always-on detection per public IP), the defenders learn how many traders normally arrive each day so they recognize an unusual mass at the gate (adaptive tuning of mitigation thresholds), and when that threshold is crossed they deploy archers against the siege towers while letting supply wagons through (scrubbing attack packets while forwarding legitimate traffic). A war room of expert tacticians can be called in during the siege (DDoS Rapid Response, DRR), and allied castles across the realm share signal flags about attackers they have seen (Microsoft's global network telemetry). The guarantee you buy with Standard is not that the gate can never fall; it is that the defenders will be on duty (a 99.99% availability SLA for the protection service) and that the lord reimburses the extra provisions you bought during a documented siege (cost protection credits for scale-out costs). The Basic tier gives you only the kingdom's garrison, with no such guarantee.

How It Actually Works

What is Azure DDoS Protection and Why Does It Exist?

Distributed Denial of Service (DDoS) attacks aim to overwhelm a service by flooding it with traffic from many sources so that legitimate users cannot reach it. Azure DDoS Protection safeguards Azure applications by detecting volumetric, protocol and resource-layer attacks against public IP addresses and scrubbing the attack traffic at Azure's network edge before it reaches the target. It is integrated into the Azure platform and operates at the network and transport layers (Layer 3/4). Application-layer (Layer 7) attacks such as HTTP floods are not mitigated by DDoS Protection itself; for those you pair it with Azure Web Application Firewall on Application Gateway or Front Door.

Azure provides two tiers. Basic, which Microsoft now calls DDoS infrastructure protection, is enabled automatically at no extra cost for every Azure resource. It exists to protect the Azure platform itself, so its mitigation thresholds are set far above the traffic level of any single customer application: an attack that saturates your web tier can be well below the level at which Basic reacts. Standard, now called DDoS Network Protection, is a paid tier designed for larger and more sophisticated attacks; it adds adaptive tuning of thresholds to your own traffic profile, attack telemetry and mitigation reports, DDoS Rapid Response (DRR), and an SLA with cost protection. A third, newer SKU, DDoS IP Protection, offers the same mitigation engine enabled per public IP address without a plan. This chapter keeps the Basic and Standard names because most exam material still uses them.

How DDoS Protection Works Internally

Azure DDoS Protection uses a combination of techniques to detect and mitigate attacks:

1. Always-on traffic monitoring: the Standard tier continuously samples traffic to every protected public IP and compares it against a learned traffic profile for that IP. The profile is built from real traffic, so a freshly protected IP has less history behind its thresholds than one that has been protected for weeks.

2. Adaptive tuning: the mitigation policy thresholds (inbound SYN, TCP and UDP packets per second that trigger mitigation) are derived from each public IP's actual traffic and adjusted over time. This keeps legitimate spikes, for example a Black Friday sale, from tripping mitigation.

3. Layer 3/4 mitigation: for network-layer attacks, Azure scrubs traffic using SYN cookies, rate limiting, protocol validation and connection tracking. The service can absorb multi-Tbps volumetric attacks using Azure's global network capacity.

4. Layer 7 coverage: DDoS Protection does not inspect HTTP. Application-layer attacks (HTTP floods) are handled by Azure Web Application Firewall on Application Gateway or Front Door, which inspects headers, URI patterns and source IPs; the two services are designed to be used together.

5. Attack analytics and telemetry: the Standard tier publishes per-public-IP metrics to Azure Monitor (whether the IP is under attack, inbound, dropped and forwarded packets, and the current trigger thresholds), diagnostic logs (attack notifications, mitigation flow logs and mitigation reports), and includes access to DDoS Rapid Response (DRR) engineers during an active attack.

Key Components, Defaults, and Timers

Protection plans: a DDoS protection plan is an Azure resource that defines the set of virtual networks (VNets) to be protected. Although you pick a region when you create it, the plan is not regional: one plan can be linked to VNets in any region and in any subscription of the same Microsoft Entra tenant, and Microsoft recommends a single plan per tenant. Each plan has a default limit of 100 protected public IP addresses, which can be raised through a support request.

Cost: Basic is free. Standard is billed per plan at a fixed monthly charge (about $2,944 per month at the time of writing) that covers the first 100 protected public IP addresses, plus an overage charge for each additional protected IP and the per-GB data processing charges listed on the Azure pricing page. The fixed charge accrues as soon as the plan exists, whether or not any VNet is linked to it.

Mitigation thresholds: Standard uses adaptive per-public-IP thresholds derived from observed traffic. There is no fixed learning window; thresholds are learned continuously and exposed as the metrics DDoSTriggerSYNPackets, DDoSTriggerTCPPackets and DDoSTriggerUDPPackets, so you can read the current trigger values for each IP.

Attack duration: Standard mitigation is triggered within seconds of detection. The service can sustain mitigation for the entire duration of an attack, which can last hours or days.

SLA: the Standard SLA guarantees 99.99% availability of the DDoS Protection service itself, not of your application. Separately, cost protection gives service credits for the extra compute (for example autoscale-out of App Service or virtual machine scale sets) and data transfer you paid for during a documented attack. An attack that takes your application down is not by itself an SLA breach.

Supported resources: Standard protects public IP addresses attached to resources in a linked VNet, including VMs, load balancers, Application Gateway, Azure Firewall, VPN Gateway and Azure Bastion. It does not protect private IPs, on-premises resources, or PaaS endpoints that are not public IPs in your VNet.

Configuration and Verification Commands

To enable Standard DDoS Protection from the Azure CLI:

1. Create a DDoS protection plan (the region is only where the plan resource lives; it can protect VNets anywhere):

az network ddos-protection create --resource-group MyRG --name MyDdosPlan --location eastus

2. Enable protection on a virtual network and link it to the plan. Both flags are needed; the plan can be given by name when it is in the same resource group, otherwise pass its resource ID:

az network vnet update --resource-group MyRG --name MyVNet --ddos-protection true --ddos-protection-plan MyDdosPlan

3. Verify from both sides: the plan should list the VNet, and the VNet should show the flag and the plan ID:

az network ddos-protection show --resource-group MyRG --name MyDdosPlan --query virtualNetworks
az network vnet show --resource-group MyRG --name MyVNet --query "{enabled:enableDdosProtection, plan:ddosProtectionPlan.id}"

4. View attack metrics. The metrics live on the public IP address resource, not on the plan; the public IP must belong to a linked VNet (or have IP Protection enabled):

az monitor metrics list --resource MyPip --resource-group MyRG --resource-type Microsoft.Network/publicIPAddresses --metric IfUnderDDoSAttack --interval PT1M
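The commands above check one VNet at a time. The Python script below is an added example (not from the original page and not Microsoft's code) that audits a whole subscription export: it reads the JSON that az network vnet list -o json and az network public-ip list -o json return, reports every VNet that is not linked to a plan, shows that one plan legitimately spans several regions, lists public IPs covered by the per-IP DDoS IP Protection SKU, and emits the az commands that would close the gaps. The subscription ID, resource groups, VNet, public IP and plan names are constructed; the field names (enableDdosProtection, ddosProtectionPlan.id, ddosSettings.protectionMode, resourceGroup) are the ones the CLI emits.

```python
"""Audit DDoS Network Protection coverage from az CLI JSON exports (added example)."""
import json
from collections import defaultdict

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
PLAN_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-net/providers/"
           "Microsoft.Network/ddosProtectionPlans/plan-tenant")

SAMPLE_VNETS = [  # constructed; one plan (created in eastus) linked from two regions
    {"name": "vnet-app-eastus", "resourceGroup": "rg-app", "location": "eastus",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN_ID}},
    {"name": "vnet-app-westeurope", "resourceGroup": "rg-app", "location": "westeurope",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN_ID}},
    {"name": "vnet-game-japaneast", "resourceGroup": "rg-game", "location": "japaneast",
     "enableDdosProtection": False, "ddosProtectionPlan": None},
    {"name": "vnet-lab-eastus", "resourceGroup": "rg-lab", "location": "eastus",
     "enableDdosProtection": False, "ddosProtectionPlan": None},
]
SAMPLE_PIPS = [  # constructed; ddosSettings.protectionMode is the per-IP SKU switch
    {"name": "pip-game-1", "resourceGroup": "rg-game",
     "ddosSettings": {"protectionMode": "VirtualNetworkInherited"}},
    {"name": "pip-standalone", "resourceGroup": "rg-game",
     "ddosSettings": {"protectionMode": "Enabled"}},
    {"name": "pip-legacy", "resourceGroup": "rg-lab", "ddosSettings": None},
]


def vnet_is_protected(vnet):
    """Same predicate the built-in policy uses: flag set AND a plan linked."""
    plan = vnet.get("ddosProtectionPlan") or {}
    return bool(vnet.get("enableDdosProtection")) and bool(plan.get("id"))


def audit(vnets, pips):
    """Group protected VNets by plan, list unprotected ones and IP-Protection IPs."""
    plans = defaultdict(set)
    unprotected = []
    for v in vnets:
        if vnet_is_protected(v):
            plans[v["ddosProtectionPlan"]["id"]].add(v["location"])
        else:
            unprotected.append(v["name"])
    ip_protection = [p["name"] for p in pips
                     if (p.get("ddosSettings") or {}).get("protectionMode") == "Enabled"]
    return {"plans": {k: sorted(r) for k, r in plans.items()},
            "unprotected_vnets": unprotected,
            "ip_protection_pips": ip_protection}


def remediation_commands(vnets, plan_id):
    """az commands that link every unprotected VNet to the plan, whatever its region."""
    return [f"az network vnet update --resource-group {v['resourceGroup']} --name {v['name']} "
            f"--ddos-protection true --ddos-protection-plan {plan_id}"
            for v in vnets if not vnet_is_protected(v)]


if __name__ == "__main__":
    report = audit(SAMPLE_VNETS, SAMPLE_PIPS)
    print(json.dumps(report, indent=2))
    print("\n".join(remediation_commands(SAMPLE_VNETS, PLAN_ID)))
```

Against real data, save az network vnet list -o json and az network public-ip list -o json to files and load them in place of the constructed lists. The predicate in vnet_is_protected is the one the built-in policy 'Virtual networks should be protected by Azure DDoS Protection' evaluates, so the script's output should match that policy's compliance view.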

Interaction with Related Technologies

Azure Firewall: DDoS Protection works at the network edge before traffic reaches Azure Firewall. Firewall rules can further filter traffic after DDoS scrubbing.

Azure WAF: For Layer 7 attacks, WAF inspects HTTP traffic after DDoS mitigation, allowing fine-grained control.

Azure Front Door and CDN: these global services run on Microsoft's edge and are covered by infrastructure protection; you cannot link a plan to them. Protect the origin separately: enable Standard on the origin VNet and restrict the origin to accept traffic only from Front Door, otherwise an attacker who discovers the origin IP bypasses the edge entirely.

Network Security Groups (NSGs): NSGs can block traffic based on IP/port, but they are not a substitute for DDoS protection. DDoS mitigation happens before NSG evaluation.

Trap Patterns on the Exam

Basic vs. Standard: Candidates often think Basic protects against all attacks—it does not. Basic only handles common network-layer attacks at a limited scale; it has no SLA, no adaptive tuning, and no Layer 7 protection.

Cost misconception: some think Standard is billed per resource or per region. It is billed per plan (one fixed charge covering up to 100 public IPs, then per-IP overage), and one plan can cover every linked VNet in the tenant across regions and subscriptions.

SLA coverage: the 99.99% SLA is an availability guarantee for the DDoS Protection service, plus cost protection credits for a documented attack. It does not promise that a protected application stays up, and it does not cover unrelated downtime.

Resource scope: many believe Standard protects private IPs; it only protects public IPs attached to resources in linked VNets.

Walk-Through

Step 1: Create a DDoS Protection Plan

Navigate to the Azure portal, search for 'DDoS protection plans', and click 'Create'. You must specify a subscription, resource group, plan name and region. The region only determines where the plan resource is stored; the plan can be linked to virtual networks in any region and in any subscription of the same tenant, so most organizations create exactly one. The plan is the billable unit: the fixed monthly Standard charge starts when the plan is created, even before a VNet is linked. The plan itself is not a firewall; it is a configuration container that turns the DDoS Standard service on for linked VNets. Without a plan, Standard protection is not active. Note: you cannot delete a plan while it is linked to any VNet; disassociate first.

Step 2: Associate Virtual Networks to the Plan

For each VNet you want to protect, open the VNet's 'DDoS protection' blade in the portal, select 'Enable' and choose the plan you created. This marks the VNet's public IPs as protected resources of the plan; no routes or NSGs are modified, and the change takes effect immediately without downtime. All public IPs attached to resources in the VNet, including VMs, load balancers and gateways, are now covered. A plan has a default limit of 100 protected public IP addresses counted across all of its VNets, which can be raised through a support request; the number of VNets is not the limiting factor. Because the plan is not regional, VNets in other regions link to the same plan in exactly the same way; a second plan is only needed for a different tenant.

Step 3: Baseline Establishment and Adaptive Tuning

After you enable Standard, the service begins profiling traffic to every protected public IP (packets per second by protocol, connection patterns). From that profile it derives per-IP mitigation policy thresholds: the inbound SYN, TCP and UDP packet rates above which mitigation starts. The thresholds are learned continuously rather than fixed after a set number of days, and they are published as the metrics DDoSTriggerSYNPackets, DDoSTriggerTCPPackets and DDoSTriggerUDPPackets (display names 'Inbound SYN/TCP/UDP packets to trigger DDoS mitigation'), so you can compare your normal peak rate with the current trigger value for each IP. If you want advance warning before mitigation, build a metric alert that fires when PacketsInDDoS approaches the trigger threshold for that IP, and a second alert on IfUnderDDoSAttack for the mitigation itself.

Step 4: Attack Detection and Mitigation

When traffic to a protected IP exceeds its policy threshold, mitigation starts automatically for that IP and Azure's global network scrubs the traffic at the edge. SYN floods are handled with SYN cookies: instead of allocating connection state when a SYN arrives, the mitigation system answers with a SYN-ACK whose sequence number is a keyed, time-limited hash of the connection 4-tuple, and only a client that completes the handshake with the matching ACK is allowed through, so spoofed SYNs consume no state. UDP and other floods are rate-limited per source and checked for protocol conformance. Layer 7 (HTTP) floods are outside DDoS Protection's scope and are handled by WAF. During mitigation, traffic that passes the checks is forwarded and the rest is dropped; the PacketsForwardedDDoS and PacketsDroppedDDoS metrics show the split. The service can absorb multi-Tbps attacks. Mitigation continues while traffic stays above the threshold and ends automatically once it returns to normal.
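The SYN-cookie mechanism described above, as an added example that is not Azure's implementation (which is proprietary) and not code from this page: a server or scrubbing device answers every SYN with a SYN-ACK whose sequence number is an HMAC over the 4-tuple, the client's ISN and a 64-second time slot, stores nothing, and admits a connection only when the client's ACK carries that value back within two time slots. The key, addresses, ports and the client MSS table are constructed for the demo.

```python
"""SYN-cookie handshake validation: stateless defense against SYN floods (added example)."""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: rotated regularly
MSS_TABLE = (536, 1220, 1440, 1460)  # client MSS is encoded in 2 bits of the cookie
T_BITS, T_WINDOW = 5, 64             # 5-bit time counter at 64-second granularity


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and time slot."""
    msg = struct.pack("!4sH4sHIB", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the 32-bit cookie used as the SYN-ACK sequence number: t | mss_idx | mac."""
    t = (int(now) // T_WINDOW) & ((1 << T_BITS) - 1)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 25) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t)


def validate_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Recover the cookie from the client's ACK and check it. Returns (ok, mss)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_cookie, mss_idx = cookie >> 27, (cookie >> 25) & 0x3
    t_now = (int(now) // T_WINDOW) & ((1 << T_BITS) - 1)
    if (t_now - t_cookie) & ((1 << T_BITS) - 1) > 1:   # accept current and previous slot only
        return False, None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, t_cookie)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return False, None
    return True, MSS_TABLE[mss_idx]


def on_syn(seg, now):
    """Answer a SYN with a SYN-ACK carrying the cookie; no per-connection state is kept."""
    cookie = make_cookie(seg["src"], seg["sport"], seg["dst"], seg["dport"],
                         seg["seq"], seg["mss"], now)
    return {"flags": "SA", "seq": cookie, "ack": seg["seq"] + 1}


def on_ack(seg, now, established):
    """Admit the connection only if the ACK carries a valid, fresh cookie."""
    ok, mss = validate_ack(seg["src"], seg["sport"], seg["dst"], seg["dport"],
                           seg["seq"] - 1, seg["ack"], now)
    if ok:
        established[(seg["src"], seg["sport"])] = mss
    return ok


def spoofed_flood(count, now, established):
    """Send `count` SYNs from forged sources; return how many table entries they created."""
    before = len(established)
    for i in range(count):
        on_syn({"src": f"203.0.113.{i % 256}", "sport": 1024 + i, "dst": "198.51.100.10",
                "dport": 443, "seq": i * 7919, "mss": 1460}, now)
    return len(established) - before


if __name__ == "__main__":
    now, table = 1_700_000_000, {}
    syn = {"src": "192.0.2.7", "sport": 40000, "dst": "198.51.100.10",
           "dport": 443, "seq": 12345, "mss": 1460}
    synack = on_syn(syn, now)
    ack = dict(syn, seq=syn["seq"] + 1, ack=synack["seq"] + 1)
    print("legit client admitted:", on_ack(ack, now + 10, table), table)
    print("forged ACK admitted:", on_ack(dict(ack, ack=ack["ack"] ^ 0x5A5A), now + 10, table))
    print("stale ACK admitted:", on_ack(ack, now + 200, table))
    print("state created by 10000 spoofed SYNs:", spoofed_flood(10000, now, table))
```

The point to take from it is the asymmetry: an attacker can send millions of SYNs from forged addresses and the defender allocates nothing, while a real client pays nothing extra beyond the normal three-way handshake. The time slot in the cookie is what limits replay; a captured SYN-ACK is useless once two slots have passed.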

Step 5: Monitor and Respond with Telemetry

During an attack, watch the public IP's metrics in Azure Monitor: IfUnderDDoSAttack ('Under DDoS attack or not', 0 or 1), PacketsInDDoS (inbound packets), PacketsDroppedDDoS and PacketsForwardedDDoS, plus the per-protocol DDoSTrigger* thresholds. Create a metric alert with the condition max IfUnderDDoSAttack > 0 on each protected public IP so the team is paged when mitigation starts rather than when customers complain. Turn on diagnostic settings on the public IP to stream DDoSProtectionNotifications, DDoSMitigationFlowLogs and DDoSMitigationReports to a Log Analytics workspace; the mitigation report is the post-attack summary of vector, duration and traffic volume you will want for compliance and the post-mortem. For severe or unusual attacks, engage DDoS Rapid Response (DRR) by opening a support request for the DDoS Protection service while the attack is under way; DRR engineers help with mitigation tuning and attack analysis, and can also be engaged afterwards for a post-attack review.
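The detection side of this step, as an added example (not from the page or from Microsoft): a Python script that consumes the JSON az monitor metrics list returns for a public IP, finds the minutes in which IfUnderDDoSAttack was 1, and summarizes peak inbound packets and the dropped-versus-forwarded split for that window, then composes the az monitor metrics alert create command for the paging rule. The telemetry is constructed (timestamps, packet counts, the resource and action group IDs in the usage call); the document shape (value[].name.value, timeseries[].data[].timeStamp and maximum) is the one the CLI emits for the Maximum aggregation.

```python
"""Summarize a DDoS mitigation window from az monitor metrics list output (added example)."""
import json


def _points(values):
    """Constructed one-minute buckets in the CLI's data[] shape."""
    return [{"timeStamp": f"2025-11-28T12:0{i}:00Z", "maximum": v} for i, v in enumerate(values)]


SAMPLE_METRICS = {  # constructed telemetry for one public IP, six one-minute buckets
    "value": [
        {"name": {"value": "IfUnderDDoSAttack", "localizedValue": "Under DDoS attack or not"},
         "timeseries": [{"data": _points([0, 0, 1, 1, 1, 0])}]},
        {"name": {"value": "PacketsInDDoS", "localizedValue": "Inbound packets DDoS"},
         "timeseries": [{"data": _points([1200, 1300, 900000, 1500000, 800000, 1400])}]},
        {"name": {"value": "PacketsDroppedDDoS", "localizedValue": "Inbound packets dropped DDoS"},
         "timeseries": [{"data": _points([0, 0, 880000, 1480000, 780000, 0])}]},
        {"name": {"value": "PacketsForwardedDDoS", "localizedValue": "Inbound packets forwarded DDoS"},
         "timeseries": [{"data": _points([1200, 1300, 20000, 20000, 20000, 1400])}]},
    ]
}


def series(doc, metric, aggregation="maximum"):
    """Return [(timestamp, value)] for one metric, skipping buckets with no data."""
    for m in doc["value"]:
        if m["name"]["value"] == metric:
            return [(p["timeStamp"], p[aggregation])
                    for ts in m["timeseries"] for p in ts["data"]
                    if p.get(aggregation) is not None]
    raise KeyError(metric)


def mitigation_windows(doc):
    """Contiguous runs of IfUnderDDoSAttack == 1 as (first, last) bucket timestamps."""
    windows, start, last = [], None, None
    for ts, v in series(doc, "IfUnderDDoSAttack"):
        if v:
            start = start or ts
            last = ts
        elif start is not None:
            windows.append((start, last))
            start = None
    if start is not None:
        windows.append((start, last))
    return windows


def summarize(doc):
    """Peak inbound rate and drop ratio restricted to the mitigation window(s)."""
    windows = mitigation_windows(doc)
    in_window = {ts for ts, _ in series(doc, "IfUnderDDoSAttack")
                 if any(s <= ts <= e for s, e in windows)}   # ISO-8601 strings sort correctly
    dropped = sum(v for ts, v in series(doc, "PacketsDroppedDDoS") if ts in in_window)
    forwarded = sum(v for ts, v in series(doc, "PacketsForwardedDDoS") if ts in in_window)
    peak = max((v for ts, v in series(doc, "PacketsInDDoS") if ts in in_window), default=0)
    total = dropped + forwarded
    return {"windows": windows, "peak_inbound": peak, "dropped": dropped,
            "forwarded": forwarded, "drop_ratio": dropped / total if total else 0.0}


def alert_command(pip_id, action_group_id, rg="MyRG", name="ddos-mitigation-active"):
    """az command for a metric alert that pages as soon as mitigation starts."""
    return (f"az monitor metrics alert create --name {name} --resource-group {rg} "
            f"--scopes {pip_id} --condition \"max IfUnderDDoSAttack > 0\" "
            f"--window-size 5m --evaluation-frequency 1m --action {action_group_id}")


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_METRICS), indent=2))
    # constructed IDs; substitute the real public IP and action group resource IDs
    print(alert_command("/subscriptions/<sub>/resourceGroups/MyRG/providers/Microsoft.Network/publicIPAddresses/MyPip",
                        "/subscriptions/<sub>/resourceGroups/MyRG/providers/microsoft.insights/actionGroups/oncall"))
```

A drop ratio near 1 with forwarded traffic holding at its pre-attack level is what a clean mitigation looks like; forwarded traffic collapsing during the window is the signal to engage DRR, because it means legitimate clients are being caught by the policy.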

What This Looks Like on the Job

Enterprise Scenario 1: E-commerce Platform During Black Friday

A large online retailer runs its e-commerce platform on Azure VMs behind a Standard Load Balancer, with public IPs exposed to the internet. During Black Friday it expects a massive spike in legitimate traffic and also faces a high risk of DDoS attacks from competitors or hacktivists. It enables Azure DDoS Protection Standard on the VNet containing the application tier well before the event, so adaptive tuning has weeks of normal and peak traffic to profile. On Black Friday the legitimate spike stays within the learned trigger thresholds, so mitigation does not kick in prematurely and no genuine customers are dropped. When a coordinated SYN flood also hits, the per-IP threshold is crossed, mitigation engages, and SYN cookies let real customers complete their handshakes while spoofed SYNs are discarded. The retailer watches the attack on Azure Monitor dashboards, has an alert on IfUnderDDoSAttack paging the on-call engineer, and engages DRR for tuning. If the attack forces the web tier to scale out, cost protection credits cover that extra spend; the SLA does not promise that the site cannot go down, so the retailer also runs Azure WAF on Application Gateway to block HTTP floods aimed at the checkout page. With only Basic, the platform-level thresholds would not have reacted to an attack of this size until long after the load balancer had been saturated.

Enterprise Scenario 2: Gaming Company with Multiplayer Servers

A gaming company hosts multiplayer game servers on Azure VMs with public IPs. Gamers need low-latency connections, and DDoS attacks are common in the gaming industry. The company enables Azure DDoS Protection Standard on every VNet hosting game servers and fronts its web and matchmaking APIs with Azure Front Door, whose edge is covered by Microsoft's infrastructure protection. A common mistake is assuming Front Door protects the origin: if the origin's public IP is discoverable, attackers simply bypass Front Door, so the origin VNet needs its own Standard protection and the origin should accept traffic only from Front Door. In one incident, a UDP amplification attack hit 500 Gbps against a game server IP. Mitigation engaged automatically, dropping the amplification traffic while game UDP packets kept flowing. The operations team was paged by an alert on IfUnderDDoSAttack and later used the mitigation report to understand the attack vector and tighten firewall rules. An early mistake was not linking all VNets to the plan: one region was left unprotected and suffered an outage. Since the plan is not regional, the fix was simply to link the missing VNet to the existing plan, and the company now uses the built-in Azure Policy 'Virtual networks should be protected by Azure DDoS Protection' to audit or auto-remediate any VNet created without a plan.

Common Misconfigurations

Not enabling Standard on all VNets that contain public IPs, leaving some resources vulnerable.

Assuming Basic tier protects against all attacks; Basic only handles common attacks at small scale.

Not setting up monitoring alerts, so the team is unaware of an attack until customers complain.

Overlooking the cost: Standard is about $2,944 per month per plan plus overage above 100 protected public IPs, which can surprise budget-conscious teams. One plan shared across the tenant keeps it to a single charge, and the cost of an outage is usually higher.

How AZ-500 Actually Tests This

AZ-500 Exam Focus: Objective 3.2 – Implement Network Security

The AZ-500 exam tests your ability to implement network security controls, including DDoS protection. Specifically, you must know:

Objective 3.2: Implement network security controls (e.g., network security groups, Azure Firewall, DDoS protection).

Sub-objectives: Configure DDoS protection plans, understand the differences between Basic and Standard tiers, and know when to use each.

Common Wrong Answers and Why

1. 'Basic tier provides an SLA for uptime.' False. Only Standard has an SLA, and even that is a 99.99% availability guarantee for the protection service plus cost protection credits, not a guarantee that your application stays up. Candidates confuse the automatic nature of Basic with a guarantee.

2. 'Standard protection is applied per public IP address.' For Network Protection it is applied per virtual network via a protection plan: you enable it on the VNet and every public IP attached to resources in that VNet is protected. Candidates think it is per-IP because NSGs are per-subnet or per-NIC. Be aware, though, that the newer DDoS IP Protection SKU really is enabled per public IP (az network public-ip update --ddos-protection-mode Enabled) and needs no plan; read the question for which SKU it means.

3. 'Basic tier protects against Layer 7 attacks.' No. Neither tier inspects HTTP; Layer 7 protection comes from WAF, which you combine with Standard.

4. 'You can enable Standard protection without a protection plan.' Incorrect for Network Protection: a plan is mandatory, and the plan is what is billed. The plan is not region-bound; one plan can cover VNets in every region and subscription of the tenant.

Specific Numbers and Terms

Standard cost: about $2,944/month per plan (as of 2025), covering 100 protected public IPs; additional IPs are billed per IP per month.

SLA: 99.99% availability of the DDoS Protection service, plus cost protection credits for documented attacks.

Adaptive tuning: thresholds are learned continuously per public IP; there is no fixed baseline period.

Mitigation thresholds: per-IP inbound SYN, TCP and UDP packet rates, visible as the DDoSTriggerSYNPackets, DDoSTriggerTCPPackets and DDoSTriggerUDPPackets metrics; mitigation starts when traffic exceeds them.

Maximum attack scale: multiple Tbps.

Supported resources: public IPs attached to resources in a linked VNet (VMs, load balancers, Application Gateway, Azure Firewall, VPN Gateway, Azure Bastion); default limit of 100 public IPs per plan.

Edge Cases and Exceptions

IPv6: Standard DDoS Protection supports IPv6 public IPs as of 2024. The exam may test this.

Azure Front Door: Front Door's edge is covered by Microsoft's infrastructure protection and you cannot attach a plan to it. Protect the origin by allowing only Front Door traffic to reach it and by enabling Standard on the origin VNet. This is a common exam scenario.

Cross-region protection: a protection plan is not regional. A plan created in West Europe can protect a VNet in East US, and a single plan can serve every region and subscription in the tenant. A question that presents the plan's region as a constraint is testing whether you know this.

Cost optimization: use one plan for the whole tenant; extra plans each add a fixed monthly charge without adding protection. The exam may ask about cost-effective configurations.

How to Eliminate Wrong Answers

If a question mentions 'SLA' or 'guarantee', the answer must involve Standard tier.

If a question mentions 'adaptive tuning', 'rapid response', or 'Layer 7', it is Standard.

If a question mentions 'always-on' or 'default', it is likely Basic.

For configuration questions, remember: create plan -> enable DDoS protection on the VNet and link it to the plan -> done. Per-IP steps exist only for the separate DDoS IP Protection SKU.

Key Takeaways

Azure DDoS Protection Basic is free and always-on, but only protects against common network-layer attacks at limited scale; it has no SLA.

Standard tier (DDoS Network Protection) requires a DDoS protection plan linked to a virtual network; all public IPs in the VNet are protected, and one plan can serve VNets in any region and subscription of the tenant.

Standard tier provides adaptive tuning, a 99.99% availability SLA with cost protection, Layer 7 protection when paired with WAF, and DDoS Rapid Response (DRR).

Standard costs about $2,944 per month per plan for up to 100 protected public IPs, plus per-IP overage and data processing charges.

Adaptive tuning learns per-IP thresholds from real traffic continuously; mitigation triggers when inbound SYN, TCP or UDP packet rates exceed those thresholds.

Standard does not protect private IPs or on-premises resources; only Azure public IPs.

Azure Front Door is covered by Microsoft's edge infrastructure protection; to protect the origin, restrict it to Front Door traffic and enable Standard on the origin VNet.

Common exam trap: Basic tier does not provide an SLA or Layer 7 protection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Basic Tier

Free, automatically enabled for all Azure resources.

Protects only common Layer 3/4 attacks (SYN floods, UDP floods).

No SLA for uptime during attacks.

No adaptive tuning; thresholds are set for the Azure platform as a whole, far above a single application's traffic.

No telemetry, mitigation reports, or dedicated support.

Standard Tier

Paid tier (about $2,944/month per plan for 100 public IPs, plus overage and data processing).

Mitigates Layer 3/4 attacks; pair with WAF for Layer 7.

99.99% availability SLA for the protection service, plus cost protection credits.

Adaptive tuning based on continuously learned per-IP traffic profiles.

Includes DDoS Rapid Response (DRR), metrics, diagnostic logs and mitigation reports.

Watch Out for These

Mistake

Azure DDoS Protection Basic tier protects against all DDoS attacks.

Correct

Basic only protects against common network-layer attacks (SYN floods, UDP floods) at a limited scale. It does not protect against application-layer attacks (HTTP floods) or large volumetric attacks. Standard tier is needed for comprehensive protection.

Mistake

Standard DDoS Protection is applied per public IP address.

Correct

Network Protection is applied per virtual network via a DDoS protection plan; all public IPs within a linked VNet are covered automatically, with no per-IP step. Only the separate DDoS IP Protection SKU is enabled per public IP address.

Mistake

Basic tier provides a 99.99% uptime SLA.

Correct

Only Standard has an SLA, and it guarantees 99.99% availability of the DDoS Protection service plus cost protection credits for a documented attack; it is not an uptime guarantee for your application. Basic has no SLA and no financial backing.

Mistake

DDoS Protection Standard protects private IP addresses and on-premises traffic.

Correct

Standard only protects Azure public IP addresses in linked VNets. Private IPs and on-premises resources are not protected. For on-premises systems, route their public traffic through Azure (for example via Azure Front Door or an Azure-hosted gateway) or use a third-party DDoS service.

Mistake

You can enable Standard DDoS Protection without creating a protection plan.

Correct

A DDoS protection plan is mandatory for Standard (Network Protection) and is the resource that is billed. It is not regional: one plan can scope VNets across every region and subscription in the tenant. Only the separate DDoS IP Protection SKU works without a plan.


Frequently Asked Questions

What is the difference between Azure DDoS Protection Basic and Standard?

Basic (DDoS infrastructure protection) is free and automatically enabled for all Azure resources, but its thresholds are set to protect the Azure platform, not your application, and it has no SLA, telemetry or support. Standard (DDoS Network Protection) is a paid tier that requires a protection plan and provides adaptive tuning per public IP, metrics and mitigation reports, a 99.99% availability SLA with cost protection, DDoS Rapid Response, and, when paired with WAF, Layer 7 coverage. Standard protects all public IPs within a linked VNet.

How do I enable Azure DDoS Protection Standard?

First, create a DDoS protection plan (in any region; it can protect VNets everywhere) using the portal, CLI or PowerShell. Then enable DDoS protection on the VNet and link the plan from the VNet's DDoS protection blade. All public IPs in that VNet are now protected. Example CLI: az network ddos-protection create ... then az network vnet update --ddos-protection true --ddos-protection-plan ...

Does Azure DDoS Protection Standard protect against Layer 7 attacks?

Not on its own. DDoS Protection mitigates Layer 3/4 attacks; HTTP floods and other application-layer attacks are handled by Azure Web Application Firewall on Application Gateway or Front Door, which inspects requests and can also block injection and XSS. The two services are complementary and are meant to be deployed together.

Can I use Azure DDoS Protection Standard for on-premises resources?

No, Standard only protects Azure public IPs. For on-premises resources, either front them with an Azure service so that public traffic enters through Azure (for example Azure Front Door) or use a third-party DDoS protection service.

How much does Azure DDoS Protection Standard cost?

As of 2025, the fixed charge is approximately $2,944 per month per DDoS protection plan, which covers 100 protected public IP addresses; additional IPs are billed per IP per month, and data processing charges apply as listed on the Azure pricing page. Because one plan can serve the whole tenant, most organizations pay this once.

What is DDoS Rapid Response Support?

DDoS Rapid Response (DRR) is included with Standard and gives you access to DDoS experts during an active attack. You open a support request for the DDoS Protection service while the attack is under way; DRR engineers help with mitigation tuning and attack analysis, and can also provide a post-attack review.

Does Azure DDoS Protection Basic protect against all attacks?

No, Basic only protects against common network-layer attacks (e.g., SYN floods, UDP floods) at a limited scale. It does not protect against application-layer attacks or large volumetric attacks. For comprehensive protection, use Standard.
