AZ-500 | Chapter 59 of 103 | Objective 3.2

Azure DDoS Protection Tiers and Policies

This chapter covers Azure DDoS Protection tiers and policies, a critical component of network security in Azure. DDoS attacks are a top threat to cloud workloads, and understanding how Azure mitigates them is essential for the AZ-500 exam. Expect 5-10% of exam questions to touch on DDoS Protection, focusing on tier selection, policy configuration, and integration with other Azure services. We'll dive deep into the Basic and Standard tiers, how they work at the packet level, and how to configure them for optimal protection.

25 min read
Intermediate
Updated May 31, 2026

DDoS Protection as a Sieve and Fire Hose

Imagine a concert venue with a single entrance. Normally, a few hundred fans arrive per minute, and security checks each ticket quickly. But a malicious group sends thousands of fake fans per minute, overwhelming the entrance. Azure DDoS Protection acts like a three-stage sieve and fire hose system. First, a basic mesh filter (Basic tier) catches only the largest, most obvious fake fans (e.g., those with clearly forged tickets). Second, a more sophisticated sieve (Network Protection tier) uses machine learning to identify patterns: it knows that real fans arrive from many locations, while attackers often come from a few IP ranges, and it can dynamically rate-limit or block those. Third, for the most persistent attacks, a fire hose (Application Protection tier) can be turned on to wash away the flood entirely, but it requires careful configuration to avoid washing away real fans. The venue also has security cameras (telemetry) that report the number of fans per minute, and the sieve automatically adjusts based on historical baseline traffic (learned over the past few weeks). If the attack exceeds the sieve's capacity, the venue calls the police (Azure Support) for manual intervention.

How It Actually Works

What is Azure DDoS Protection and Why Does It Exist?

Azure DDoS Protection is a service that safeguards Azure applications from Distributed Denial-of-Service (DDoS) attacks. These attacks overwhelm a target with traffic from multiple sources, making it unavailable to legitimate users. Azure offers two tiers: Basic (free, automatically enabled for all Azure resources) and Standard (paid, with enhanced features). The Standard tier is the focus of the AZ-500 exam because it provides adaptive tuning, attack mitigation telemetry, and cost protection.

How It Works Internally

Azure DDoS Protection operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, with optional Layer 7 (Application) protection via Application Gateway with WAF. The protection is implemented using a combination of always-on traffic monitoring, adaptive thresholding, and real-time mitigation.

- Traffic Monitoring: Azure monitors traffic to public IP addresses in real time. It uses a baseline of normal traffic patterns learned over the past few weeks. The baseline includes metrics like packets per second, bytes per second, and connections per second. Any deviation beyond the baseline triggers an alert.
- Adaptive Thresholding: Unlike static thresholds, Azure DDoS Protection Standard dynamically adjusts thresholds based on your application's traffic patterns. For example, if your application typically receives 10,000 packets per second (pps), the threshold might be set at 20,000 pps (a multiple of the baseline). This reduces false positives.
- Mitigation Actions: When traffic exceeds the threshold, Azure applies mitigation policies. These include:
  - Source IP rate limiting: Blocks traffic from IPs that exceed a certain rate.
  - Protocol blocking: Blocks non-standard protocol packets (e.g., malformed TCP packets).
  - TCP SYN cookies: Protects against SYN floods by requiring connection completion.
  - Connection limiting: Limits the number of connections per source IP.
- Attack Telemetry: After an attack is detected, you can view detailed metrics via Azure Monitor, including attack duration, traffic volume, and mitigation actions taken.

Key Components, Values, Defaults, and Timers

- Tiers:
  - Basic: Always-on, protects against common network-layer attacks (SYN floods, UDP floods). No configuration needed. No cost.
  - Standard: Enhanced protection for virtual networks (VNets). Requires enabling on a VNet. Costs approximately $2,944 per month (as of 2025) plus data processing charges.
- Metrics:
  - Packets per second (pps): Default threshold is 2x the baseline.
  - Bytes per second (bps): Default threshold is 2x the baseline.
  - Connections per second (cps): Default threshold is 2x the baseline.
- Timers:
  - Baseline learning period: 7 days of traffic data to establish the baseline.
  - Mitigation activation: Within 2-3 minutes of exceeding the threshold.
  - Attack report generation: Available after the attack ends, typically within 30 minutes.
- Policy customization: You can adjust thresholds via Azure Policy or PowerShell. Custom policies can override defaults.

Configuration and Verification Commands

To enable DDoS Protection Standard on a VNet using Azure CLI:

# Create a DDoS Protection Plan
az network ddos-protection create --resource-group MyResourceGroup --name MyDDoSPlan --location eastus

# Associate the VNet with the plan and switch Standard protection on (the plan reference alone does not enable it)
az network vnet update --resource-group MyResourceGroup --name MyVNet --ddos-protection true --ddos-protection-plan MyDDoSPlan

To verify configuration:

# Show DDoS Protection status: both the enabled flag and the associated plan must be set
az network vnet show --resource-group MyResourceGroup --name MyVNet --query "{ddosEnabled:enableDdosProtection, plan:ddosProtectionPlan.id}"

To view attack telemetry:

# Attack telemetry is exposed as Azure Monitor metrics on the protected public IP (requires Standard tier);
# <subscription-id> and MyPublicIP are placeholders for your own values
az monitor metrics list --resource /subscriptions/<subscription-id>/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publicIPAddresses/MyPublicIP --metric "IfUnderDDoSAttack" --interval PT1M

Interaction with Related Technologies

Azure Firewall: DDoS Protection works at the network edge, before traffic reaches Azure Firewall. It blocks malicious traffic before it hits the firewall, reducing load.

Application Gateway with WAF: For Layer 7 attacks (HTTP floods), you need Application Gateway's Web Application Firewall (WAF) in addition to DDoS Protection. DDoS Protection handles network-layer attacks, while WAF handles application-layer attacks.

Azure Front Door: Provides global DDoS protection at the edge. Combining Front Door with DDoS Protection Standard offers layered defense.

Network Security Groups (NSGs): DDoS Protection operates independently of NSGs. NSGs can block traffic after DDoS mitigation, but they are not a substitute for DDoS Protection.

Policy Types

DDoS Protection Standard uses two types of policies:
- Default policy: Automatically applied when you enable Standard on a VNet. Uses adaptive thresholds.
- Custom policy: You can define specific thresholds for pps, bps, and cps. This is useful for applications with predictable traffic patterns. Custom policies are set via Azure Policy or REST API.
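To make the threshold logic from "How It Works Internally" and the default-versus-custom policy distinction above concrete, here is an added example (my own model, not Azure's code): it learns a per-metric baseline for pps, bps and cps over a 7-day window, applies the 2x default multiplier, lets a custom fixed threshold override the adaptive one, and reports which metrics a traffic sample exceeds. It assumes the baseline is the mean of the learning-period samples and that traffic samples are one reading per day; all traffic values are constructed.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

METRICS = ("pps", "bps", "cps")
DEFAULT_MULTIPLIER = 2.0     # page: default threshold is 2x the baseline
LEARNING_PERIOD = 7          # page: 7-day baseline; one sample per day here (assumption)


@dataclass
class ThresholdPolicy:
    """Default (adaptive) policy, unless custom fixed thresholds are supplied."""
    multiplier: float = DEFAULT_MULTIPLIER
    custom: Dict[str, float] = field(default_factory=dict)   # e.g. {"pps": 15_000}
    history: Dict[str, List[float]] = field(
        default_factory=lambda: {m: [] for m in METRICS})

    def learn(self, sample: Dict[str, float]) -> None:
        """Feed one observation of normal traffic into the rolling baseline."""
        for m in METRICS:
            self.history[m].append(sample[m])

    def baseline(self, metric: str) -> Optional[float]:
        """Mean of the last LEARNING_PERIOD samples; None until data exists."""
        samples = self.history[metric][-LEARNING_PERIOD:]
        return mean(samples) if samples else None

    def threshold(self, metric: str) -> Optional[float]:
        """A custom value overrides the adaptive (multiplier x baseline) value."""
        if metric in self.custom:
            return float(self.custom[metric])
        base = self.baseline(metric)
        return None if base is None else base * self.multiplier

    def evaluate(self, sample: Dict[str, float]) -> List[str]:
        """Return the metrics whose observed rate exceeds their threshold."""
        exceeded = []
        for m in METRICS:
            t = self.threshold(m)
            if t is not None and sample[m] > t:   # no baseline yet -> no verdict
                exceeded.append(m)
        return exceeded


def demo() -> Dict[str, List[str]]:
    """Constructed traffic: a week near 10k pps, then a flash sale, then a flood."""
    adaptive = ThresholdPolicy()
    for day in range(7):                       # 7-day learning period
        adaptive.learn({"pps": 10_000 + 200 * day, "bps": 8_000_000, "cps": 500})
    flash_sale = {"pps": 18_000, "bps": 14_000_000, "cps": 900}   # stays under 2x
    syn_flood = {"pps": 60_000, "bps": 9_000_000, "cps": 25_000}  # pps and cps spike
    custom_low = ThresholdPolicy(custom={"pps": 15_000})          # custom value set too low
    return {
        "adaptive_flash_sale": adaptive.evaluate(flash_sale),   # []
        "adaptive_syn_flood": adaptive.evaluate(syn_flood),     # ["pps", "cps"]
        "custom_flash_sale": custom_low.evaluate(flash_sale),   # ["pps"]: a false positive
    }


if __name__ == "__main__":
    print(demo())
```

The third result reproduces the mistake from the e-commerce scenario later in this chapter: a custom pps threshold below the real peak flags a legitimate surge as an attack.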

Cost Protection

Standard tier includes cost protection: if your Azure resources are scaled out due to a DDoS attack (e.g., auto-scaling), Azure will credit the additional costs incurred. This is a key exam point.

Exam-Relevant Details

DDoS Protection Basic is always enabled and cannot be disabled.

DDoS Protection Standard must be enabled on a per-VNet basis.

Only public IPs associated with resources in the protected VNet are protected.

DDoS Protection Standard does not protect on-premises traffic; it only protects Azure resources.

The service uses machine learning to distinguish between legitimate traffic and attacks.

Alerts can be configured via Azure Monitor to notify when mitigation starts.

Common Misconfigurations

Enabling Standard on a VNet without associating a DDoS Protection Plan: The plan is a regional resource that defines the policy. Without it, Standard is not active.

Assuming DDoS Protection covers all layers: It covers L3/L4 only. For L7, you need WAF.

Not configuring alerts: Without alerts, you won't know an attack occurred.
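A defensive check for the first misconfiguration above and for the plan-plus-VNet requirement in the walk-through, as an added example (my own code, not Azure's or the course's): it reads the JSON shape that az network vnet list returns and flags VNets that are marked enabled without an associated DDoS Protection Plan, or not enabled at all. The VNet records and the subscription ID below are constructed.

```python
import json
import sys
from typing import Dict, List

PLAN_TYPE_SEGMENT = "/providers/Microsoft.Network/ddosProtectionPlans/"

# Constructed sample resembling `az network vnet list -o json` output
# (only the fields the audit uses are included).
SAMPLE_VNETS_JSON = """
[
  {"name": "hub-vnet", "location": "eastus", "enableDdosProtection": true,
   "ddosProtectionPlan": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/ddosProtectionPlans/MyDDoSPlan"}},
  {"name": "spoke-vnet-1", "location": "eastus", "enableDdosProtection": true,
   "ddosProtectionPlan": null},
  {"name": "spoke-vnet-2", "location": "eastus", "enableDdosProtection": false,
   "ddosProtectionPlan": null}
]
"""


def audit_vnet(vnet: dict) -> List[str]:
    """Return findings for one VNet; an empty list means Standard is active."""
    findings = []
    enabled = bool(vnet.get("enableDdosProtection", False))
    plan = vnet.get("ddosProtectionPlan")
    plan_id = plan.get("id") if isinstance(plan, dict) else None
    if not enabled:
        findings.append("DDoS Protection Standard not enabled (Basic only)")
    if enabled and not plan_id:
        findings.append("enabled but no DDoS Protection Plan associated: Standard is not active")
    if plan_id and PLAN_TYPE_SEGMENT not in plan_id:
        findings.append("ddosProtectionPlan.id is not a ddosProtectionPlans resource")
    return findings


def audit_all(vnets_json: str) -> Dict[str, List[str]]:
    """Audit every VNet in a JSON array; keys are VNet names."""
    return {v["name"]: audit_vnet(v) for v in json.loads(vnets_json)}


if __name__ == "__main__":
    # Pipe real output in (`az network vnet list -o json | python audit.py`),
    # or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VNETS_JSON
    print(json.dumps(audit_all(data), indent=2))
```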

Summary

Azure DDoS Protection is a critical security control. The exam tests your understanding of tier differences, policy customization, integration with other services, and cost protection. Know the default thresholds, how adaptive thresholds work, and that Standard requires a plan and VNet association.

Walk-Through

1. Enable DDoS Protection Standard

First, you must create a DDoS Protection Plan in the desired Azure region. This plan is a regional resource that defines the policy settings. Then, you associate the plan with a Virtual Network (VNet). Only resources with public IPs in that VNet are protected. This step is done via Azure Portal, CLI, or PowerShell. If you skip creating the plan, Standard protection is not active, even if you enable it on the VNet.

2. Baseline Traffic Learning

Once enabled, Azure begins monitoring traffic to all public IPs in the protected VNet. Over the next 7 days, it establishes a baseline for normal traffic patterns, including average packets per second (pps), bytes per second (bps), and connections per second (cps). The baseline is updated continuously. During this period, no mitigation actions are taken unless traffic exceeds a multiple of the baseline (default 2x).

3. Attack Detection

After baseline is established, Azure continuously compares real-time traffic to the baseline. If traffic exceeds the adaptive threshold (e.g., >2x baseline for pps), the service classifies it as a potential DDoS attack. Detection occurs within seconds. The service uses machine learning to differentiate between legitimate traffic spikes (e.g., flash sales) and attacks.

4. Mitigation Activation

Upon detection, Azure DDoS Protection automatically applies mitigation policies. For example, if a SYN flood is detected, it enables SYN cookies to complete the TCP handshake only for legitimate connections. For UDP floods, it rate-limits traffic from suspicious source IPs. Mitigation begins within 2-3 minutes of detection. During mitigation, traffic is still allowed but throttled. You can view mitigation status via Azure Monitor metrics.

5. Post-Attack Reporting

After the attack subsides, Azure generates a DDoS Attack Report. This report includes attack vector, duration, volume (pps, bps), and mitigation actions taken. Reports are available for 12 months. You can download them via Azure Portal or CLI. This data is crucial for compliance and post-incident analysis.

What This Looks Like on the Job

Enterprise Scenario 1: E-commerce Platform During Holiday Sales

A large e-commerce company runs its web application on Azure VMs behind a load balancer. During Black Friday, traffic spikes are expected. However, they also face DDoS attacks from competitors. They enable DDoS Protection Standard on the VNet hosting their web tier. The adaptive thresholds automatically adjust to the high baseline traffic, preventing false positives during legitimate surges. During an actual attack, Azure mitigates the flood, and the platform remains available. The company also uses Azure Front Door for global distribution and WAF for HTTP flood protection. Misconfiguration: They initially set custom thresholds too low, causing false positives during flash sales. They later switched to default adaptive thresholds.

Enterprise Scenario 2: Financial Services with Compliance Requirements

A bank hosts its customer-facing portal on Azure. Compliance requires DDoS protection and attack reporting. They enable DDoS Protection Standard and configure alerts to notify the security team when mitigation starts. During a SYN flood attack, Azure automatically enables SYN cookies. The attack report is used for regulatory audit. They also use Azure Policy to enforce that all VNets in production have DDoS Protection Standard enabled. Common mistake: They forget to enable Standard on a spoke VNet, leaving it vulnerable. After an attack on that spoke, they implement Azure Policy to auto-enable protection.

Enterprise Scenario 3: Gaming Company with Real-Time Traffic

A gaming company uses Azure for its multiplayer game servers. Traffic is highly variable, with sudden spikes when new games launch. They use DDoS Protection Standard with custom policies to allow higher pps thresholds during launch events. They also integrate with Azure Monitor to track attack metrics. During a UDP amplification attack, Azure rate-limits the offending source IPs. Performance consideration: DDoS Protection adds minimal latency (sub-millisecond) because it operates inline at the network edge. Misconfiguration: They initially set the custom policy too permissive, allowing some attack traffic through. They later adjusted to use adaptive thresholds with a higher multiplier.

How AZ-500 Actually Tests This

AZ-500 Exam Focus on Azure DDoS Protection

The AZ-500 exam tests DDoS Protection under domain 'Network Security' (objective 3.2: Implement network security). Expect 2-3 questions on this topic. Key areas:

1. Tier Differences: You must know that Basic is free, always-on, and protects only against common L3/L4 attacks. Standard is paid, requires a plan, and provides adaptive thresholds, cost protection, and attack telemetry. A common wrong answer is that Basic protects against all DDoS attacks; it only covers common network-layer attacks.

2. Cost Protection: This is a unique feature of Standard. The exam may ask: 'What happens if your resource scales out due to a DDoS attack?' The correct answer is that Azure credits the additional costs. Many candidates confuse this with automatic scaling or SLA credits.

3. Adaptive Thresholds: The exam tests that thresholds are based on traffic baselines learned over 7 days. A trap is that thresholds are static or based on a fixed value. Another trap is that the baseline is learned over 30 days; it is 7 days.

4. Policy Customization: You can create custom policies for specific thresholds (pps, bps, cps). The exam may ask when to use custom vs. default. Custom is for predictable traffic; default is for variable traffic.

5. Integration with WAF: DDoS Protection covers L3/L4. For L7 (HTTP floods), you need Application Gateway with WAF. A common wrong answer is that DDoS Protection Standard covers L7; it does not.

6. Attack Telemetry: You can view attack metrics via Azure Monitor. The exam may ask about report availability (12 months).

7. Enabling Standard: Must be done per VNet, not per resource. A trap: 'Enable DDoS Protection Standard on a VM' is not possible; it is per VNet.

8. Alerts: Configure via Azure Monitor. The exam may ask how to receive notifications when an attack is detected.

9. Edge Cases: DDoS Protection does not protect on-premises traffic. It only protects Azure public IPs. Also, Standard is not available in all regions (check documentation).

10. Exam Tips: Eliminate wrong answers by remembering that Basic is free and automatic, while Standard requires explicit configuration. If a question mentions 'cost protection' or 'adaptive thresholds,' it's Standard. If it mentions 'always-on' without cost, it's Basic. Always check whether the scenario involves L7 attacks; if so, WAF is needed.

Key Takeaways

DDoS Protection Basic is free and always-on, but only covers common L3/L4 attacks.

DDoS Protection Standard requires a DDoS Protection Plan per VNet and costs ~$2,944/month.

Adaptive thresholds are based on a 7-day traffic baseline, default multiplier is 2x.

Standard provides cost protection if your resources auto-scale due to an attack.

DDoS Protection covers L3/L4 only; for L7 attacks, use Application Gateway with WAF.

Attack telemetry is available via Azure Monitor, with reports retained for 12 months.

Alerts can be configured via Azure Monitor to notify when mitigation starts.

DDoS Protection Standard does not protect on-premises traffic or resources outside Azure.

Custom policies can override adaptive thresholds for predictable traffic patterns.

Enable DDoS Protection Standard on all production VNets using Azure Policy.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DDoS Protection Basic

Free and automatically enabled for all Azure resources.

Protects against common network-layer attacks (SYN floods, UDP floods).

No configuration or management required.

No cost protection or attack telemetry.

Static thresholds based on Azure-wide baseline.

DDoS Protection Standard

Paid service ($2,944/month + data processing charges).

Protects against all network-layer attacks with adaptive thresholds.

Requires creating a DDoS Protection Plan and associating it with a VNet.

Includes cost protection (credits for scale-out due to attacks) and attack telemetry via Azure Monitor.

Customizable thresholds and integration with Azure Policy.

Watch Out for These

Mistake

Azure DDoS Protection Basic protects against all types of DDoS attacks.

Correct

Basic only protects against common network-layer attacks like SYN floods, UDP floods, and amplification attacks. It does not protect against application-layer (L7) attacks like HTTP floods. For L7, you need Application Gateway with WAF.

Mistake

DDoS Protection Standard automatically protects all resources in a subscription.

Correct

Standard must be enabled on a per-VNet basis by associating a DDoS Protection Plan. Only public IPs in that VNet are protected. It does not automatically cover all VNets in the subscription.

Mistake

Custom thresholds are always better than adaptive thresholds.

Correct

Custom thresholds can cause false positives if set too low, or allow attack traffic if set too high. Adaptive thresholds are recommended for most scenarios because they adjust to traffic patterns automatically.

Mistake

DDoS Protection Standard provides a 100% uptime SLA during an attack.

Correct

DDoS Protection does not provide an SLA for uptime during attacks. It provides cost protection for additional resources scaled out due to an attack, but does not guarantee availability.

Mistake

DDoS Protection can be enabled on a per-VM basis.

Correct

DDoS Protection is enabled at the VNet level, not per VM. All VMs in the VNet with public IPs are protected. You cannot protect a single VM without protecting the entire VNet.

Frequently Asked Questions

What is the difference between Azure DDoS Protection Basic and Standard?

Basic is free, automatically enabled, and protects against common network-layer attacks (SYN floods, UDP floods). Standard is a paid tier ($2,944/month) that provides adaptive thresholds, cost protection, attack telemetry, and custom policies. Standard must be explicitly enabled on a per-VNet basis via a DDoS Protection Plan. For the exam, remember that Basic is always-on but limited, while Standard offers advanced features.

How do I enable DDoS Protection Standard on an existing VNet?

First, create a DDoS Protection Plan in the same region as the VNet using Azure Portal, CLI, or PowerShell. Then, associate the VNet with the plan. For example, using CLI: `az network ddos-protection create` followed by `az network vnet update --ddos-protection-plan`. You can also enable it during VNet creation. Remember, Standard is per VNet, not per resource.

Does DDoS Protection Standard protect against application-layer attacks?

No. DDoS Protection Standard operates at Layers 3 and 4 (network and transport). For application-layer (Layer 7) attacks like HTTP floods, you need Azure Application Gateway with Web Application Firewall (WAF). The exam often tests this distinction: DDoS Protection is for network-layer, WAF is for application-layer.

What is cost protection in Azure DDoS Protection Standard?

Cost protection means that if your Azure resources are scaled out (e.g., auto-scaling) due to a DDoS attack, Azure will credit the additional costs incurred. This is a key benefit of the Standard tier. It does not cover SLA credits for downtime, only the extra resource costs. The exam may ask: 'What happens if an attack causes auto-scaling?' The answer is cost protection credits.

How are thresholds determined in DDoS Protection Standard?

Thresholds are adaptive, based on a baseline of normal traffic learned over the past 7 days. The default threshold is 2x the baseline for packets per second, bytes per second, and connections per second. You can override these with custom policies if your traffic is predictable. The exam may test that the learning period is 7 days, not 30 or 90.

Can I view attack reports after a DDoS attack?

Yes, with DDoS Protection Standard, you can view attack telemetry in Azure Monitor during the attack and download a detailed DDoS Attack Report after the attack ends. Reports are available for 12 months. The exam may ask about the retention period (12 months) or how to access reports (via Azure Portal or CLI).

Is DDoS Protection Standard available in all Azure regions?

DDoS Protection Standard is available in most Azure regions, but not all. Always check the latest documentation for region availability. The exam may include a scenario where a region is not supported, and you need to choose an alternative like Azure Front Door with DDoS Protection.
