This chapter covers Azure DDoS Protection, a critical security service that safeguards your applications from distributed denial-of-service attacks. For the AZ-900 exam, understanding DDoS Protection is part of Objective 2.3 (Describe security solutions and capabilities), which carries approximately 10-15% of the exam weight. You will learn the mechanics of how Azure detects and mitigates attacks, the two service tiers, and how it integrates with other Azure security tools. By the end, you will be able to distinguish DDoS Protection from other security services and answer exam questions confidently.
Jump to a section
Imagine you own a popular nightclub. Your club has a limited number of entrances and staff to handle the crowd. Normally, guests arrive in a steady stream, and your bouncers check IDs and let people in one by one. But one night, a rival club owner hires thousands of people to all show up at your door at the same time, blocking real customers from entering. This is a Distributed Denial of Service (DDoS) attack. Azure DDoS Protection acts like a super-bouncer stationed a block away. Before any person reaches your club, this bouncer scans the entire street. He can tell the difference between a genuine crowd of fans and a paid mob by analyzing patterns—like how fast they walk, whether they're all wearing the same shoes, or if they're shouting the same phrase. Fake crowds are redirected away from your club entirely, so your real customers can enter smoothly. The mechanism is that Azure DDoS Protection monitors traffic at the Azure network edge, scrubs malicious packets using global threat intelligence, and only forwards clean traffic to your application. It scales automatically to absorb attacks up to multiple terabits per second, without you having to hire extra bouncers or move to a bigger venue. The key insight: the bouncer doesn't just stand at your door; he intercepts threats before they reach your street, ensuring your club stays open for real business.
What is Azure DDoS Protection and the Business Problem It Solves
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. These attacks can be devastating: they can take an e-commerce site offline during peak shopping season, knock a gaming platform offline during a tournament, or cripple a financial institution's customer portal. The cost of downtime includes lost revenue, brand damage, and potential regulatory fines. Azure DDoS Protection is a cloud-based service that provides always-on traffic monitoring and automatic mitigation of network-layer and application-layer attacks. It is designed to protect Azure resources such as virtual machines, load balancers, and application gateways from the most common and sophisticated DDoS attacks.
How It Works — Step-by-Step Mechanism
Azure DDoS Protection operates at the Azure network edge, meaning it inspects traffic before it reaches your virtual network. The mechanism involves three phases: detection, mitigation, and telemetry.
Detection: Azure continuously monitors traffic patterns for your public IP addresses. It uses a set of baseline thresholds that are automatically learned based on your typical traffic profile. When traffic deviates significantly from this baseline—for example, a sudden spike in packets per second or bandwidth—the service triggers an alert.
Mitigation: Once an attack is detected, Azure DDoS Protection begins scrubbing traffic. It analyzes each packet against global threat intelligence signatures and heuristics. Malicious traffic is dropped, and only legitimate traffic is forwarded to your application. The mitigation happens automatically within minutes of detection, without any manual intervention. The service can absorb attacks up to multiple Tbps (terabits per second) by leveraging Azure's global network capacity.
Telemetry: After mitigation, you can view detailed reports through Azure Monitor and DDoS Protection Metrics. These reports show attack duration, attack type (e.g., SYN flood, UDP flood, DNS amplification), and total attack volume. This information helps you understand the threat landscape and adjust your defenses.
Key Components, Tiers, and Pricing Models
Azure DDoS Protection comes in two tiers:
Basic (Free): Automatically enabled for all Azure resources. It provides always-on traffic monitoring and real-time mitigation of common network-layer attacks. However, it does not provide visibility into attack traffic, and it is limited to protecting against attacks that are less than 1 Gbps. It is suitable for small-scale applications or development environments.
Standard (Paid): Offers enhanced protection for production workloads. Key features include:
Always-on detection and automatic mitigation of network-layer and application-layer attacks.
Access to DDoS Protection reports and metrics.
Integration with Azure Monitor and Azure Security Center.
Protection for multiple public IP addresses within a virtual network.
Service-level agreement (SLA) of 99.99% uptime for the protection service itself.
Cost: approximately $2,944 per month per resource (as of 2024), plus data processing charges. However, you can protect up to 100 public IP addresses under a single DDoS Protection plan.
Important: DDoS Protection Standard is applied at the virtual network level, not per individual VM. You create a DDoS Protection plan and associate it with one or more virtual networks.
How It Compares to On-Premises Equivalent
On-premises DDoS mitigation typically requires dedicated hardware appliances (e.g., from Arbor Networks, Radware, or F5). These appliances have fixed capacity, require manual configuration, and need to be scaled by purchasing and installing additional hardware. They also represent a single point of failure if the attack overwhelms the appliance itself. In contrast, Azure DDoS Protection is elastic—it can absorb massive attacks by leveraging Azure's global network capacity. It requires no hardware procurement, no maintenance, and scales automatically. The on-premises approach also lacks the benefit of global threat intelligence that Azure collects from its massive network footprint.
Azure Portal and CLI Touchpoints
Azure Portal: - Navigate to "DDoS Protection Plans" under Security in the Azure Portal. - Create a new plan, specifying a name, subscription, resource group, and location. - Associate the plan with a virtual network by going to the virtual network's "DDoS Protection" blade and selecting the plan. - View metrics and alerts under "Monitor" > "Metrics" for the virtual network.
Azure CLI:
# Create a DDoS Protection plan
az network ddos-protection create \
--resource-group MyResourceGroup \
--name MyDdosPlan \
--location eastus
# Associate with a virtual network
az network vnet update \
--resource-group MyResourceGroup \
--name MyVNet \
--ddos-protection true \
--ddos-protection-plan MyDdosPlan
# List DDoS Protection plans
az network ddos-protection list
# Show metrics (example: packets per second)
az monitor metrics list \
--resource /subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/MyVNet \
--metric PacketsInDDoSPowerShell:
# Create a DDoS Protection plan
New-AzDdosProtectionPlan -ResourceGroupName MyResourceGroup -Name MyDdosPlan -Location eastus
# Associate with a virtual network
$vnet = Get-AzVirtualNetwork -Name MyVNet -ResourceGroupName MyResourceGroup
$vnet.DdosProtectionPlan = (Get-AzDdosProtectionPlan -ResourceGroupName MyResourceGroup -Name MyDdosPlan).Id
$vnet.EnableDdosProtection = $true
Set-AzVirtualNetwork -VirtualNetwork $vnetARM Template (Bicep snippet):
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = {
name: 'MyDdosPlan'
location: resourceGroup().location
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-02-01' = {
name: 'MyVNet'
location: resourceGroup().location
properties: {
ddosProtectionPlan: {
id: ddosPlan.id
}
enableDdosProtection: true
// other properties...
}
}Identify Resources to Protect
Begin by identifying which Azure resources need DDoS protection. Common candidates include public-facing applications hosted on virtual machines, load balancers, application gateways, and Azure App Service environments. For production workloads, you should enable DDoS Protection Standard. Note that the protection is applied at the virtual network level—all resources within that VNet benefit. However, you must ensure that the resources have public IP addresses assigned; private IPs are not directly exposed to the internet.
Create a DDoS Protection Plan
In the Azure Portal, navigate to 'DDoS Protection Plans' and click 'Create'. Provide a name, select the subscription and resource group, and choose the Azure region. The plan is a regional resource, so it must be in the same region as the virtual networks you want to protect. You can create one plan per region per subscription, and each plan can protect up to 100 public IP addresses across multiple VNets. There is no additional cost for the plan itself—you pay for the Standard tier per protected public IP.
Associate the Plan with Virtual Networks
After creating the plan, you need to associate it with one or more virtual networks. In the virtual network's 'DDoS Protection' blade, set 'DDoS Protection Standard' to 'Enabled' and select the plan you created. You can associate the same plan with multiple VNets, but all VNets must be in the same region as the plan. Once associated, all public IPs within that VNet are automatically protected. This association can also be done via CLI or PowerShell as shown earlier.
Configure Alerts and Metrics
To be notified of attacks, configure alerts in Azure Monitor. For example, you can create an alert that triggers when the 'Under DDoS attack or not' metric changes to 1 (indicating an attack). You can also set alerts on 'Packets per second' or 'Bytes per second' thresholds. These metrics are available in the DDoS Protection plan's monitoring blade. The alerts can send emails, SMS, or trigger automated responses via Azure Logic Apps.
Test and Validate Protection
Before going live, you can test your DDoS protection by simulating an attack using Azure's DDoS Simulation partner tools (e.g., BreakingPoint Cloud). Azure also provides a 'DDoS Protection Test' feature (currently in preview) that allows you to generate test traffic. Ensure that the mitigation kicks in as expected and that legitimate traffic is not impacted. Review the post-attack report to understand the attack vector and volume. Regularly review the DDoS Protection reports to fine-tune your baseline thresholds if needed.
Scenario 1: E-commerce Platform During Black Friday
A large online retailer runs its website on Azure VMs behind a load balancer. During Black Friday sales, the site experiences a massive influx of legitimate traffic. However, a competitor launches a DDoS attack using a botnet, flooding the site with SYN packets. Without Azure DDoS Protection Standard, the load balancer's CPU spikes, and the site becomes unresponsive to real customers. With DDoS Protection Standard enabled, Azure detects the abnormal traffic pattern within minutes. The service scrubs the malicious SYN flood at the network edge, allowing legitimate shopping traffic to pass through. The retailer sees no downtime and continues to process orders. The cost of the DDoS Protection plan (~$3,000/month) is negligible compared to the revenue loss of even an hour of downtime. The team configures alerts to notify the security operations center (SOC) during the attack, and after the event, they use the DDoS Protection report to analyze the attack and adjust their WAF rules for future protection.
Scenario 2: Gaming Company Launching a New Title
A gaming company deploys its multiplayer game servers on Azure virtual machines with public IPs. During the launch week, the game attracts millions of players, but also becomes a target for DDoS attacks aimed at disrupting the game experience. The company enables DDoS Protection Standard on the virtual network hosting the game servers. During an attack, Azure's global network absorbs the traffic, and the game remains playable. The company also uses Azure Application Gateway with WAF to protect against application-layer attacks like HTTP floods. The DDoS Protection plan costs $2,944 per month plus data processing, but the company considers it a necessary insurance policy. Without it, a successful attack could ruin the launch and drive players to competitors.
Scenario 3: Financial Services Firm with Compliance Requirements
A bank processes transactions through an Azure-hosted API. Regulatory requirements mandate that the bank must have DDoS protection in place. The bank enables Azure DDoS Protection Standard and integrates it with Azure Security Center for continuous compliance monitoring. During a volumetric attack, the bank's security team receives automated alerts and can view real-time metrics in Azure Monitor. The attack is mitigated without impacting transaction processing. The bank also uses DDoS Protection reports for audit evidence. A common mistake is failing to associate the DDoS Protection plan with all VNets that host critical resources, leaving some endpoints unprotected. The bank mitigates this by using Azure Policy to enforce DDoS Protection Standard on all VNets.
AZ-900 Objective: 2.3 Describe security solutions and capabilities
This objective includes Azure DDoS Protection. On the exam, you will need to:
Understand the difference between Basic and Standard tiers.
Know what resources can be protected (public IPs, VNets).
Recognize key features: always-on monitoring, automatic mitigation, integration with Azure Monitor.
Identify that DDoS Protection Standard is a paid service with a 99.99% SLA.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: 'DDoS Protection can be applied to individual virtual machines.' - Why: Candidates think of traditional on-premises solutions where each server has its own appliance. Reality: Azure DDoS Protection is applied at the virtual network level, not per VM.
2. Wrong answer: 'DDoS Protection Basic provides attack reports.' - Why: Basic is free, so candidates assume it includes all features. Reality: Basic does not provide visibility; only Standard offers reports and metrics.
3. Wrong answer: 'DDoS Protection can prevent all types of attacks.' - Why: Candidates overestimate the service. Reality: DDoS Protection mitigates network-layer and some application-layer attacks, but it does not replace a Web Application Firewall (WAF) for application-layer threats like SQL injection or cross-site scripting.
4. Wrong answer: 'DDoS Protection is enabled by default for all Azure subscriptions at the Standard tier.' - Why: Candidates confuse the free Basic tier with Standard. Reality: Basic is automatic and free; Standard must be explicitly enabled and paid for.
Specific Terms and Values That Appear Verbatim
Tiers: Basic (free) and Standard (paid).
Cost: ~$2,944/month per plan (protects up to 100 public IPs).
SLA: 99.99% for the protection service itself.
Mitigation time: Within minutes of detection.
Attack types: SYN flood, UDP flood, DNS amplification, etc.
Integration: Azure Monitor, Azure Security Center, Azure Sentinel.
Edge Cases and Tricky Distinctions
DDoS Protection vs. WAF: DDoS Protection handles volumetric attacks; WAF handles application-layer attacks. They are complementary.
DDoS Protection Standard vs. Azure Firewall: Azure Firewall is a stateful firewall; it does not provide DDoS mitigation.
DDoS Protection is regional: You must create a plan in the same region as your VNet.
Free Basic tier: It protects only against attacks less than 1 Gbps; larger attacks may not be mitigated.
Memory Trick / Decision Tree
Decision Tree for DDoS Protection Questions: 1. Is the question about protecting against volumetric attacks? → DDoS Protection. 2. Is it about application-layer attacks (SQL injection, XSS)? → WAF. 3. Is it about filtering traffic based on IP/port? → Azure Firewall or NSG. 4. Is it about free vs. paid? → Basic (free, no reports) vs. Standard (paid, reports).
Memory Trick: "DDoS = Big Flood; WAF = Tiny Sniper" — DDoS handles large-scale floods; WAF handles precise application attacks.
Azure DDoS Protection has two tiers: Basic (free, no reports) and Standard (paid, with reports and SLA).
DDoS Protection Standard costs approximately $2,944 per month per plan and protects up to 100 public IPs.
DDoS Protection is applied at the virtual network level, not per individual VM.
The service provides a 99.99% SLA for the protection service itself.
Detection and mitigation happen automatically within minutes of an attack.
DDoS Protection integrates with Azure Monitor, Azure Security Center, and Azure Sentinel.
DDoS Protection is complementary to Azure WAF — use both for layered defense.
These come up on the exam all the time. Here's how to tell them apart.
Azure DDoS Protection
Protects against volumetric DDoS attacks (network layer).
Applied at the virtual network level.
Always-on monitoring, automatic mitigation.
Two tiers: Basic (free) and Standard (paid).
Integrates with Azure Monitor for metrics.
Azure Web Application Firewall (WAF)
Protects against application-layer attacks (SQL injection, XSS).
Applied at the application gateway or Azure Front Door.
Inspects HTTP/HTTPS traffic against rule sets.
Comes with Azure Application Gateway or Azure Front Door (additional cost).
Provides custom rules and managed rule sets.
Mistake
Azure DDoS Protection can protect on-premises resources.
Correct
No, DDoS Protection only protects Azure resources. On-premises resources need separate solutions or Azure DDoS Protection via Azure ExpressRoute with Microsoft peering (limited).
Mistake
DDoS Protection Standard is automatically enabled for all Azure subscriptions.
Correct
Only the Basic tier is automatic and free. Standard must be manually enabled and is a paid service.
Mistake
DDoS Protection can mitigate all types of cyberattacks.
Correct
It specifically mitigates DDoS attacks (volumetric, protocol, and some application-layer). It does not protect against other threats like SQL injection, malware, or phishing.
Mistake
You need to configure DDoS Protection on each virtual machine individually.
Correct
DDoS Protection is applied at the virtual network level. All resources within the VNet are automatically protected once the plan is associated.
Mistake
DDoS Protection Basic provides detailed attack reports.
Correct
Basic does not provide any visibility or reports. Only Standard offers metrics, alerts, and post-attack reports.
Basic is free and automatically enabled for all Azure resources, but it only provides monitoring and mitigation for attacks under 1 Gbps, with no reports or visibility. Standard is a paid service that offers enhanced protection, attack reports, metrics, alerts, and a 99.99% SLA. Standard is recommended for production workloads.
A DDoS Protection plan is regional. You can create one plan per region per subscription. To protect resources in multiple regions, you need separate plans for each region. However, you can associate multiple virtual networks within the same region to a single plan.
Yes, DDoS Protection Standard can mitigate some application-layer attacks (e.g., HTTP floods) by analyzing traffic patterns. However, for comprehensive application-layer protection (SQL injection, cross-site scripting), you should use Azure Web Application Firewall (WAF) in conjunction with DDoS Protection.
With DDoS Protection Standard, you can configure alerts in Azure Monitor based on the 'Under DDoS attack or not' metric. You can also view real-time metrics like packets per second or bytes per second. An attack will show a spike in these metrics. The DDoS Protection report provides a summary after the attack.
It depends on the risk. If your application is critical and you cannot afford downtime, the cost (~$2,944/month) may be justified. For small, non-critical apps, the free Basic tier may suffice. However, Basic does not protect against attacks larger than 1 Gbps, which are common today.
Yes, if your App Service uses a public IP and is within a virtual network (via regional VNet integration), you can protect it with DDoS Protection Standard. However, App Service itself has some built-in DDoS protection at the platform level.
Azure DDoS Protection Standard leverages Azure's global network capacity, which is massive. It can absorb attacks up to multiple Tbps. In the unlikely event that an attack exceeds capacity, Azure will still attempt to mitigate as much as possible, but some traffic may reach your application. Microsoft continuously expands capacity.
You've just covered Azure DDoS Protection — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?