SC-900 | Chapter 12 of 103 | Objective 3.4

Azure DDoS Protection and Firewall

This chapter covers two critical network security services in Azure: DDoS Protection and Azure Firewall. For the SC-900 exam, these topics fall under objective 3.4, 'Describe the security capabilities of Azure.' Expect approximately 10-15% of exam questions to touch on these services, often testing your ability to distinguish between them and understand their basic use cases. By the end of this chapter, you will be able to explain how Azure DDoS Protection mitigates volumetric attacks and how Azure Firewall provides stateful network filtering, including key features like NAT rules and threat intelligence integration.

25 min read
Intermediate
Updated May 31, 2026

The Castle's Moat and Gatehouse

Imagine a medieval castle with two key defenses: a moat and a gatehouse. The moat is a wide, deep trench filled with water that surrounds the entire castle. It serves as a volumetric defense—any army trying to reach the castle must first cross the moat, which slows them down and forces them into predictable paths. The moat's primary purpose is to absorb and dissipate large-scale attacks by making it difficult for many attackers to approach at once. In contrast, the gatehouse is a heavily fortified structure at the castle's entrance. It has a heavy portcullis that can be lowered, murder holes for dropping rocks or hot oil, and guards who inspect everyone trying to enter. The gatehouse is a stateful defense—it examines each visitor, checks their credentials, and only allows authorized individuals through. It can also block specific threats like a known spy (a malicious IP address). In Azure, DDoS Protection is like the moat: it absorbs massive volumetric attacks (e.g., UDP floods) at the network edge before they reach your application. Azure Firewall is like the gatehouse: it inspects every packet, enforces rules based on source/destination IP, port, and protocol, and maintains state for TCP sessions. The moat doesn't care if a single spy sneaks through—it's designed for scale. The gatehouse doesn't care if a thousand peasants try to rush the gate—it's designed for granular control. Together, they provide layered defense.

How It Actually Works

What is Azure DDoS Protection?

Azure DDoS Protection (Distributed Denial of Service Protection) defends Azure resources that have public IP addresses against network-layer (Layer 3/4) DDoS attacks. It is always-on and built into the Azure platform. This chapter uses the tier names that most SC-900 study material still uses: Basic (automatic, no cost) and Standard (paid, enhanced features). Microsoft has since renamed them: Basic is now called DDoS infrastructure protection, Standard is DDoS Network Protection, and a third SKU, DDoS IP Protection, applies the same protection to a single public IP without a plan. You may see either naming on exam material. The SC-900 exam focuses on the paid tier.

How Azure DDoS Protection Works

Azure DDoS Protection Standard uses adaptive tuning to learn normal traffic patterns for your application. It monitors traffic to public IP addresses associated with Azure resources (e.g., VMs, load balancers, application gateways). When it detects anomalous traffic that exceeds a threshold, it triggers mitigation. Mitigation involves scrubbing traffic at the Azure network edge—legitimate traffic is forwarded to your resource, while malicious traffic is dropped. The service protects against three types of attacks:

Volumetric attacks (e.g., UDP floods, amplification attacks)

Protocol attacks (e.g., SYN floods, fragmented packet attacks)

Resource-layer (L7) attacks (e.g., HTTP floods) – but these are better handled by Web Application Firewall (WAF).

Key Components and Defaults

Always-on traffic monitoring: No configuration required for basic detection.

Adaptive tuning: Machine learning models adjust thresholds based on your traffic patterns over time.

Attack metrics and alerts: You can view attack telemetry via Azure Monitor and set up alerts.

Cost protection: With DDoS Protection Standard, Azure issues service credits for data-transfer and application scale-out costs that a documented DDoS attack caused you to incur.

Policy enforcement: You associate a DDoS Protection plan with a virtual network (VNet); every public IP address attached to a resource in that VNet is then protected. One plan can be shared by VNets across regions and subscriptions within the same Microsoft Entra tenant.

SLA: 99.99% uptime for the service.

Thresholds are set automatically from the learned baseline and are expressed per public IP in packets per second for inbound TCP, UDP and SYN traffic. For example, if a public IP normally receives about 10,000 UDP packets per second, the tuned UDP threshold is a multiple of that baseline, and mitigation begins only when inbound UDP exceeds it. You can read the current thresholds from the DDoS metrics in Azure Monitor before an attack ever happens, which is a useful sanity check after onboarding.

How Azure Firewall Works

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a stateful firewall as a service (FaaS) with built-in high availability and automatic scaling (the Standard SKU scales to roughly 30 Gbps, Premium to roughly 100 Gbps). It filters traffic at Layers 3-7; the Premium SKU adds TLS inspection and IDPS on top of the Standard feature set.

Key Features

Stateful filtering: Tracks the state of network connections (TCP, UDP, ICMP). If a packet is part of an established session, it is allowed automatically if the session was initiated from an allowed source.

Application FQDN rules: Allows or denies outbound traffic based on fully qualified domain names (FQDNs) – e.g., allow traffic to *.microsoft.com.

Network rules: Filter traffic based on source/destination IP, port, and protocol.

DNAT (Destination Network Address Translation): Translate inbound public IP traffic to private IP addresses (e.g., for RDP or SSH access to VMs).

Threat intelligence: Built-in feed from Microsoft Threat Intelligence covering known malicious IP addresses and domains. It runs in one of three modes: Alert (the default, which only logs matches), Deny (which blocks them), or Off.

Logging and analytics: Integrates with Azure Monitor, Log Analytics, and Sentinel for full visibility.

How Azure Firewall Works Internally

Azure Firewall is deployed in a dedicated subnet named AzureFirewallSubnet within a VNet. It acts as a centralized control point for the traffic that is routed to it, including traffic entering and leaving the VNet. You define rules in collections (NAT Rule Collection, Network Rule Collection, Application Rule Collection). The priority (100-65000, lower number = higher priority) belongs to the collection, not to the individual rule. Processing order is fixed by rule type, not by priority: DNAT rules are evaluated first, then network rules, then application rules. Within each type the collections are evaluated in priority order, and the first matching rule decides the action (allow/deny). If a network rule matches, allow or deny, the application rules are not consulted at all. A DNAT match implicitly permits the translated traffic, so no separate network rule is needed for it. For stateful traffic, the firewall maintains a session table; a packet that belongs to an existing session is forwarded without re-evaluating the rules.

Configuration Example

To admit SSH from a known administrative range to a VM behind the firewall, the rule has to be a DNAT rule. Inbound internet traffic arrives addressed to the firewall's public IP, so a network rule whose destination is the VM's private address never matches it. The network rule form (az network firewall network-rule create) is the right tool for traffic between subnets or VNets that is routed through the firewall, and even there its source should be a specific range, never '*' on a management port. The command requires the azure-firewall CLI extension (az extension add --name azure-firewall); the source range and addresses below are placeholders:

az network firewall nat-rule create \
  --resource-group MyResourceGroup \
  --firewall-name MyFirewall \
  --collection-name InboundAdmin \
  --priority 100 \
  --action Dnat \
  --name AllowSSH \
  --source-addresses 198.51.100.0/24 \
  --destination-addresses <firewall-public-ip> \
  --destination-ports 22 \
  --translated-address 10.0.0.4 \
  --translated-port 22 \
  --protocols TCP

A DNAT match implicitly allows the translated flow, so no additional network rule is needed for it.

Interaction Between DDoS Protection and Azure Firewall

DDoS Protection operates at the network edge, before traffic reaches the firewall. It filters out volumetric attacks. Azure Firewall then inspects the remaining traffic. This layered approach ensures that only clean traffic reaches your application.

Default Values and Limits

DDoS Protection Standard (DDoS Network Protection) is priced per plan, not per VNet: list price about $2,944/month for a plan covering up to 100 protected public IP resources across all the VNets it is attached to, plus a per-resource charge for each resource beyond 100 (2025 list prices; they vary by region).

Azure Firewall Standard costs $1.25/hour per deployment + $0.016/GB processed (list prices, region-dependent).

Rule limits (this chapter quotes 200 rule collections per firewall and 100 rules per collection) differ by SKU and between classic rules and Firewall Policy; confirm them against the current Azure subscription and service limits page before designing a large policy.

SNAT ports: 2,496 per public IP per backend instance. Attach additional public IPs (up to 250) to enlarge the SNAT pool for heavy outbound workloads.

Verification Commands

To check that a DDoS Protection plan exists and which VNets are attached to it:

az network ddos-protection show --resource-group MyGroup --name MyDdosPlan --query "virtualNetworks[].id"

To confirm from the VNet side (the plan only protects a VNet that references it):

az network vnet show --resource-group MyGroup --name MyVnet --query "{ddosEnabled:enableDdosProtection, plan:ddosProtectionPlan.id}"

To review Azure Firewall rules (the firewall object has no firewallRules property; rules live under natRuleCollections, networkRuleCollections and applicationRuleCollections, and threatIntelMode tells you whether threat intelligence is actually denying or only alerting):

az network firewall show --resource-group MyGroup --name MyFirewall --query "{threatIntel:threatIntelMode, nat:natRuleCollections[].name, network:networkRuleCollections[].{name:name, priority:priority, action:action.type}, app:applicationRuleCollections[].name}"

Summary of Exam-Relevant Points

Azure DDoS Protection Basic (DDoS infrastructure protection) is always-on and free; Standard (DDoS Network Protection) requires a plan and is billed per plan.

DDoS Protection Standard protects against L3/L4 attacks; for L7, use WAF.

Azure Firewall is stateful; it can filter based on FQDN (application rules).

Azure Firewall supports DNAT for inbound traffic.

Both services integrate with Azure Monitor for logging.

DDoS Protection Standard is applied at the VNet level through a plan (DDoS IP Protection applies it per public IP instead); Firewall is deployed into a subnet of a VNet and only sees traffic that is routed to it.

Walk-Through

1

Enable DDoS Protection Plan

First, create a DDoS Protection Plan in your subscription. The plan is the billable unit, and one plan can be attached to many VNets across regions and subscriptions within the same Microsoft Entra tenant, so a second plan is rarely needed. You can create it using the Azure portal, CLI, or PowerShell. Once created, you attach it to each VNet you want covered. After attachment, all public IP addresses associated with resources in that VNet are automatically monitored, and adaptive tuning begins learning baseline traffic patterns per public IP over the next 24-48 hours.

2

Traffic Monitoring and Threshold Detection

Azure DDoS Protection continuously monitors traffic to all public IPs in the protected VNet. It uses machine learning models to establish a baseline of normal traffic. When traffic deviates significantly—e.g., a sudden spike in UDP packets from many sources—it triggers an alert. The detection is based on several metrics: packets per second, bytes per second, and number of source IPs. If any metric exceeds the adaptive threshold, mitigation begins. The threshold is not static; it adjusts over time as traffic patterns change.

3

Mitigation Activation

Once an attack is detected, Azure DDoS Protection automatically starts mitigation. Mitigation happens inline at the Azure network edge, not by diverting your traffic to an external scrubbing center: the edge drops packets identified as malicious by signature analysis, rate limiting, and protocol validation, and forwards legitimate traffic to the original destination. During mitigation, you can view attack telemetry in Azure Monitor; mitigation typically starts within minutes of the threshold being crossed. The service also provides cost protection: service credits for data-transfer and application scale-out costs incurred because of a documented attack.
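Steps 1-3 describe detection as a learned per-metric baseline plus thresholds. The following Python model was written for this chapter to make that logic concrete; it is not Azure's detection algorithm and not code from the original page, and its window size, multiplier, floor thresholds and telemetry are assumptions. It shows two properties a practitioner cares about: each of the three metrics the chapter lists (packets per second, bytes per second, distinct sources) is checked independently, and the baseline is frozen while mitigation is active so that attack traffic cannot train itself into the definition of "normal".

```python
from collections import deque
from statistics import mean

METRICS = ("pps", "bps", "sources")  # packets/s, bytes/s, distinct source IPs per interval


class AdaptiveDetector:
    """Simplified adaptive-threshold detector (chapter example, not Azure's implementation)."""

    def __init__(self, window=60, factor=2.0, floors=None):
        self.window = window   # number of clean intervals kept as the baseline
        self.factor = factor   # threshold = factor x baseline mean
        # Assumed minimum thresholds so an almost-idle public IP is not tripped by small bursts.
        self.floors = floors or {"pps": 20_000, "bps": 50_000_000, "sources": 500}
        self.history = {m: deque(maxlen=window) for m in METRICS}
        self.mitigating = False
        self.events = []       # (event, interval, metrics that breached)

    def threshold(self, metric):
        hist = self.history[metric]
        if not hist:
            return self.floors[metric]
        return max(self.floors[metric], self.factor * mean(hist))

    def observe(self, interval, sample):
        """Feed one interval of telemetry; returns True while mitigation is active."""
        breached = [m for m in METRICS if sample[m] > self.threshold(m)]
        if breached and not self.mitigating:
            self.mitigating = True
            self.events.append(("mitigation_start", interval, breached))
        elif not breached and self.mitigating:
            self.mitigating = False
            self.events.append(("mitigation_stop", interval, []))
        if not self.mitigating:  # learn only from traffic judged normal
            for m in METRICS:
                self.history[m].append(sample[m])
        return self.mitigating


def constructed_telemetry():
    """Constructed per-interval samples: 30 normal, 10 under a UDP flood, 10 normal again."""
    def normal(i):
        pps = 8_000 + (i % 5) * 200
        return {"pps": pps, "bps": pps * 600, "sources": 300 + (i % 7)}
    flood = {"pps": 900_000, "bps": 900_000 * 1_200, "sources": 40_000}
    return [normal(i) for i in range(30)] + [flood] * 10 + [normal(i) for i in range(40, 50)]


def run_demo():
    det = AdaptiveDetector()
    for i, sample in enumerate(constructed_telemetry()):
        det.observe(i, sample)
    return det
```

Running run_demo() yields a mitigation_start event at interval 30 with all three metrics breached and a mitigation_stop at interval 40. Because the flood intervals were never added to the history, the pps threshold after the attack is still the 20,000 floor rather than a value inflated by the attack.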

4

Configure Azure Firewall Rules

To use Azure Firewall, you first deploy it into a dedicated subnet named AzureFirewallSubnet (minimum size /26) within your VNet. After deployment, you define network and application rules. Network rules filter on IP, port, and protocol. Application rules allow or deny outbound HTTP, HTTPS and MSSQL traffic by FQDN. You also configure DNAT rules to map the firewall's public IP and port to a private IP and port. Each rule belongs to a collection, and the collection carries the priority. Within each rule type the firewall evaluates collections from highest priority (lowest number) to lowest, with DNAT rules processed before network rules and network rules before application rules. If no rule matches, the traffic is denied. Threat intelligence is on by default in Alert mode, which only logs; set it to Deny to actually block traffic to and from known malicious IPs and domains.

5

Traffic Flow Through Firewall

When a packet arrives at the firewall's public IP or is sent from a VM in the VNet to the internet, the firewall first checks its state table. If the packet belongs to an existing session, it is forwarded without re-evaluating rules. If it is a new session, the firewall evaluates DNAT rules first (only for traffic addressed to its public IP), then network rules, then application rules. Application rules apply only to HTTP, HTTPS and MSSQL traffic and match on the FQDN (the TLS SNI or HTTP Host header), so a flow that no network rule matched still has a chance to be allowed by name; a flow that a network rule matched, allow or deny, never reaches the application rules. If a rule allows the traffic, the firewall creates a state entry and forwards the packet. For outbound traffic to non-private addresses, the firewall performs SNAT (Source Network Address Translation) using its public IP(s). The firewall logs allowed and denied traffic to Azure Monitor only if diagnostic settings are configured; without them there is no rule-level log at all.
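As an added example for this chapter (not Azure's code and not from the original page), the Python model below encodes the evaluation order described in the internals section and in steps 4 and 5: state table, then DNAT, network and application rules by collection priority, then default deny, with SNAT on allowed internet-bound flows. The policy, packets and addresses are constructed (documentation ranges), and the model deliberately ignores IP groups, FQDN tags, DNS proxy and TLS inspection.

```python
import fnmatch
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src: str
    dst: str
    dport: int
    fqdn: str = ""  # TLS SNI / HTTP Host; application rules match on this, never on dst

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple          # CIDRs or "*"
    dests: tuple            # CIDRs/"*" for NAT and network rules, FQDN patterns for application rules
    ports: tuple
    protos: tuple           # "TCP", "UDP" or "Any"
    translated: tuple = ()  # (private_ip, port), DNAT rules only

@dataclass
class Collection:
    name: str
    kind: str       # "nat", "network" or "application"
    priority: int   # 100-65000, carried by the collection not the rule; lower number wins
    action: str     # "Allow"/"Deny"; NAT collections always translate on match
    rules: list = field(default_factory=list)


def addr_in(addr, patterns):
    return any(p == "*" or ip_address(addr) in ip_network(p, strict=False) for p in patterns)


class Firewall:
    def __init__(self, public_ip, collections):
        self.public_ip = public_ip
        self.collections = collections
        self.sessions = set()  # state table: an established flow skips rule evaluation

    def _by_priority(self, kind):
        return sorted((c for c in self.collections if c.kind == kind), key=lambda c: c.priority)

    def _matches(self, rule, pkt, kind):
        if "Any" not in rule.protos and pkt.proto not in rule.protos:
            return False
        if pkt.dport not in rule.ports or not addr_in(pkt.src, rule.sources):
            return False
        if kind == "application":
            return bool(pkt.fqdn) and any(fnmatch.fnmatch(pkt.fqdn, d) for d in rule.dests)
        return addr_in(pkt.dst, rule.dests)

    def evaluate(self, pkt):
        """Return (action, reason) for one packet; Allow results are added to the state table."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "Allow", "established session"
        # Fixed order DNAT -> network -> application; within a type, lowest priority number first.
        # DNAT only sees traffic addressed to the firewall's public IP, and a DNAT match also
        # permits the flow (Azure adds the matching network rule implicitly).
        for kind in ("nat", "network", "application"):
            if kind == "nat" and pkt.dst != self.public_ip:
                continue
            for col in self._by_priority(kind):
                for rule in col.rules:
                    if not self._matches(rule, pkt, kind):
                        continue
                    if kind == "nat":
                        self.sessions.add(key)
                        return "Allow", f"DNAT {col.name}/{rule.name} -> {rule.translated[0]}:{rule.translated[1]}"
                    if col.action != "Allow":  # a Deny at priority 100 shadows an Allow at 200
                        return "Deny", f"{kind} {col.name}/{rule.name}"
                    self.sessions.add(key)
                    snat = "" if any(ip_address(pkt.dst) in n for n in PRIVATE) else f", SNAT {self.public_ip}"
                    return "Allow", f"{kind} {col.name}/{rule.name}{snat}"
        return "Deny", "no rule matched (default deny)"


def build_demo_firewall():
    """Constructed hub-firewall policy; 203.0.113.10, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges."""
    return Firewall("203.0.113.10", [
        Collection("InboundAdmin", "nat", 100, "Dnat", [
            Rule("SSH-to-jump", ("198.51.100.0/24",), ("203.0.113.10",), (22,), ("TCP",), ("10.0.0.4", 22))]),
        Collection("BlockLegacy", "network", 100, "Deny", [
            Rule("no-telnet", ("*",), ("*",), (23,), ("TCP",))]),
        Collection("CoreNet", "network", 200, "Allow", [
            Rule("dns", ("10.0.0.0/16",), ("10.0.2.4",), (53,), ("TCP", "UDP")),
            Rule("telnet-legacy", ("10.0.0.0/16",), ("*",), (23,), ("TCP",)),    # shadowed by BlockLegacy
            Rule("ssh-to-private", ("*",), ("10.0.0.4",), (22,), ("TCP",))]),  # can never match internet traffic
        Collection("WebEgress", "application", 200, "Allow", [
            Rule("ms-updates", ("10.0.0.0/16",), ("*.microsoft.com",), (443,), ("TCP",))]),
    ])


def run_demo():
    fw = build_demo_firewall()
    cases = {
        "ssh_from_corp": Packet("TCP", "198.51.100.7", "203.0.113.10", 22),
        "ssh_from_internet": Packet("TCP", "192.0.2.55", "203.0.113.10", 22),
        "dns": Packet("UDP", "10.0.1.20", "10.0.2.4", 53),
        "telnet": Packet("TCP", "10.0.1.20", "192.0.2.9", 23),
        "https_ms": Packet("TCP", "10.0.1.20", "13.107.42.16", 443, fqdn="update.microsoft.com"),
        "https_other": Packet("TCP", "10.0.1.20", "192.0.2.80", 443, fqdn="files.example.net"),
    }
    results = {name: fw.evaluate(p) for name, p in cases.items()}
    results["ssh_from_corp_again"] = fw.evaluate(cases["ssh_from_corp"])  # served from the state table
    return results
```

Two cases in run_demo() are the ones worth remembering: ssh_from_internet is denied even though an allow rule for 10.0.0.4:22 exists, because internet traffic is addressed to the firewall's public IP and only a DNAT rule can match it; telnet is denied although CoreNet allows it, because the Deny collection has the lower priority number and network rules are evaluated before the allow is ever reached.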

What This Looks Like on the Job

Enterprise Scenario 1: E-commerce Platform Under DDoS Attack

A large e-commerce company runs its web application on Azure VMs behind a load balancer. During a sales event, they are hit by a UDP amplification attack exceeding 100 Gbps. With Azure DDoS Protection Standard enabled on the VNet, the attack is detected within minutes and mitigated inline at the Azure network edge: the malicious UDP traffic is dropped before it reaches the load balancer, and the web application remains available. Without DDoS Protection, the load balancer would be overwhelmed, causing downtime. The company also uses Azure Firewall to restrict outbound traffic from the web servers to only the necessary endpoints (e.g., database, payment gateway), limiting data exfiltration if a web server is compromised.

Enterprise Scenario 2: Secure Remote Access with Azure Firewall

A financial services firm has a hybrid network with Azure VMs that need to be accessed by remote employees. They deploy Azure Firewall with DNAT rules to map the firewall's public IP to an internal jump box (Windows VM). Employees RDP to the firewall's public IP, and the firewall translates the destination to the jump box's private IP. Additionally, they configure network rules to allow only RDP traffic from specific corporate IP ranges. They also enable threat intelligence to block known malicious IPs. This setup provides a secure, managed entry point without exposing the jump box directly to the internet.

Scenario 3: Compliance and Logging

A healthcare company must log all network traffic for compliance. They enable diagnostic logs on Azure Firewall and stream them to a Log Analytics workspace. They also set up alerts for denied traffic. The logs include source/destination IP, port, protocol, and action. They use Microsoft Sentinel to detect anomalies. Because the firewall is stateful, it writes one log entry per new connection rather than one per packet, which keeps log volume manageable. This setup meets regulatory requirements without overwhelming the security team.
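Scenario 3 turns on "alerts for denied traffic". The block below, added for this chapter and not part of the original page, shows the kind of logic such an alert encodes, run over a handful of constructed log lines shaped like the msg field of the legacy AzureFirewallNetworkRule log category ("TCP request from 10.0.1.20:51234 to 192.0.2.9:23. Action: Deny", with an optional trailing "Reason: ..."). In production the same questions would be asked in KQL against the workspace; the regex, the thresholds and the sample lines are assumptions for illustration, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Matches the msg field of legacy AzureFirewallNetworkRule entries; ports and the
# trailing "Reason: ..." are optional because ICMP lines and Allow lines omit them.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) request from (?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Reason: (?P<reason>.*))?$"
)

ADMIN_PORTS = {22, 3389}

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
TCP request from 10.0.1.20:51234 to 192.0.2.9:23. Action: Deny
TCP request from 10.0.1.20:51235 to 13.107.42.16:443. Action: Allow
TCP request from 192.0.2.55:40001 to 10.0.0.4:22. Action: Deny. Reason: No rule matched. Proceeding with default action
TCP request from 192.0.2.55:40002 to 10.0.0.4:3389. Action: Deny. Reason: No rule matched. Proceeding with default action
TCP request from 192.0.2.55:40003 to 10.0.0.4:445. Action: Deny. Reason: No rule matched. Proceeding with default action
TCP request from 192.0.2.55:40004 to 10.0.0.4:8080. Action: Deny. Reason: No rule matched. Proceeding with default action
UDP request from 10.0.1.21:53001 to 10.0.2.4:53. Action: Allow
TCP request from 10.0.1.22:50010 to 198.51.100.9:22. Action: Deny
ICMP request from 10.0.1.20 to 10.0.2.4. Action: Allow
"""


def parse(text):
    """Parse log text into records; lines that do not match are counted, not silently dropped."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        records.append(rec)
    return records, unparsed


def summarize(records, scan_min_ports=3):
    """Per-source deny counts, sources that look like port scans, and denied admin-port attempts."""
    denies = defaultdict(list)
    for r in records:
        if r["action"] == "Deny":
            denies[r["src"]].append(r)
    scanners = sorted(src for src, rs in denies.items()
                      if len({r["dport"] for r in rs}) >= scan_min_ports)
    admin = [(r["src"], r["dst"], r["dport"]) for r in records
             if r["action"] == "Deny" and r["dport"] in ADMIN_PORTS]
    return {"denied_count": {src: len(rs) for src, rs in denies.items()},
            "scanners": scanners, "admin_port_denies": admin}


def analyze(text=SAMPLE_LOG):
    records, unparsed = parse(text)
    summary = summarize(records)
    summary["unparsed"] = unparsed
    return summary
```

On the sample, analyze() flags 192.0.2.55 as a scanner (four denies across four distinct ports, two of them admin ports) and separately surfaces the internal host 10.0.1.22 being denied SSH to an external address, which is the outbound case Scenario 1 cares about. The unparsed counter matters in practice: a format change in the log source should show up as a jump in that number, not as a silent drop in alerts.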

Common Misconfigurations

Not attaching the DDoS Protection plan to the correct VNet.

Forgetting to create a default route (0.0.0.0/0) to the firewall for outbound traffic.

Leaving threat intelligence in its default Alert mode (or switching it Off), so that traffic to and from known malicious IPs and domains is logged but never blocked.

Setting rule priorities incorrectly, causing unintended denies.

Not scaling the firewall for high throughput; Azure Firewall automatically scales, but you must ensure enough public IPs for SNAT.
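Each item in the list above can be checked from the JSON that the verification commands earlier in the chapter return. The following audit script is an added example for this chapter, not the page's or Microsoft's code: it runs over constructed dictionaries shaped like the output of az network firewall show, az network vnet show and az network route-table show (trimmed to the fields it reads; the property names are the CLI's, the values are made up), reports the misconfigurations, and then shows the same resources with each one fixed. The shadowing check is deliberately narrow: it only flags an Allow rule that a wildcard-source, wildcard-destination Deny in a lower-numbered collection fully covers.

```python
import copy

ADMIN_PORTS = {"22", "3389"}

# Constructed sample resources (documentation address ranges), trimmed to the fields checked.
FIREWALL = {
    "name": "hub-fw",
    "threatIntelMode": "Off",
    "ipConfigurations": [{"privateIPAddress": "10.0.1.4"}],
    "natRuleCollections": [
        {"name": "Inbound", "priority": 100, "action": {"type": "Dnat"}, "rules": [
            {"name": "rdp-any", "protocols": ["TCP"], "sourceAddresses": ["*"],
             "destinationAddresses": ["203.0.113.10"], "destinationPorts": ["3389"],
             "translatedAddress": "10.0.2.4", "translatedPort": "3389"}]}],
    "networkRuleCollections": [
        {"name": "BlockAll", "priority": 100, "action": {"type": "Deny"}, "rules": [
            {"name": "deny-443", "protocols": ["TCP"], "sourceAddresses": ["*"],
             "destinationAddresses": ["*"], "destinationPorts": ["443"]}]},
        {"name": "Egress", "priority": 200, "action": {"type": "Allow"}, "rules": [
            {"name": "https", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/16"],
             "destinationAddresses": ["*"], "destinationPorts": ["443"]},
            {"name": "any-any", "protocols": ["Any"], "sourceAddresses": ["*"],
             "destinationAddresses": ["*"], "destinationPorts": ["*"]}]}],
}
VNET = {"name": "hub-vnet", "enableDdosProtection": False, "ddosProtectionPlan": None}
ROUTE_TABLE = {"name": "spoke-rt", "routes": [
    {"name": "to-onprem", "addressPrefix": "192.168.0.0/16",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None}]}


def iter_rules(fw, kind):
    """Yield (collection, rule) pairs in the order the firewall evaluates them."""
    for col in sorted(fw.get(kind, []), key=lambda c: c["priority"]):
        for rule in col["rules"]:
            yield col, rule


def covers(deny, rule):
    """True if a wildcard deny rule matches everything the allow rule would match."""
    return ("*" in deny["sourceAddresses"] and "*" in deny["destinationAddresses"]
            and ("*" in deny["destinationPorts"] or set(deny["destinationPorts"]) & set(rule["destinationPorts"]))
            and ("Any" in deny["protocols"] or set(deny["protocols"]) & set(rule["protocols"])))


def audit(fw, vnet, route_table):
    findings = []
    if not vnet.get("enableDdosProtection") or not vnet.get("ddosProtectionPlan"):
        findings.append(f"{vnet['name']}: no DDoS protection plan attached")
    if fw.get("threatIntelMode", "Off") != "Deny":
        findings.append(f"{fw['name']}: threat intelligence mode is {fw.get('threatIntelMode', 'Off')}, not Deny")
    for col, rule in iter_rules(fw, "natRuleCollections"):
        exposed = ADMIN_PORTS & set(rule["destinationPorts"])
        if "*" in rule["sourceAddresses"] and exposed:
            findings.append(f"DNAT {col['name']}/{rule['name']}: admin port {','.join(sorted(exposed))} open to any source")
    denies = [(c["priority"], r) for c, r in iter_rules(fw, "networkRuleCollections") if c["action"]["type"] == "Deny"]
    for col, rule in iter_rules(fw, "networkRuleCollections"):
        if col["action"]["type"] != "Allow":
            continue
        if all("*" in rule[k] for k in ("sourceAddresses", "destinationAddresses", "destinationPorts")):
            findings.append(f"network {col['name']}/{rule['name']}: allows any source to any destination on any port")
        for prio, deny in denies:
            if prio < col["priority"] and covers(deny, rule):
                findings.append(f"network {col['name']}/{rule['name']}: shadowed by Deny collection at priority {prio}")
    fw_ip = fw["ipConfigurations"][0]["privateIPAddress"]
    if not any(r["addressPrefix"] == "0.0.0.0/0" and r["nextHopType"] == "VirtualAppliance"
               and r["nextHopIpAddress"] == fw_ip for r in route_table["routes"]):
        findings.append(f"{route_table['name']}: no 0.0.0.0/0 route with next hop VirtualAppliance {fw_ip}")
    return findings


def remediated():
    """The same resources with every finding fixed; audit() on the result returns []."""
    fw, vnet, rt = copy.deepcopy(FIREWALL), copy.deepcopy(VNET), copy.deepcopy(ROUTE_TABLE)
    vnet.update(enableDdosProtection=True, ddosProtectionPlan={"id": "corp-ddos-plan"})  # placeholder resource id
    fw["threatIntelMode"] = "Deny"
    fw["natRuleCollections"][0]["rules"][0]["sourceAddresses"] = ["198.51.100.0/24"]
    fw["networkRuleCollections"][0]["rules"][0]["destinationPorts"] = ["23"]  # the deny was meant for telnet
    del fw["networkRuleCollections"][1]["rules"][1]                           # drop the any/any/any rule
    rt["routes"].append({"name": "default", "addressPrefix": "0.0.0.0/0",
                         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"})
    return fw, vnet, rt
```

audit(FIREWALL, VNET, ROUTE_TABLE) returns six findings on the constructed input, one per misconfiguration in the list above (the SNAT-capacity item is a sizing question rather than a configuration bug and is not checked). To run it against real resources, load the JSON from the three az commands with json.load and pass the resulting dictionaries in.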

How SC-900 Actually Tests This

What SC-900 Tests

Objective 3.4: Describe the security capabilities of Azure. Specifically, you need to know:

The difference between Azure DDoS Protection Basic and Standard.

That DDoS Protection protects against L3/L4 attacks.

That Azure Firewall is a stateful firewall as a service.

That Azure Firewall supports application FQDN rules and DNAT.

That both services integrate with Azure Monitor.

Common Wrong Answers

1.

'Azure DDoS Protection can protect against application-layer attacks.' This is false; DDoS Protection works at L3/L4. For L7, you need Web Application Firewall (WAF). Candidates often confuse DDoS with WAF.

2.

'Azure Firewall is stateless.' This is false; Azure Firewall is stateful. Many candidates think of basic NSGs (which are also stateful) but assume firewall is stateless. Remember: Azure Firewall tracks session state.

3.

'Azure Firewall can be used to filter traffic between VNets without routing.' Actually, you must configure user-defined routes (UDRs) to direct traffic through the firewall. The exam may test that Azure Firewall requires routing.

4.

'DDoS Protection Standard is free.' Only Basic is free; Standard has a cost. The exam often asks about pricing tiers.

Specific Numbers and Terms

DDoS Protection Standard cost: ~$2,944/month per plan (covering up to 100 protected public IP resources), not per VNet.

Azure Firewall cost: $1.25/hour + $0.016/GB.

Rule priority range: 100-65000.

Application rules use FQDNs, not IP addresses.

DNAT = Destination Network Address Translation.

Threat intelligence is built-in at no extra cost; it defaults to Alert mode and must be set to Deny to block rather than only log.

Edge Cases

If you have multiple VNets, one DDoS Protection plan can be shared by all of them, across regions and subscriptions within the same tenant; you do not need a plan per VNet or per region, and a second plan usually only means a second bill.

Azure Firewall can be deployed in a hub VNet to inspect traffic between spoke VNets (hub-and-spoke topology).

DDoS Protection does not protect against attacks targeting on-premises resources; it only protects Azure public IPs.

How to Eliminate Wrong Answers

If the question mentions 'volumetric attack' or 'SYN flood', the answer is DDoS Protection.

If the question mentions 'stateful inspection', 'FQDN filtering', or 'DNAT', the answer is Azure Firewall.

If the question mentions 'application layer' or 'SQL injection', it's WAF, not DDoS or Firewall.

Always check if the service is 'always-on' (DDoS Basic) or 'requires configuration' (DDoS Standard, Firewall).

Key Takeaways

Azure DDoS Protection Basic is free and always-on; Standard is billed per plan (~$2,944/month for up to 100 protected public IP resources), and one plan can cover many VNets.

DDoS Protection Standard protects against L3/L4 attacks only; L7 attacks require WAF.

Azure Firewall is a stateful, managed firewall as a service with built-in HA and scalability.

Azure Firewall supports network rules (IP/port/protocol) and application rules (FQDN for HTTP/S).

DNAT in Azure Firewall allows mapping public IPs to private IPs for inbound access.

Both DDoS Protection and Azure Firewall integrate with Azure Monitor for logging and alerts.

Traffic must be routed through Azure Firewall using user-defined routes (UDRs).

DDoS Protection Standard uses adaptive tuning to learn normal traffic patterns over 24-48 hours.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure DDoS Protection

Protects against volumetric and protocol attacks (L3/L4).

Always-on monitoring with adaptive tuning (Standard).

Applied at the VNet level via a DDoS Protection plan.

No configuration of rules required; automatic mitigation.

Provides cost protection during an attack (Standard).

Azure Firewall

Provides stateful network filtering and application inspection (L3-L7).

Requires explicit rule configuration (network, application, NAT).

Deployed as a service in a dedicated subnet within a VNet.

Can perform DNAT for inbound traffic and SNAT for outbound.

Integrates with threat intelligence to block malicious IPs.

Watch Out for These

Mistake

Azure DDoS Protection protects against all types of attacks including application-layer attacks.

Correct

Azure DDoS Protection Standard protects against volumetric and protocol attacks at Layers 3 and 4. For application-layer (Layer 7) attacks like HTTP floods or SQL injection, you need Azure Web Application Firewall (WAF) or Azure Application Gateway with WAF.

Mistake

Azure Firewall is a stateless firewall like a basic packet filter.

Correct

Azure Firewall is stateful. It tracks the state of TCP, UDP, and ICMP sessions. When a packet is part of an established session, it is allowed automatically without re-evaluating all rules. This is different from stateless firewalls that evaluate every packet independently.

Mistake

Azure Firewall can automatically filter traffic between VNets without additional configuration.

Correct

Azure Firewall must be explicitly deployed and traffic must be routed through it using user-defined routes (UDRs). Simply deploying the firewall does not automatically inspect traffic between VNets. You need to create routes in the subnet route tables pointing to the firewall's private IP as the next hop.

Mistake

DDoS Protection Standard is free for all Azure customers.

Correct

DDoS Protection Basic is free and automatically enabled for all Azure resources. DDoS Protection Standard is a paid tier that provides enhanced features like adaptive tuning, attack metrics, and cost protection. It is billed per plan, approximately $2,944 per month for up to 100 protected public IP resources, and a single plan can be shared across VNets.

Mistake

Azure Firewall can filter traffic based on domain names for any protocol.

Correct

Azure Firewall's application rules support FQDN filtering for HTTP, HTTPS and MSSQL traffic only (the FQDN tag for Azure Kubernetes Service is shorthand for a set of HTTP/HTTPS FQDNs, not a separate protocol). For other protocols, use network rules: they match on IP addresses and ports, and they can also take a destination FQDN if you enable the firewall's DNS proxy, which resolves the name at rule-processing time.


Frequently Asked Questions

What is the difference between Azure DDoS Protection Basic and Standard?

Azure DDoS Protection Basic is automatically enabled for all Azure resources at no additional cost. It provides always-on traffic monitoring and mitigation of common network-layer attacks. Standard is a paid tier that offers enhanced features such as adaptive tuning (machine learning that learns your traffic patterns), attack metrics and alerts through Azure Monitor, and cost protection (service credits for scale-out and data-transfer costs caused by a documented attack). Standard is billed per plan, approximately $2,944 per month for up to 100 protected public IP resources, and one plan can be attached to many VNets.

Can Azure Firewall replace a Network Security Group (NSG)?

Azure Firewall and NSGs serve different purposes and are usually used together. NSGs are stateful too, but they provide distributed Layer 3/4 filtering at the subnet or NIC level with no FQDN filtering, no DNAT and no threat intelligence (NSG flow logs are a logging feature and have nothing to do with statefulness). Azure Firewall is a centralized, stateful firewall with advanced features like application FQDN filtering, DNAT, and threat intelligence. In a hub-and-spoke topology, you might use NSGs for micro-segmentation within a VNet and Azure Firewall for perimeter security between VNets and the internet.

How does Azure Firewall handle outbound traffic SNAT?

Azure Firewall automatically performs Source Network Address Translation (SNAT) for outbound traffic to the internet. It uses the firewall's public IP address (or a pool of public IPs if multiple are assigned) as the source IP. This hides the private IPs of your VMs. The firewall tracks the SNAT state so that return traffic is correctly forwarded to the originating VM. The default SNAT port allocation is 2,496 ports per public IP per backend instance.

What is adaptive tuning in Azure DDoS Protection?

Adaptive tuning is a feature of Azure DDoS Protection Standard that uses machine learning to learn your application's typical traffic patterns over time. It establishes a baseline for metrics like packets per second, bytes per second, and number of source IPs. When traffic deviates from this baseline (e.g., a sudden spike), the service adjusts its mitigation thresholds accordingly. This reduces false positives and ensures that legitimate traffic is not dropped during an attack.

Can I use Azure Firewall to inspect traffic between two VNets in the same region?

Yes, you can use Azure Firewall to inspect traffic between VNets by deploying the firewall in a hub VNet and peering spoke VNets to the hub. You must configure user-defined routes (UDRs) in each spoke subnet to route traffic destined to other VNets through the firewall's private IP. The firewall will then apply its rules to inter-VNet traffic, allowing you to enforce security policies centrally.

Does Azure DDoS Protection work for on-premises resources?

No, Azure DDoS Protection only protects Azure resources that have public IP addresses associated with them, such as VMs, load balancers, and application gateways. It does not protect on-premises infrastructure. For on-premises, you would need a third-party DDoS protection service or an Azure-based reverse proxy like Azure Front Door with DDoS protection.

What is the default action for traffic that does not match any Azure Firewall rule?

The default action is to deny traffic. If a packet does not match any network or application rule, the firewall drops it. This is a security best practice. You cannot change the default action to allow; you must explicitly create allow rules for traffic you want to permit.
