Azure DDoS Protection defends applications against distributed denial-of-service (DDoS) attacks by combining always-on monitoring, adaptive mitigation, and integrated telemetry into a single managed service. This article explains the protection models, core features, recommended deployment workflow, and how to attach DDoS protection to Azure networking resources. DDoS Protection continuously monitors incoming traffic to detect anomalous patterns and suspicious activity. The service adapts automatically, tuning thresholds based on the real-time traffic profile of your application. Built-in telemetry, mitigation reports, and alerts provide operational visibility into ongoing or attempted attacks. When required, Microsoft’s rapid response team can assist with mitigation. DDoS Protection integrates with other Azure security services and scales with Azure’s global infrastructure to absorb large volumetric attacks.
A schematic of Azure DDoS protection showing customer traffic flowing through an Azure Portal/Virtual Network to a DDoS Protection Standard and Policy Generation component that maps to public IPs. Below the diagram are feature highlights like always-on monitoring, adaptive tuning, analytics & alerts, rapid response, turnkey multi-layered design, and scalable mitigation.

Protection models: network-level vs per-IP

Azure offers two primary DDoS protection models—each fits different operational needs:
  • DDoS Network Protection (Plan-level): Attach a protection plan to one or more virtual networks (VNets). Traffic is filtered upstream before reaching resources that rely on public IPs inside the VNet (virtual machines, load balancers, Application Gateway, Azure Firewall, Bastion, etc.).
  • DDoS IP Protection (Per-IP): Protect individual public IP addresses (standalone public IPs or those associated with a load balancer). Onboarding and billing are per protected IP.
The network-level plan is typically preferable for broad coverage because a single plan can protect many resources in a VNet. The per-IP option is useful when you only need to protect a small number of public IPs or have isolated resources that require standalone protection.
Capability                          | DDoS Network Protection (plan-level)                                  | DDoS IP Protection (per-IP)
Scope                               | Virtual networks (every eligible public IP inside them)               | Individual public IP addresses (Standard SKU)
Billing                             | Fixed monthly fee per plan covering 100 public IPs; further IPs charged per IP | Per protected IP
Common use cases                    | Hub-and-spoke, multi-resource VNets                                   | Single critical public endpoint
DDoS Rapid Response (DRR) support   | Included                                                              | Not included
Cost protection (credits for attack-driven scale-out) | Included                                            | Not included
Mitigation reports & flow logs      | Included (once diagnostic settings are enabled)                       | Included (once diagnostic settings are enabled)
An Azure architecture diagram for DDoS Network Protection showing Internet traffic via a public IP and load balancer into a virtual network/subnet hosting a protected Virtual Machine Scale Set. Managed Disks and a storage account for diagnostic logs are also shown.
Important: pricing and billing models vary by region and SKU. Review current rates and details on the Azure DDoS Protection pricing page: https://azure.microsoft.com/pricing/details/ddos-protection/
A diagram titled "Azure DDoS protection tiers – DDoS IP Protection" showing traffic flow from the Internet through a public IP and load balancer into a Virtual Machine Scale Set inside a virtual network/subnet. The diagram also shows associated resources like a managed disk and a storage account for diagnostic logs.

Operational best practices

A presentation slide titled "Deploying a DDoS protection plan" with five step buttons on the left (Create Protection Plan, Enable on VNets, Configure Telemetry, Set Diagnostic Alerts, Test & Monitor). On the right is an Azure portal screenshot showing a DDoS protection plan's "Protected resources" page and a listed virtual network (VN-HUB).
When a DDoS protection plan is attached to a virtual network, the VNet’s resources that use public IPs (load balancers, Application Gateway, and VMs with public IPs) automatically inherit protection. For per-IP protection, you must onboard each public IP individually.
The two tiers differ in support and pricing rather than in mitigation capability. Network Protection bundles 100 protected public IPs into one plan fee, includes DDoS Rapid Response (DRR) engagement during an active attack, and includes cost protection (service credits for compute and bandwidth that scale out during a documented attack). IP Protection charges per protected address and includes neither DRR nor cost protection. Mitigation reports, mitigation flow logs, metrics and alerts, and the Microsoft Sentinel data connector are available in both tiers.
A screenshot of a feature-comparison table listing DDoS/WAF mitigation capabilities (e.g., mitigation reports, flow logs, Sentinel connector) with Yes/No entries. The bottom row (highlighted) shows pricing: "Per protected IP" versus "Per 100 protected IP addresses."

Deployment checklist and workflow

Follow these steps to deploy and operate DDoS protection effectively:
  1. Create a DDoS protection plan resource.
  2. Attach the plan to the virtual networks you want to protect.
  3. Enable diagnostic settings on each protected public IP (log categories DDoSProtectionNotifications, DDoSMitigationFlowLogs and DDoSMitigationReports) and route them to a Log Analytics workspace or a storage account.
  4. Configure Azure Monitor alerts, at minimum on the public IP metric "Under DDoS attack or not", so the security team is notified when mitigation starts, not after the fact.
  5. Test and monitor: confirm the VNet appears under the plan's "Protected resources", confirm the expected public IPs report protection, and review the first mitigation reports when they arrive. If you want to run a DDoS simulation, use only one of Microsoft's approved simulation partners; generating attack traffic against Azure yourself is prohibited by the Azure penetration-testing rules of engagement.
Deployment commands (examples):
  • Create a DDoS protection plan via Azure CLI (example):
    az network ddos-protection create \
      --name ddos-az700-01 \
      --resource-group rg-az700-ddos-01 \
      --location eastus

  • Attach a VNet to the plan. Both flags are required: referencing the plan without --ddos-protection true leaves enableDdosProtection false on the VNet, and its public IPs stay unprotected:
    az network vnet update \
      --resource-group rg-az700-ddos-01 \
      --name myVnet \
      --ddos-protection true \
      --ddos-protection-plan /subscriptions/<sub>/resourceGroups/rg-az700-ddos-01/providers/Microsoft.Network/ddosProtectionPlans/ddos-az700-01
A Microsoft Azure portal screenshot of the "Create a DDoS protection plan" review page showing "Validation passed." It displays basics like subscription "Kodekloud Labs", resource group "(new) rg-az700-ddos-01", plan name "ddos-az700-01", and region "East US."
If you prefer per-IP protection, you can enable DDoS protection on a public IP resource directly when creating or editing that Public IP in the portal. Choose the DDoS Protection setting and select the desired mode: Network makes the IP inherit whatever plan is attached to the VNet it is placed in (the resource's protectionMode reads VirtualNetworkInherited), IP enables DDoS IP Protection on the address itself, and Disable opts out of both. The equivalent CLI setting is the --ddos-protection-mode flag on az network public-ip create and update. IP Protection requires a Standard SKU public IP; a Basic SKU public IP cannot be onboarded and must be upgraded first.
A screenshot of the Microsoft Azure portal showing the "Create public IP address" workflow on the "DDoS Protection" tab, with radio options for Network, IP (selected), and Disable. The page includes navigation breadcrumbs, a search bar, and buttons for Previous/Next/Review + create.
DDoS protection plans and per-IP protection incur charges. Review the pricing page (https://azure.microsoft.com/pricing/details/ddos-protection/) and confirm billing impact before provisioning resources in production.
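Once plans are attached and per-IP settings are chosen, the check a practitioner actually wants is coverage: which public IPs inherit Network Protection through an enabled plan, which carry IP Protection themselves, and which are exposed. The following audit is an added example written for this article; it is not code from the Azure CLI or from Microsoft's documentation. It reads the JSON arrays that `az network vnet list -o json`, `az network nic list -o json` and `az network public-ip list -o json` emit (only the `enableDdosProtection`, `ddosProtectionPlan`, `ddosSettings.protectionMode`, `sku.name`, `ipConfiguration` and NIC `subnet` fields), resolves each NIC-attached IP to its VNet, and classifies it against both tiers described above. The sample records, subscription ID and resource names are constructed for the example; a public IP attached to something other than a NIC (for example a load balancer frontend) is reported as unresolved rather than guessed.

```python
import json
from typing import Dict, List

# Constructed sample records (not real subscription output). They mirror the
# subset of fields this audit reads from `az network vnet list -o json`,
# `az network nic list -o json` and `az network public-ip list -o json`.
# Subscription ID, resource group and resource names are made up.
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
      "rg-az700-ddos-01/providers/Microsoft.Network")
PLAN_ID = RG + "/ddosProtectionPlans/ddos-az700-01"

SAMPLE_VNETS = [
    {"id": RG + "/virtualNetworks/vnet-hub", "name": "vnet-hub",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN_ID}},
    # Plan reference present but the enable flag is false: not protected.
    {"id": RG + "/virtualNetworks/vnet-spoke", "name": "vnet-spoke",
     "enableDdosProtection": False, "ddosProtectionPlan": {"id": PLAN_ID}},
]

def _nic(name: str, vnet: str, pip: str) -> dict:
    """Sample-data helper: one NIC with a single ipConfiguration."""
    return {"name": name, "ipConfigurations": [{
        "id": RG + f"/networkInterfaces/{name}/ipConfigurations/ipconfig1",
        "subnet": {"id": RG + f"/virtualNetworks/{vnet}/subnets/snet-default"},
        "publicIPAddress": {"id": RG + f"/publicIPAddresses/{pip}"}}]}

SAMPLE_NICS = [_nic("nic-web-01", "vnet-hub", "pip-web-01"),
               _nic("nic-app-01", "vnet-spoke", "pip-app-01")]

def _pip(name: str, sku: str, mode: str, attached_to: str = None) -> dict:
    """Sample-data helper: one public IP record."""
    return {"name": name, "id": RG + f"/publicIPAddresses/{name}",
            "sku": {"name": sku}, "ddosSettings": {"protectionMode": mode},
            "ipConfiguration": {"id": attached_to} if attached_to else None}

SAMPLE_PUBLIC_IPS = [
    _pip("pip-web-01", "Standard", "VirtualNetworkInherited",
         RG + "/networkInterfaces/nic-web-01/ipConfigurations/ipconfig1"),
    _pip("pip-app-01", "Standard", "VirtualNetworkInherited",
         RG + "/networkInterfaces/nic-app-01/ipConfigurations/ipconfig1"),
    _pip("pip-vpn-01", "Standard", "Enabled"),        # DDoS IP Protection on the IP
    _pip("pip-lb-01", "Standard", "VirtualNetworkInherited",
         RG + "/loadBalancers/lb-web/frontendIPConfigurations/fe-01"),
    _pip("pip-spare-01", "Standard", "Disabled"),     # unattached, nothing enabled
    _pip("pip-legacy-01", "Basic", "Disabled"),       # Basic SKU cannot be onboarded
]

def load_az_output(path: str) -> List[dict]:
    """Read the JSON array written by `az network ... list -o json > path`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def vnet_of_subnet(subnet_id: str) -> str:
    """Strip '/subnets/<name>' to get the parent VNet ID. ARM resource IDs are
    case-insensitive, so IDs are lowercased before any comparison."""
    return subnet_id.lower().rsplit("/subnets/", 1)[0]

def index_ipconfigs(nics: List[dict]) -> Dict[str, str]:
    """Map each NIC ipConfiguration ID to the VNet ID of its subnet."""
    out: Dict[str, str] = {}
    for nic in nics:
        for cfg in nic.get("ipConfigurations") or []:
            subnet = (cfg.get("subnet") or {}).get("id")
            if subnet:
                out[cfg["id"].lower()] = vnet_of_subnet(subnet)
    return out

def classify_public_ip(pip: dict, ipconfig_to_vnet: Dict[str, str],
                       vnets_by_id: Dict[str, dict]) -> str:
    """Return one of: ip-protection, network-protection, unprotected,
    basic-sku, inherit-unresolved."""
    mode = (pip.get("ddosSettings") or {}).get("protectionMode") or "Disabled"
    if mode == "Enabled":
        return "ip-protection"                 # per-IP tier on the address itself
    if (pip.get("sku") or {}).get("name") != "Standard":
        return "basic-sku"                     # not eligible; upgrade the SKU first
    cfg_id = ((pip.get("ipConfiguration") or {}).get("id") or "").lower()
    if mode != "VirtualNetworkInherited" or not cfg_id:
        return "unprotected"                   # Disabled, or attached to nothing
    vnet_id = ipconfig_to_vnet.get(cfg_id)
    if vnet_id is None:
        return "inherit-unresolved"            # e.g. LB frontend: verify by hand
    vnet = vnets_by_id.get(vnet_id, {})
    has_plan = bool((vnet.get("ddosProtectionPlan") or {}).get("id"))
    if vnet.get("enableDdosProtection") and has_plan:
        return "network-protection"
    return "unprotected"                       # VNet has no enabled plan

def audit(public_ips: List[dict], nics: List[dict],
          vnets: List[dict]) -> Dict[str, str]:
    """Classify every public IP; keys are public IP names."""
    ipconfig_to_vnet = index_ipconfigs(nics)
    vnets_by_id = {v["id"].lower(): v for v in vnets}
    return {p["name"]: classify_public_ip(p, ipconfig_to_vnet, vnets_by_id)
            for p in public_ips}

def needs_attention(report: Dict[str, str]) -> List[str]:
    """Public IPs not confirmed protected by either tier, sorted by name."""
    return sorted(n for n, s in report.items()
                  if s in ("unprotected", "basic-sku", "inherit-unresolved"))

if __name__ == "__main__":
    # Against a real subscription, replace the samples with
    # load_az_output("pips.json"), load_az_output("nics.json"), load_az_output("vnets.json").
    result = audit(SAMPLE_PUBLIC_IPS, SAMPLE_NICS, SAMPLE_VNETS)
    for name, status in result.items():
        print(f"{name:14s} {status}")
    print("needs attention:", ", ".join(needs_attention(result)))
```

The two findings worth noting from the sample run are pip-app-01 and pip-lb-01. The first sits in a VNet that references the plan but has enableDdosProtection false, which is exactly the state left behind by running az network vnet update with --ddos-protection-plan but without --ddos-protection true. The second inherits through a load balancer frontend, which this script deliberately does not resolve; confirm such IPs from the plan's "Protected resources" page rather than assuming coverage.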

Additional resources

Note: This article explains deployment patterns and configuration practices. The screenshots and CLI examples are illustrative. Because DDoS protection plans may incur charges, this lesson does not provision resources in the portal for you—ensure you understand pricing and billing implications before creating DDoS resources in your environment.