Azure Networking

Azure DDoS Protection Explained: Network vs IP Tiers, Mitigation, and Cost Tradeoffs

Every public IP you expose in Azure is already being scanned, probed, and occasionally flooded — by botnets that don’t know or care what your service does. A distributed denial-of-service (DDoS) attack is the bluntest of these: thousands of compromised hosts send more traffic than your front door can absorb, so legitimate users get timeouts and your bill (or your error rate) spikes. The good news is that you are not starting from zero. Azure runs an always-on platform DDoS defence on every public IP, for free — but it protects the fabric, not specifically you, and it doesn’t tell you when it acted. The decision you actually face is whether to layer a paid DDoS Protection tier on top, and if so, which one — and that single choice (Network vs IP) quietly drives both your resilience and a fixed monthly line on the invoice.

This article gives you the mental model first, then the two paid tiers side by side. The confusion to clear up immediately: there is Network Protection (priced per plan, covering up to 100 public IPs across all linked VNets) and IP Protection (priced per protected public IP). They run the same mitigation engine — same tuning, same Layer 3/4 scrubbing, same telemetry — but are billed and scoped completely differently, and picking the wrong one either leaves resources unprotected or burns money on IPs you should have bundled. We will also draw the hard line that trips people up: Azure DDoS Protection is Layer 3/4 only (volumetric and protocol floods). It does not inspect HTTP, so an application-layer (L7) flood — a slow-loris or a request flood against /search — is a job for Azure Web Application Firewall (WAF), a separate product with separate billing.

By the end you’ll explain what the free tier really covers, choose Network vs IP with a decision table, enable either with az and Bicep, read DDoS telemetry to prove an attack was mitigated, and size the cost. This is foundational knowledge that maps directly to the AZ-700 (Networking) and AZ-500 (Security) exams — and to the first awkward question in any incident review: “were we even protected?”

What problem this solves

A DDoS attack doesn’t try to breach you — it tries to exhaust you. The attacker overwhelms a finite resource: bandwidth into your region, the connection table on a load balancer, the SYN backlog on a host, the CPU of whatever terminates connections. When it saturates, legitimate requests are dropped indistinguishably from attack traffic. Dashboards show a flood of timeouts, autoscale may thrash (turning an availability problem into a cost problem), and your on-call engineer stares at “the site is slow” with no culprit because nothing in your code is broken.

Without a deliberate DDoS posture you hit three failure modes. First, you assume the free protection is “good enough” without knowing it guarantees only the Azure infrastructure — no SLA, tuning, alerting, or auditor-ready report. Second, you over-buy: someone enables a plan on every subscription “to be safe,” and charges accrue on dev/test resources that never needed it. Third, you protect the wrong layer — you buy DDoS Protection, get flooded at the application layer anyway, and discover too late that L3/4 scrubbing never looked at the HTTP request that took you down.

Who hits this: anyone with an internet-facing public IP — a VM, a Standard Load Balancer or Application Gateway front end, Azure Firewall, a VPN gateway, an API. It bites hardest on regulated or revenue-critical workloads where “we had no mitigation enabled” is an unacceptable post-incident line. The fix is rarely “throw bandwidth at it” — it’s “enable the right tier on the IPs that matter, alert on it, and keep WAF in the same conversation.”

Learning objectives

By the end of this article you can:

Prerequisites & where this fits

You should be comfortable with Azure networking basics: a virtual network (VNet) is your private IP space; a public IP (Standard SKU here) makes a resource reachable from the internet; and front ends like Standard Load Balancer, Application Gateway, Azure Firewall, and VPN Gateway sit on those public IPs. If those are fuzzy, the Azure Virtual Network: Subnets and NSGs primer and Azure Regions and Availability Zones Explained give you the ground floor. You should also run az in Cloud Shell and read JSON.

This sits in the Networking & Security track, at the edge — the outermost layer traffic crosses before reaching anything you built. It pairs with two neighbours. Below it, Network Security Groups filter by 5-tuple but cannot absorb a volumetric flood — see Azure NSGs: Rules and Priorities Explained. Beside it, WAF on Application Gateway handles the application-layer attacks DDoS Protection ignores — see Application Gateway with WAF and end-to-end TLS and Load Balancer vs Application Gateway for which front end terminates your traffic. Think of DDoS as the moat, NSGs as the gatehouse rules, and WAF as the guard who reads what each visitor carries.

A one-screen map of who defends what, so you stop expecting the wrong tool to save you:

Defence layer OSI layers What it stops What it cannot stop Covered by
Azure DDoS Protection L3 / L4 Volumetric floods, protocol abuse (SYN/UDP/reflection) HTTP request floods, app logic abuse This article
Web Application Firewall L7 HTTP floods, OWASP attacks, bots Pure bandwidth saturation WAF on Front Door / App Gateway
Network Security Group L3 / L4 (filter) Unwanted ports/sources by rule Anything that matches an allow rule at volume NSG rules
Azure Firewall L3–L7 (stateful) Egress/ingress policy, FQDN filtering Volumetric saturation of its own public IP Firewall policy

Core concepts

Five mental models make every later decision obvious.

DDoS protection absorbs volume; it doesn’t inspect content. Azure DDoS sits at the network edge at Layer 3 (IP) and Layer 4 (TCP/UDP). It counts packets, bytes, connections, and flow rates per protected public IP against a learned baseline, and when traffic crosses the tuned threshold diverts that IP through a scrubbing pipeline that drops the attack and forwards the clean remainder. It never parses an HTTP header, URL, or body — that’s WAF’s job. The question it answers is “is the volume or shape of traffic to this IP abnormal?”, never “is this request malicious?”.

Everything is already protected at the fabric level — for free. Microsoft runs DDoS infrastructure protection continuously across the whole Azure platform, at no charge, on every public IP — defending the shared backbone against large attacks. But it is tuned for platform-wide thresholds, not your traffic, and has no SLA, no per-resource alerting, no telemetry, no cost protection. It keeps Azure up; it makes no promise about keeping your single VM up, and never tells you anything happened. Real and valuable, but silent and generic.

A paid tier turns generic protection into tuned, accountable protection. Both paid offerings — Network Protection and IP Protection — add the same things on top of the free fabric: adaptive real-time tuning to your baseline, attack analytics and mitigation reports, metrics and alerting, a mitigation SLA, rapid-response engineering during an active attack (Network tier), and cost protection (credits for scale-out costs during a documented attack). The engine is identical between the two — what differs is scope and billing, which is the entire Network-vs-IP decision.

Network = per-plan-and-VNet; IP = per-public-IP. Network Protection is bought as a DDoS Protection Plan (fixed monthly fee) and attached to a VNet; every protected public IP on that VNet — up to 100 — is covered under the one flat fee. IP Protection is enabled directly on an individual public IP with no plan, billed per protected IP, per month. Network amortises across many IPs; IP is granular pay-as-you-go (cheap for one or two).

Mitigation has three policies, auto-tuned by your traffic. Per protected IP, Azure maintains three mitigation policiesTCP SYN flood, TCP (non-SYN), and UDP — each with a threshold adaptive tuning raises or lowers from the profile it learns over time. When live traffic exceeds a policy threshold, mitigation activates: traffic is scrubbed until rates fall back below it. You don’t set these by hand; you watch the metrics and attack report to see what the engine did.

The vocabulary in one table

Pin down every moving part before the deep sections (the glossary repeats these for lookup):

Term One-line definition Where it lives Why it matters
DDoS infrastructure protection Free, always-on platform defence on all public IPs Azure fabric (no resource) Your baseline; silent, no SLA, no telemetry
DDoS Protection Plan A billable resource for the Network tier Subscription / resource group Flat monthly fee, attached to VNets
Network Protection Per-plan tier covering up to 100 IPs on linked VNets Plan → VNet → its public IPs Cheapest when you protect several IPs
IP Protection Per-IP tier enabled on one public IP The public IP resource itself Granular; pay per protected IP
Adaptive tuning Auto-learns your baseline, sets thresholds Per protected IP Why mitigation fits your traffic
Mitigation policy SYN / TCP / UDP threshold set Per protected IP The three triggers that start scrubbing
Scrubbing Diverting attack traffic, dropping it, forwarding clean Edge mitigation pipeline How the attack is actually absorbed
Volumetric attack Saturate bandwidth (UDP/amplification floods) L3/L4 The classic flood DDoS stops
Protocol attack Abuse L3/L4 state (SYN flood, fragments) L3/L4 Exhausts connection tables; DDoS stops it
Resource/L7 attack App-layer flood (HTTP GET/POST flood) L7 WAF’s job, not DDoS Protection’s
Cost protection Service credit for scale-out during a documented attack Billing benefit Keeps an attack from inflating your bill
Rapid Response (DRR) Engineering help during an active attack Support benefit (Network tier) Humans on the bridge during a big event

The free tier vs the paid tiers — what you actually get

The most common misconception is “Azure already protects me, so I don’t need to buy anything.” That’s partly true and dangerously incomplete. The things that matter in an incident — telemetry, alerting, a report you can show, an SLA, cost protection — are only available once you pay for a tier:

Capability Infrastructure (free) IP / Network Protection (paid)
Always-on L3/L4 protection Yes Yes
Protects the Azure platform fabric Yes Yes
Adaptive tuning to your traffic baseline No Yes
Attack analytics & mitigation reports No Yes
Metrics (under DDoS attack, packets, dropped) No Yes
Alerting on mitigation start/stop No Yes
Mitigation SLA No Yes
Cost protection (scale-out credits) No Yes
DDoS Rapid Response (DRR) engineers No Network tier only
WAF discount No Network tier only
Monthly charge None Plan fee or per-IP fee

The blunt reading: the free tier keeps Azure standing; the paid tier gives you a tuned defence you can see, prove, and be paged about. If your service tolerates “we were probably fine, we can’t tell,” the free tier is acceptable. If anyone will ever ask “prove the attack was mitigated” or “did it inflate our bill,” you need a paid tier — and teams usually discover each gap (no telemetry, no alert, no baseline tuning, no cost credit) mid-incident, at the worst possible time.

Network Protection vs IP Protection — the real decision

Both tiers run the identical mitigation engine — same scrubbing, tuning, telemetry, SLA, and cost protection. The differences are scope, packaging, and two Network-only extras (Rapid Response and the WAF discount):

Dimension Network Protection IP Protection
Billing model Flat monthly fee per plan Per protected public IP, per month
What you protect Public IPs on VNets linked to the plan One specific public IP at a time
IPs included Up to 100 IP resources under the flat fee The IPs you individually enable (each billed)
Plan resource needed? Yes — a DDoS Protection Plan No — set a flag on the public IP
Adaptive tuning Yes Yes
Metrics & attack reports Yes Yes
Mitigation SLA Yes Yes
Cost protection Yes Yes
DDoS Rapid Response (DRR) Yes No
WAF (Front Door/App GW) discount Yes No
Best for Several public IPs, hub-spoke, enterprise scale One or two IPs, small/single workloads
Cross-subscription reuse One plan can cover VNets across subscriptions in a tenant Per-IP, no sharing

The mental shortcut: Network Protection is a bulk subscription — one flat fee, up to 100 IPs, so the per-IP cost collapses as you add resources, plus Rapid Response and the WAF discount. IP Protection is a-la-carte — ideal for one internet-facing IP where a flat plan fee is overkill, but it grows expensive with the count and omits the two extras.

The break-even, in plain terms

On cost alone the crossover is the plan’s flat fee divided by the per-IP fee — a fairly high IP count at list prices. But once you weigh the Network-only extras (DRR, the WAF discount, landing-zone consistency), most teams switch much earlier, around the mid-teens of protected IPs. The decision table turns that into a rule you can apply without a spreadsheet:

If you have… And you want… Choose Why
1–2 public IPs to protect Lowest cost, simplicity IP Protection No flat plan fee; pay only for what you protect
A handful of IPs, no DRR need Granular billing IP Protection Still under the plan break-even
Many IPs (≈15+) Lowest cost at scale Network Protection Flat fee amortises; per-IP cost drops
Hub-spoke / enterprise landing zone Central, consistent protection Network Protection One plan, many VNets, up to 100 IPs
WAF on Front Door / App Gateway already The bundled WAF discount Network Protection The discount only comes with the plan
An active-attack support relationship Humans during an incident Network Protection DDoS Rapid Response is Network-only
Just dev/test public endpoints Probably nothing paid Free tier Don’t pay to protect throwaway resources

How mitigation actually works — adaptive tuning and the three policies

Once a public IP is protected (either tier), Azure profiles its traffic: adaptive tuning observes the normal rate of packets and connections and sets per-policy thresholds accordingly. This is why protection fits your service — a quiet internal API and a busy storefront get different trigger points automatically.

There are exactly three mitigation policies per protected IP; knowing them tells you what kind of attack triggered a mitigation when you read the report:

Policy Triggers on Example attack it catches Tuned by
TCP SYN flood Half-open SYNs exceeding the learned rate SYN flood exhausting the connection table Adaptive tuning
TCP (non-SYN) Established/other TCP exceeding baseline TCP connection / state-exhaustion floods Adaptive tuning
UDP UDP packet rate exceeding baseline UDP / amplification / reflection floods Adaptive tuning

When traffic crosses a policy threshold, mitigation activates: the IP’s traffic is scrubbed (malicious portion dropped, clean remainder forwarded) and IfUnderDDoSAttack flips to 1, returning to 0 once rates fall back. You never start or stop this by hand — your job is to watch it, be alerted, then read the attack mitigation report for the vectors, peak rates, and what was dropped.

The attack vectors Azure DDoS mitigates (and the one it doesn’t)

The first two rows are squarely DDoS Protection’s territory; the third is not — it belongs to WAF.

Attack category OSI layer Mechanism Handled by Azure DDoS?
Volumetric (UDP flood, amplification, reflection) L3/L4 Saturate bandwidth/packets-per-second Yes — scrubbed
Protocol (SYN flood, fragmented packets, Ping of Death) L3/L4 Exhaust connection state / stack resources Yes — scrubbed
Resource / application (HTTP GET/POST flood, slow-loris, cache-busting query floods) L7 Exhaust app/server compute with valid-looking requests No — use WAF

This boundary is the most important takeaway after the Network-vs-IP choice. A request flood against /api/search?q=... with thousands of distinct queries is valid HTTP traffic at the network layer — DDoS sees normal-looking packets and lets them through, because dropping them would drop legitimate requests. Only a tool that reads the HTTP layer (WAF, with rate-limiting and bot rules) tells that flood apart. Run them together: DDoS for the volume, WAF for the requests.

Architecture at a glance

Trace a request from the internet to your app and you see exactly where DDoS Protection bites and where it hands off. Traffic from real users and the botnet arrives at the Azure network edge, addressed to your public IP — the unit of protection, whether via IP Protection or a Network plan on its VNet. Under normal load the scrubbing pipeline is transparent: packets pass straight through to your front end (a Standard Load Balancer, Application Gateway, or Azure Firewall) and on to the backend pool inside the VNet. The moment traffic crosses a tuned threshold, mitigation activates — attack packets dropped at the edge, IfUnderDDoSAttack flips to 1, and Azure Monitor records the metrics and report that fire your alert.

The numbered badges mark the four points that matter: the public IP as the protection boundary (1), the L3/L4 scrubbing line where volumetric and protocol floods die (2), the L7 gap where WAF must cover the HTTP request floods that sail past the scrubber (3), and the telemetry path to Azure Monitor that turns “we think we were attacked” into a report and an alert (4). Follow the blue path left-to-right for the clean request; the red badges are where each attack class is caught — or slips past DDoS into WAF’s lap.

Left-to-right Azure architecture showing internet users and a botnet sending traffic to an Azure public IP at the network edge, through the DDoS scrubbing pipeline with TCP SYN, TCP, and UDP mitigation policies, into a virtual network where a Standard Load Balancer or Application Gateway with WAF fronts the backend, with Azure Monitor capturing under-attack metrics and mitigation reports; numbered badges mark the public IP protection boundary, the L3/L4 scrubbing line, the L7 WAF gap, and the telemetry-to-Monitor path

Real-world scenario

Meridian Retail runs a mid-sized e-commerce platform in Azure South India: a storefront on Application Gateway v2 + WAF, a customer API behind a Standard Load Balancer, an Azure Firewall for egress, and a VPN Gateway for the warehouse VPN — four public IPs in a hub-spoke topology, one subscription. For two years they relied on the free infrastructure protection. It was invisible and, as far as anyone could tell, fine.

During a regional festival sale the storefront began timing out at 21:40. Autoscale on the App Gateway backend ramped from 3 to 12 instances in twenty minutes; the on-call engineer assumed organic load. By 22:30 the site was intermittently unreachable and NAT Gateway egress was saturating. With no DDoS metric to consult — the free tier exposes none — the team debated “real traffic or attack?” for nearly an hour with no data to settle it. They eventually correlated source IPs in VNet flow logs and saw thousands of distinct hosts hitting the API’s public IP with a UDP reflection flood, plus an HTTP GET flood against the storefront’s /search. Two attacks, two layers.

The post-incident review was uncomfortable. The volumetric UDP flood is exactly what DDoS Protection mitigates automatically — but with only the free tier there was no tuning to Meridian’s baseline, no alert, and no report; the fabric stayed up but Meridian’s API absorbed the hit. The HTTP flood was an L7 attack DDoS Protection would never have stopped anyway — it needed WAF rate-limiting, which they had on the storefront but had left in Detection mode, logging the flood without blocking it.

The remediation was modest. Below the cost-only break-even with four IPs, they nonetheless valued Rapid Response and the WAF discount and expected to add IPs, so they provisioned one DDoS Network Protection plan and linked the hub VNet, covering all four IPs under the flat fee. They flipped the storefront WAF policy to Prevention and enabled its rate-limit rule, then wired a metric alert on IfUnderDDoSAttack to the on-call action group. Six weeks later a smaller UDP flood hit the same API IP; this time the alert paged within a minute, the metric and report confirmed it in seconds, scrubbing dropped the flood, and cost protection credited the autoscale overage. Total recurring cost: one flat plan fee — and “were we protected, and can you prove it?” finally had a one-word answer.

Advantages and disadvantages

Like every edge-security control, DDoS Protection is a clear win in some situations and pure overhead in others. The honest two-column view, then when each side matters:

Advantages Disadvantages
Automatic L3/L4 mitigation tuned to your baseline L3/L4 only — does nothing for application-layer (L7) floods
Telemetry, metrics, and attack reports you can prove Fixed recurring cost (plan fee or per-IP), even with zero attacks
Mitigation SLA + cost protection (scale-out credits) Cost protection is a credit after the fact, not prevention
No app changes — it’s an edge/network capability Tuning takes time to learn your baseline after enablement
Network tier: one plan covers up to 100 IPs + DRR + WAF discount IP tier gets expensive once you protect many IPs
Standardises protection across a landing zone (Network tier) Only protects Standard SKU public IPs / supported resources

Advantages dominate for any internet-facing, revenue- or reputation-critical workload where downtime is costly and “prove we mitigated it” matters. Disadvantages dominate for dev/test endpoints, internal-only services with no public IP, or a single tiny endpoint where the per-IP fee outweighs the risk — there, the free tier is right. The recurring trap: buying DDoS while ignoring WAF leaves you exposed at L7. They’re complements, not substitutes.

Hands-on lab

This lab provisions a DDoS Network Protection plan, links a VNet, and enables IP Protection on a standalone public IP — so you see both billing models. A plan and protected IPs bill from creation, so do this only if you accept a brief charge and delete promptly (step 9).

1. Set variables and create a resource group.

RG=rg-ddos-lab
LOC=southindia
az group create --name $RG --location $LOC

2. Create a DDoS Protection Plan (the Network-tier resource).

az network ddos-protection create \
  --resource-group $RG --name ddos-plan-lab --location $LOC
# Note: this resource starts billing the flat monthly plan fee immediately.
PLAN_ID=$(az network ddos-protection show -g $RG -n ddos-plan-lab --query id -o tsv)

3. Create a VNet linked to the plan (Network Protection covers its public IPs).

az network vnet create \
  --resource-group $RG --name vnet-ddos-lab \
  --address-prefixes 10.50.0.0/16 \
  --subnet-name snet-app --subnet-prefixes 10.50.1.0/24 \
  --ddos-protection-plan $PLAN_ID --ddos-protection true

4. Verify the VNet shows DDoS Protection enabled.

az network vnet show -g $RG -n vnet-ddos-lab \
  --query "{ddosEnabled:enableDdosProtection, plan:ddosProtectionPlan.id}" -o jsonc
# enableDdosProtection should be true and the plan id should match.

5. Enable IP Protection on a standalone public IP. The per-IP tier — no plan, just a flag (--ddos-protection-mode Enabled) on a single Standard public IP:

az network public-ip create \
  --resource-group $RG --name pip-ipprotect-lab \
  --sku Standard --allocation-method Static \
  --ddos-protection-mode Enabled
# This IP is now billed per-IP under DDoS IP Protection (no plan resource).

6. Confirm the public IP’s DDoS mode.

az network public-ip show -g $RG -n pip-ipprotect-lab \
  --query "{name:name, sku:sku.name, ddosMode:ddosSettings.protectionMode}" -o jsonc
# ddosMode should read "Enabled".

7. Read the DDoS metric (no attack expected — value 0). This is the metric that flips to 1 during a real mitigation:

PIP_ID=$(az network public-ip show -g $RG -n pip-ipprotect-lab --query id -o tsv)
az monitor metrics list --resource "$PIP_ID" \
  --metric "IfUnderDDoSAttack" --interval PT1M --aggregation Maximum -o table
# 0 = not under attack; flips to 1 during a real mitigation.

8. (Bicep alternative) The same plan + linked VNet as infrastructure-as-code.

param location string = resourceGroup().location

resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-11-01' = {
  name: 'ddos-plan-lab'
  location: location
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-ddos-lab'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.50.0.0/16' ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'snet-app', properties: { addressPrefix: '10.50.1.0/24' } }
    ]
  }
}

// IP Protection on a standalone public IP — note ddosSettings, no plan reference
resource pip 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
  name: 'pip-ipprotect-lab'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
    ddosSettings: { protectionMode: 'Enabled' }
  }
}

9. Tear down — do this promptly to stop billing.

az group delete --name $RG --yes --no-wait
# Deletes the plan, VNet, and protected public IP, stopping all DDoS charges.

Expected outcome: both tiers created and confirmed (the VNet flag for Network, the per-IP protectionMode for IP Protection), and you’ve queried the metric that flips during a real attack — without simulating one (never DDoS your own production; Azure has rules about penetration testing).

Common mistakes & troubleshooting

These are the failure modes that actually cost teams an incident or a surprise bill. Symptom → root cause → how to confirm → fix.

# Symptom Root cause Confirm with Fix
1 “We bought DDoS Protection but got flooded anyway” It was an L7 (HTTP) flood — DDoS is L3/L4 only WAF/App GW logs show request flood; DDoS metric stayed 0 Add/enable WAF rate-limiting in Prevention mode
2 Plan created but a public IP isn’t actually protected The IP’s VNet isn’t linked to the plan az network vnet show --query enableDdosProtection is false Link the VNet (--ddos-protection-plan + --ddos-protection true)
3 Surprise monthly charge on a dev subscription A plan or per-IP protection was left enabled List plans / check IP ddosSettings.protectionMode Delete the plan / set IP mode to Disabled
4 “Basic” public IP won’t take protection DDoS protects Standard SKU public IPs / supported resources az network public-ip show --query sku.name shows Basic Recreate the IP as Standard SKU
5 No alert fired during a real attack No metric alert was wired (free tier has none anyway) No alert rule on IfUnderDDoSAttack exists Create a metric alert on a paid tier
6 Mitigation reports / metrics are empty You’re on the free infrastructure tier (no telemetry) Public IP / VNet shows no DDoS plan or IP mode Enable a paid tier to unlock telemetry
7 Attack ended but bill spiked from autoscale Forgot that cost protection is a post-hoc credit Compare autoscale cost vs the attack window Open a support case citing the documented attack
8 IP Protection bill keeps climbing Per-IP fee × many IPs has passed the plan break-even Count protected IPs; compare to plan flat fee Switch to Network Protection (one plan, up to 100 IPs)
9 Plan can’t be deleted A VNet is still linked to it az network ddos-protection show lists associated VNets Unlink VNets first, then delete the plan
10 Tuning seems to miss a small attack early on Adaptive tuning hadn’t learned the baseline yet Attack timing is soon after enablement Allow the profiling window; baseline tightens over time

To find every DDoS plan in a subscription (catching stray costs on dev/test):

az network ddos-protection list --query "[].{name:name, rg:resourceGroup, vnets:length(virtualNetworks)}" -o table

Best practices

Security notes

DDoS Protection is itself a security control, but a few isolation points matter around it. Reduce your attack surface first: fewer public IPs is the cheapest posture — prefer private endpoints for PaaS access (no public IP at all) where you can, per Private Endpoint vs Service Endpoint. Keep NSGs tight on the protected resource: DDoS scrubs floods, but NSGs still enforce which ports and sources are even allowed, shrinking what an attacker can target. Use RBAC on the plan and public IPs: creating or deleting a DDoS plan is billing-impacting — scope Network Contributor carefully so nobody can silently disable protection or spin up costly plans. Treat the mitigation report as security telemetry: route DDoS metrics and attack reports into Azure Monitor / Log Analytics and your SIEM. Finally, the shared-responsibility line: Microsoft mitigates the network flood; you still own application resilience — graceful degradation, sane timeouts, and an L7 WAF policy are yours to design.

Cost & sizing

DDoS pricing has two shapes, which is the whole reason the Network-vs-IP choice exists. Network Protection is a flat monthly fee per plan (order of ~₹250,000 / ~US$2,944/mo at list) covering up to 100 public IPs; beyond 100 there’s a small per-IP overage. IP Protection has no plan fee — a per-protected-IP monthly fee (order of ~₹1,700 / ~US$20 per IP/mo at list). The free infrastructure tier costs nothing. Approximate figures (confirm against the live Azure Pricing Calculator — list, pre-discount, region-dependent):

Tier Unit Approx. monthly (USD) Approx. monthly (INR) Includes
Infrastructure (free) n/a $0 ₹0 Always-on L3/L4 fabric protection only
IP Protection Per protected public IP ~$20 / IP ~₹1,700 / IP Tuning, telemetry, SLA, cost protection
Network Protection Per plan (≤100 IPs) ~$2,944 / plan ~₹250,000 / plan All of IP + DRR + WAF discount, ≤100 IPs
Network overage Per IP beyond 100 small per-IP small per-IP Same protection past the bundled 100

Sizing is mostly counting IPs. On cost alone, Network wins only when the per-IP fees you’d otherwise pay exceed the flat plan fee — a high IP count at these list numbers. In practice most teams adopt Network far earlier (mid-teens of IPs) because the plan also buys DRR, the WAF discount, and consistent landing-zone coverage, which the pure division ignores. So: 1–2 IPs → IP Protection; mid-teens or more, or any hub-spoke estate → Network Protection (up to 100 IPs included, small per-IP overage past 100).

Two cost notes people miss. Cost protection is a credit, not a cap — it reimburses scale-out costs from a documented attack but doesn’t stop the spend in the moment, so keep autoscale maximums sane. And WAF is billed separately — the Network-tier “WAF discount” reduces, but doesn’t eliminate, the cost of running WAF. Budget DDoS and WAF as two line items; set a budget alert per Cost Management Budgets and Alerts in the first 30 days.

Interview & exam questions

1. What does Azure’s free DDoS infrastructure protection actually protect, and what does it lack? It provides always-on L3/L4 protection for the Azure platform fabric on every public IP. It lacks adaptive tuning to your traffic, telemetry/metrics, alerting, a mitigation SLA, cost protection, and attack reports — all of which require a paid tier. (AZ-700/AZ-500)

2. Differentiate DDoS Network Protection from IP Protection. Both run the identical mitigation engine. Network Protection is a flat-fee plan attached to VNets, covering up to 100 public IPs, and adds DDoS Rapid Response and a WAF discount. IP Protection is enabled per public IP and billed per IP, with no plan and without the two Network-only extras. (AZ-700)

3. A customer is hit by an HTTP GET flood and asks why DDoS Protection didn’t stop it. What do you say? DDoS Protection operates at L3/L4 (volumetric and protocol attacks); an HTTP flood is L7 traffic of valid-looking requests. That needs WAF rate-limiting/bot rules on Front Door or Application Gateway, not DDoS Protection. (AZ-500)

4. Which public IP SKU is supported for DDoS Protection, and why does it matter? Standard SKU public IPs (and supported resources on them). Basic SKU is not a protection target and is being retired, so internet-facing resources should use Standard. (AZ-700)

5. How does mitigation get triggered if you never set thresholds? Adaptive real-time tuning learns each protected IP’s traffic baseline and sets thresholds on three policies — TCP SYN, TCP (non-SYN), and UDP. When live traffic exceeds a policy threshold, mitigation activates and scrubs that IP’s traffic. (AZ-700)

6. What is “cost protection” and its limit? A paid-tier billing benefit that credits scale-out (resource) costs from a documented attack on a protected resource. It is a post-hoc credit, not a spending cap — it doesn’t prevent the cost in real time. (AZ-500)

7. How would you prove, after an incident, that an attack was mitigated? On a paid tier, show the IfUnderDDoSAttack metric flipping to 1 during the window, the inbound vs dropped-traffic metrics, and the attack mitigation report detailing vectors and peak rates. The free tier produces none of this. (AZ-700)

8. When does Network Protection become cheaper than IP Protection? On cost alone, at the break-even of plan-fee ÷ per-IP-fee. In practice most teams switch around the mid-teens of protected IPs once the Network-only extras (DRR, WAF discount, landing-zone coverage) are weighed — and immediately if you specifically need DRR or the WAF discount. (AZ-700)

9. Can one DDoS Protection plan cover multiple subscriptions? Yes — a single plan can protect VNets across subscriptions within the same tenant, which is why it suits hub-spoke landing zones. IP Protection has no such sharing; it’s per-IP. (AZ-700)

10. Where do NSGs and Azure Firewall fit relative to DDoS Protection? They filter/allow by rule at L3/L4 (Firewall also L7) but can’t absorb a volumetric flood — anything matching an allow rule still arrives at volume. DDoS absorbs the flood; the others enforce policy on what’s allowed. (AZ-500)

11. What’s the first thing to wire up after enabling a paid tier, and why? A metric alert on IfUnderDDoSAttack routed to your on-call action group — so you’re paged when mitigation starts rather than learning from users or finding it in a report after the fact. (AZ-700)

12. A single small public-facing API needs DDoS protection on a tight budget. Which tier? IP Protection — one per-IP fee, no flat plan cost, full tuning/telemetry/SLA. Move to Network Protection only as the IP count rises past the break-even or you need DRR/WAF discount. (AZ-700)

Quick check

  1. True or false: the free Azure DDoS infrastructure tier sends you an alert when it mitigates an attack on your VM.
  2. You have two internet-facing public IPs and a tight budget. Network Protection or IP Protection?
  3. An attacker floods your storefront with millions of HTTP GET requests to /search. Which Azure product stops it — DDoS Protection or WAF?
  4. How many public IP resources does a single DDoS Network Protection plan cover under its flat fee?
  5. Name the three mitigation policies that adaptive tuning maintains per protected IP.

Answers

  1. False. The free infrastructure tier has no telemetry and no alerting — it protects the platform fabric silently. You only get alerts on a paid tier with a metric alert wired up.
  2. IP Protection. With only two IPs you’re well below the plan break-even, so pay per-IP and skip the flat plan fee.
  3. WAF. An HTTP GET flood is a Layer-7 application attack; DDoS Protection is L3/L4 and won’t see it. WAF rate-limiting (in Prevention mode) is the answer.
  4. Up to 100 public IP resources, across all VNets linked to the plan; beyond 100 there’s a small per-IP overage.
  5. TCP SYN flood, TCP (non-SYN), and UDP.

Glossary

Next steps

AzureDDoS ProtectionNetworkingSecurityVirtual NetworkPublic IPCost OptimizationResilience
Need this built for real?

Vinod is a Senior Cloud Architect (22+ yrs) — available for Azure / AWS / GCP architecture, landing zones, and migrations.

Work with me

Comments

Keep Reading