Azure DDoS Protection protects Azure resources from Distributed Denial of Service (DDoS) attacks. It is the last line of defense for production internet-facing systems, and Cost Protection dramatically reduces the risk of runaway cloud spend. This article walks through the three tiers, Always On Detection, WAF combinations, and operational best practices end to end.
| Item | Infrastructure Protection | IP Protection | Network Protection |
|---|---|---|---|
| Scope | Every Azure resource | Per Public IP | Per VNet |
| Attack coverage | Volumetric only | L3/L4 + L7 (with WAF integration) | L3/L4 + L7 (with WAF integration) |
| Tunability | Not tunable | Tunable | Tunable + Adaptive Tuning |
| Microsoft DRR | No | No | Yes |
| Cost Protection | No | No | Yes |
| Pricing | Free | USD 199 / Public IP | USD 2,944 / month + data transfer |
| Use case | Standard Azure usage | Small scale, few IPs | Large scale, production internet-facing |
| Type | Layer | Examples | Mitigation |
|---|---|---|---|
| Volumetric Attacks | L3/L4 | UDP Flood, DNS Amplification, NTP Reflection | DDoS Protection |
| Protocol Attacks | L4 | SYN Flood, ACK Flood, Fragment Attack | DDoS Protection |
| Application Layer Attacks | L7 | HTTP Flood, Slowloris, DNS Query Flood | WAF (Application Gateway / Front Door Premium) |
Azure DDoS Network Protection fully covers L3/L4; in production architectures, L7 is handled by combining it with Azure WAF.
Azure DDoS Protection detects and mitigates attacks automatically with Always On Detection (24/7 traffic monitoring) and Adaptive Tuning (ML-based learning of normal traffic patterns).
Mitigation begins within minutes, and Cost Protection covers the Azure auto-scale-out charges incurred during the attack.
Rule of thumb: in a single VNet, under 15 Public IPs → DDoS IP Protection; 15 or more → DDoS Network Protection (199 USD × 15 IP = USD 2,985 > USD 2,944, so Network Protection wins).
For enterprises and production internet-facing systems, DDoS Network Protection is the default choice.
DDoS Protection handles L3/L4 attacks; L7 (Application Layer) attacks require a WAF.
Front Door Premium effectively absorbs large-scale DDoS at the edge, so Volumetric Attacks are dropped before they reach the Azure VNet. For production internet-facing systems, the modern standard pattern is the three-layer stack of Front Door Premium + Application Gateway WAF v2 + DDoS Network Protection.
Forwarding the data to Microsoft Sentinel enables KQL analytics and Logic App Playbook automation (for example, during an attack: notify Slack, escalate to the CISO, email stakeholders).
What is Azure DDoS Protection?
Azure DDoS Protection is a service that protects Azure resources from Distributed Denial of Service (DDoS) attacks. It comes in three tiers: 1) DDoS Network Protection (formerly DDoS Protection Standard): per-VNet protection, USD 2,944/month + data transfer, protects up to 100 Public IPs, covers Volumetric / Protocol / Application Layer attacks, with Adaptive Tuning (ML-based), Rapid Response Team support, and Cost Protection (refunds scale-out charges incurred during attacks). 2) DDoS IP Protection (GA in 2022): per-Public-IP protection, USD 199/month per IP, designed for smaller workloads. 3) DDoS Infrastructure Protection: baseline protection applied free of charge to every Azure resource (Volumetric attacks only, not tunable). For production internet-facing systems, DDoS Network Protection is the standard choice, and Cost Protection dramatically reduces the risk of runaway cloud spend.
What are the three types of DDoS attacks?
DDoS attacks fall into three categories based on the OSI layer. 1) Volumetric Attacks (L3/L4): UDP Flood, DNS Amplification, NTP Reflection and other attacks that saturate network bandwidth, with peaks now exceeding 1 Tbps. Azure DDoS Protection detects and mitigates them automatically with Always On Detection. 2) Protocol Attacks (L4): SYN Flood, ACK Flood, Fragment Attack and similar techniques that exhaust the network stack. 3) Application Layer Attacks (L7): HTTP Flood, Slowloris, DNS Query Flood and others that exhaust the application's processing resources (WAF integration via Application Gateway / Front Door). Azure DDoS Network Protection fully covers categories 1 and 2, while 3 is handled in production architectures by combining it with Azure WAF (Application Gateway / Front Door Premium).
How do Always On Detection and Mitigation work?
Azure DDoS Protection detects and mitigates attacks automatically through Always On Detection (24/7 traffic monitoring) and Adaptive Tuning (ML-based learning of normal traffic patterns). The flow is: 1) continuously learn each Public IP's traffic pattern (typical request rate, bandwidth, geographic distribution), 2) detect anomalies with AI (traffic spikes, sudden surges from new IPs), 3) Microsoft's Global DDoS Mitigation Network drops attack traffic at the edge, 4) only legitimate traffic reaches your Azure VNet, 5) a Mitigation Report is generated (attack details, duration, traffic volume), 6) the Microsoft DDoS Rapid Response Team (DRR) provides custom assistance during large-scale attacks. Mitigation kicks in within minutes, and Cost Protection guarantees a refund of the auto-scale charges incurred during the attack. It is the last line of defense for production web services.
When should I choose DDoS Network Protection vs DDoS IP Protection?
DDoS Network Protection: protects at the VNet level, covering every Public IP in the VNet (up to 100) for a flat USD 2,944/month + data transfer. The per-IP cost drops sharply in larger environments (web app fleets, multi-microservice deployments). DDoS IP Protection: protects per Public IP at USD 199/month, designed for smaller startups and environments with only a handful of Public IPs. Rule of thumb: under 15 Public IPs in one VNet → DDoS IP Protection; 15 or more → DDoS Network Protection (199 USD × 15 IP = USD 2,985 > USD 2,944, so Network Protection wins). Extra benefits of Network Protection: Microsoft DDoS Rapid Response Team support (24/7 specialist engineers) and Cost Protection (refunds for auto-scale charges during attacks). For enterprises and production internet-facing systems, DDoS Network Protection is the default choice.
How does it combine with Application Gateway / Front Door WAF?
DDoS Protection handles L3/L4 attacks; L7 (Application Layer) attacks require a WAF (Web Application Firewall). Standard architecture: 1) Front Door Premium (Anycast + WAF Premium at the edge, absorbing attacks across 300+ Microsoft Edge locations), 2) Application Gateway WAF v2 (in-region L7 control as the Front Door backend), 3) DDoS Network Protection (L3/L4 protection across the VNet), 4) Azure Firewall (FQDN filtering and outbound governance). Front Door Premium effectively soaks up large-scale DDoS at the edge, so Volumetric Attacks are dropped before they ever reach the Azure VNet. The modern standard pattern for production internet-facing systems is a three-layer stack of Front Door Premium + Application Gateway WAF v2 + DDoS Network Protection, covering every attack from L3 through L7.
What about DDoS Attack Analytics and Metrics?
DDoS Protection exposes detailed metrics through Azure Monitor. Key metrics: 1) Under DDoS Attack (a flag indicating an active attack), 2) Packets In DDoS (packets/sec mitigated), 3) Bytes In DDoS (bandwidth mitigated), 4) TCP/UDP/Other Packets (drops by protocol), 5) Inbound TCP/UDP/Other Bytes Dropped. Post-attack DDoS Mitigation Reports include: 1) Attack Vector (protocol and attack technique), 2) Top Source Country, 3) Top Source ASN (source ISP), 4) Top Destination IP (target), 5) Total Packets/Bytes Dropped. Forwarding the data to Microsoft Sentinel enables KQL analytics and Logic App Playbook automation (e.g., during an attack, post to Slack, escalate to the CISO, email stakeholders). Monthly DDoS Reports reviews are the standard pattern for production operations.
What are the cost optimization strategies?
DDoS Protection cost components: 1) DDoS Network Protection flat USD 2,944/month, 2) DDoS IP Protection USD 199 per Public IP, 3) Mitigation data transfer (attack traffic volume, normally zero), 4) Microsoft DRR support (included with DDoS Network Protection). Cost reduction tactics: 1) pick DDoS IP Protection when you have fewer than 15 Public IPs, 2) delete unused Public IPs (199 USD/month each), 3) lean on Front Door Premium to absorb attacks at the edge (no cost since the traffic never reaches the Azure VNet), 4) use Cost Protection to recover auto-scale charges during attacks (DDoS Network Protection only), 5) consolidate Public IPs into a single VNet (one DDoS Network Protection covers everything instead of spreading across multiple VNets). This is critical for cost optimization of production internet-facing systems, and because Microsoft DRR support brings significant value, DDoS Network Protection is also the economically rational choice at enterprise scale.
Which related certifications cover this?
AZ-700 (Network Engineer Associate) is the main exam where DDoS Protection is tested in depth as a core topic. AZ-305 (Solutions Architect Expert) covers DDoS mitigation design from an architect's perspective; SC-100 (Cybersecurity Architect Expert) covers network defense within a Zero Trust strategy; SC-500 (the rebranded AZ-500, GA in September 2026) covers Azure security implementation; SC-200 (Security Operations Analyst) covers DDoS event operations from a SOC perspective. Understanding DDoS Protection is an essential skill for Azure network engineers and security architects, and it is a core incident-prevention capability for production internet-facing systems.
Related Articles and Technical Deep Dives
Azure Application Gateway vs Front Door 完全比較|L7 ロードバランサーの選定ガイド【2026 年版】
Azure の L7 ロードバランサー Application Gateway と Front Door を完全比較。リージョン vs グローバル・WAF 機能・SKU 選定 (Standard / Premium)・コスト・適用シーンを表形式で整理。両方組み合わせる多層構成、Traffic Manager / Azure CDN との関係、関連認定試験 (AZ-700 / AZ-305) を日本語で網羅。
AZ-700 完全ガイド|Microsoft Azure Network Engineer Associate 出題範囲・学習リソース・合格戦略
Microsoft Certified: Azure Network Engineer Associate (AZ-700) の完全ガイド。5 ドメインの出題範囲、VNet / VPN Gateway / ExpressRoute / Azure Firewall / Application Gateway / Front Door / Private Link を網羅。必須実機演習、3-4 ヶ月の合格ロードマップ、AZ-305 や SC-500 へのキャリアパスを日本語で網羅。
Azure Key Vault 完全ガイド|Secret/Key/Certificate 管理・Managed Identity 統合・セキュリティベストプラクティス【2026 年版】
Azure Key Vault の完全ガイド。Standard vs Premium vs Managed HSM ティア選定、Secret / Key / Certificate の使い分け、RBAC ベースアクセス制御、Managed Identity 統合 (シークレットレスアプリ)、Soft Delete / Purge Protection、Private Endpoint、Microsoft Defender for Key Vault、関連認定試験 (AZ-204 / SC-300 / SC-100) を日本語で網羅。
Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】
Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Technical information in this article is based on the Azure DDoS Protection Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship with Microsoft. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on public materials as of May 24, 2026. Always check the official pages for the latest details.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...