Last updated: May 2026

Azure DDoS Protection

A Distributed Denial of Service (DDoS) attack floods your resources with so much traffic that legitimate users can't get through. Azure DDoS Protection defends your Azure resources against these attacks — automatically detecting and mitigating attack traffic while allowing legitimate traffic through. It leverages Microsoft's massive global network scale to absorb attack traffic.

What you'll learn: DDoS attack types · Azure DDoS Protection tiers (Infrastructure, IP, Network) · How mitigation works · Adaptive tuning · DDoS telemetry and alerts · SLA credit guarantee · DDoS Rapid Response team · Cost · Best practices

DDoS Attack Types

| Type | Description | Example |
|---|---|---|
| Volumetric | Flood bandwidth with massive traffic | UDP flood, ICMP flood — measured in Gbps |
| Protocol | Exhaust network equipment (firewalls, load balancers) | SYN flood, fragmented packet attacks |
| Resource layer (L7) | Exhaust application resources | HTTP flood — appears as legitimate traffic |

Protection Tiers

DDoS Infrastructure Protection (Free)

Automatically applied to all Azure services. Provides basic protection against common attacks that affect the Azure platform itself. No SLA, no telemetry, no adaptive tuning. Sufficient for most standard workloads that are not themselves the specific target of an attack.

DDoS IP Protection

Pay-per-protected-IP model — enable on individual public IP resources. Includes adaptive tuning, telemetry, alerts, and post-attack reports. Cheaper than Network Protection for workloads with few public IPs. No DDoS Rapid Response support.

DDoS Network Protection

The most comprehensive tier — enabled at VNet level, protects all public IP resources in the VNet. Includes everything in IP Protection plus DDoS Rapid Response (access to Microsoft DDoS experts during an attack) and SLA credit guarantee.

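| Feature | Infrastructure | IP Protection | Network Protection |
|---|---|---|---|
| Cost | Free | Per-IP charge | ~₹180,000+/month per plan |
| Adaptive tuning | No | Yes | Yes |
| Attack telemetry | No | Yes | Yes |
| Alerts | No | Yes | Yes |
| Post-attack report | No | Yes | Yes |
| DDoS Rapid Response | No | No | Yes |
| SLA credit guarantee | No | No | Yes |
| Cost protection | No | No | Yes |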

How Mitigation Works

When an attack is detected against your resources:

  1. Azure's network monitors traffic patterns continuously
  2. When anomalous traffic is detected (traffic exceeding learned baselines), mitigation begins automatically
  3. Attack traffic is scrubbed — malicious packets are dropped while legitimate traffic passes through
  4. Azure's global network scale absorbs volumetric floods (terabits per second capacity)
  5. After the attack subsides, mitigation is removed automatically

Always-On Protection: DDoS Protection is always monitoring — there's no need to activate it during an attack. Mitigation begins automatically within seconds of attack detection, with no impact on legitimate traffic.

Adaptive Tuning

DDoS IP and Network Protection learn the normal traffic patterns for your application over time. When traffic deviates significantly from the learned baseline, mitigation triggers. This reduces false positives compared to static threshold-based approaches — your legitimate traffic spikes (e.g., flash sales) won't accidentally trigger mitigation.
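
The difference between a fixed limit and a learned baseline, as an added illustration that is not part of the original page and is not Azure's actual tuning algorithm. The percentile rule, the `margin` factor, the function names and all traffic figures are assumptions constructed for this sketch.

```python
"""Simplified model: static threshold vs. a threshold learned from history."""
from statistics import quantiles


def learned_threshold(history_pps, margin=2.0):
    """Threshold = margin x the 99th percentile seen during the learning window."""
    p99 = quantiles(history_pps, n=100)[98]
    return margin * p99


def triggers(samples_pps, threshold):
    """Return the indexes of samples that would start mitigation."""
    return [i for i, pps in enumerate(samples_pps) if pps > threshold]


# Constructed data, packets per second, one sample per minute.
# The learning window holds quiet traffic plus an earlier sale peaking at 9,000 pps.
HISTORY = [1_000 + (i % 10) * 50 for i in range(500)] + [9_000] * 20
FLASH_SALE = [1_200, 4_000, 8_500, 8_800, 3_000]       # legitimate spike
FLOOD = [1_200, 60_000, 250_000, 240_000, 1_300]       # attack-sized burst

STATIC_THRESHOLD = 5_000                               # hand-picked fixed limit
ADAPTIVE_THRESHOLD = learned_threshold(HISTORY)        # derived from HISTORY

if __name__ == "__main__":
    for label, series in (("flash sale", FLASH_SALE), ("flood", FLOOD)):
        print(f"{label:10} static={triggers(series, STATIC_THRESHOLD)} "
              f"adaptive={triggers(series, ADAPTIVE_THRESHOLD)}")
```

In this model the learned threshold only tolerates the sale because a comparable peak was present in the learning window; a first-ever spike of that size would still stand out against the baseline.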

Telemetry and Alerts

With IP or Network Protection enabled, you get:

  • Real-time attack metrics in Azure Monitor (packets dropped, attack vectors, attack type)
  • Attack start/stop alerts
  • Post-attack mitigation reports
  • Integration with Azure Sentinel for SIEM alerting

SLA Credit Guarantee

DDoS Network Protection includes financial protection — if a DDoS attack causes your application to scale out or incur extra compute/bandwidth charges, Microsoft provides service credits to offset those costs. Available only with the Network Protection tier.

DDoS Rapid Response

During an active attack, DDoS Network Protection customers can engage Microsoft's DDoS experts for assistance — available 24/7 during an ongoing attack. They can help identify the attack type, recommend mitigations, and provide guidance. Only available with the Network Protection tier.

Enabling DDoS Protection

Azure CLI: Create DDoS Protection plan and link to VNet

```bash
# Create DDoS protection plan
az network ddos-protection create \
  --name myDdosPlan \
  --resource-group myRG \
  --location centralindia

# Link to VNet
az network vnet update \
  --name myVNet \
  --resource-group myRG \
  --ddos-protection-plan myDdosPlan \
  --ddos-protection true
```
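
A follow-up check for the step above, as an added example that is not part of the original page: it reads the JSON printed by `az network vnet list -o json` and reports which VNets actually have both settings applied, plus how many distinct plans are in use (the plan is what is billed). The sample JSON, the subscription ID placeholder and the VNet names other than `myVNet` are constructed; `enableDdosProtection` and `ddosProtectionPlan` are the VNet resource fields the two CLI flags set.

```python
import json

# Constructed sample of `az network vnet list -o json`, trimmed to the fields used.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG"
PLAN = SUB + "/providers/Microsoft.Network/ddosProtectionPlans/"
SAMPLE = json.dumps([
    {"name": "myVNet", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN + "myDdosPlan"}},
    {"name": "stagingVNet", "enableDdosProtection": False,
     "ddosProtectionPlan": {"id": PLAN + "myDdosPlan"}},
    {"name": "legacyVNet", "enableDdosProtection": False,
     "ddosProtectionPlan": None},
    {"name": "teamVNet", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": PLAN + "otherPlan"}},
])


def audit_vnets(vnet_list_json):
    """Return ({vnet name: status}, sorted names of the plans in use)."""
    status, plans = {}, set()
    for vnet in json.loads(vnet_list_json):
        enabled = bool(vnet.get("enableDdosProtection"))
        plan_id = (vnet.get("ddosProtectionPlan") or {}).get("id")
        if plan_id:
            plans.add(plan_id.rsplit("/", 1)[-1])   # last path segment = plan name
        if enabled and plan_id:
            status[vnet["name"]] = "protected"
        elif plan_id:
            status[vnet["name"]] = "plan linked, protection off"
        else:
            # Individual public IPs may still carry IP Protection.
            status[vnet["name"]] = "infrastructure tier only"
    return status, sorted(plans)


if __name__ == "__main__":
    status, plans = audit_vnets(SAMPLE)
    for name, state in status.items():
        print(f"{name:12} {state}")
    if len(plans) > 1:
        print("multiple plans in use:", ", ".join(plans))
```

To run it against a real subscription, pass the output of `az network vnet list -o json` to `audit_vnets` in place of `SAMPLE`.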

AZ-104 Exam Tip: Know the three tiers: Infrastructure (free, automatic), IP Protection (per-IP, no DRR), Network Protection (per-VNet, includes DRR and SLA credits). Know that DDoS protection is always-on and automatic — no manual activation during attacks. Know that Network Protection enables cost protection via SLA credits.

Practice Questions

Q1. Which Azure DDoS Protection tier is automatically applied to all Azure resources at no extra cost?
A — DDoS Infrastructure Protection
B — DDoS IP Protection
C — DDoS Network Protection
D — DDoS Basic
Q2. Which DDoS Protection tier includes access to Microsoft DDoS experts during an active attack (DDoS Rapid Response)?
A — DDoS Infrastructure Protection
B — DDoS IP Protection
C — DDoS Network Protection
D — Both IP Protection and Network Protection
Q3. What is "adaptive tuning" in Azure DDoS Protection?
A — Fixed bandwidth thresholds that trigger mitigation at preset levels
B — Machine learning that learns normal traffic patterns and adjusts thresholds to reduce false positives
C — Automatic scaling of your application during a DDoS attack
D — Automatic firewall rule updates during an attack
Q4. Does Azure DDoS Protection require manual activation when an attack begins?
A — Yes — you must enable mitigation mode in the Azure Portal
B — No — it is always-on and activates automatically when an attack is detected
C — No — but there is a 5-minute delay before mitigation starts
D — Yes — you must call Azure Support to initiate mitigation
Q5. A volumetric DDoS attack floods your application with 500 Gbps of traffic. Which DDoS attack type is this?
A — Volumetric attack
B — Protocol attack
C — Resource layer attack
D — DNS amplification attack
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.