Azure DDoS Protection

Azure DDoS Protection is a service designed to safeguard your Azure resources from Distributed Denial of Service (DDoS) attacks. It provides two main tiers of protection: Free Tier and Standard Tier.

1. Free Tier (Included with all Azure Services)

  • Automatic Protection: The Free Tier is automatically enabled for all Azure resources deployed in a virtual network (VNet), providing basic DDoS protection for free, without requiring any additional setup or configuration.

  • Basic Level of Protection:

    • Protection Against Common Attacks: It defends against typical DDoS attacks that target public IP addresses, such as volumetric and small-scale protocol attacks.

    • Basic Monitoring: The Free Tier provides basic monitoring, including alerting when an attack is detected and basic attack metrics via Azure Monitor.

    • No Additional Cost: This tier incurs no additional charges—it is included in the cost of using Azure services.

2. Standard Tier (Subscription-Based)

  • Advanced Protection: The Standard Tier is a subscription-based offering that adds advanced DDoS protection features beyond those of the Free Tier.

  • Comprehensive Attack Mitigation:

    • Adaptive Threat Detection: It uses machine learning and telemetry to detect and mitigate large, sophisticated DDoS attacks in real time.

    • Protection for All Azure Resources: This includes not only Azure virtual machines (VMs) but also services like Azure Web Apps, Azure Kubernetes Service (AKS), and any other service with a public IP.

    • Customizable Policies: You can create custom DDoS protection policies to define the thresholds for attack detection, helping you manage response actions based on your specific needs.

    • 24/7 Monitoring and Alerts: You get detailed insights, real-time metrics, and comprehensive monitoring through Azure Monitor. This includes attack diagnostics and alerts on attack severity and mitigation actions.

  • DDoS Protection Analytics: With the Standard Tier, you can access detailed DDoS attack analytics and gain insights into the types of attacks, their frequency, and their impact.

  • Protection for Virtual Networks: The Standard Tier provides protection for entire VNets, meaning all the resources inside the VNet are protected from DDoS threats.

  • Cost: The Standard Tier is subscription-based and incurs additional costs, calculated based on the protected public IP addresses. The pricing varies based on the scale of protection and usage.
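Because Standard Tier coverage is attached per VNet, a quick inventory check shows which networks are actually on it. The following is an added example, not part of the original page: it assumes VNet records in the shape of `az network vnet list -o json` output, using the `enableDdosProtection` and `ddosProtectionPlan` fields; the sample data, resource names and the `critical_groups` parameter are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az network vnet list -o json` output.
# All names and IDs below are made up for this example.
PLAN_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-sec/providers/Microsoft.Network/ddosProtectionPlans/example-plan")
SAMPLE_VNETS = [
    {"name": "vnet-prod", "resourceGroup": "rg-prod",
     "enableDdosProtection": True, "ddosProtectionPlan": {"id": PLAN_ID}},
    {"name": "vnet-dev", "resourceGroup": "rg-dev",
     "enableDdosProtection": False, "ddosProtectionPlan": None},
    # Plan still linked but protection switched off: neither clean state.
    {"name": "vnet-stale", "resourceGroup": "rg-old",
     "enableDdosProtection": False, "ddosProtectionPlan": {"id": PLAN_ID}},
    # Record with the fields missing entirely (treated as not enabled).
    {"name": "vnet-legacy", "resourceGroup": "rg-old"},
]

def classify_vnet(vnet):
    """Return 'standard', 'free' or 'inconsistent' for one VNet record."""
    enabled = bool(vnet.get("enableDdosProtection"))
    plan = vnet.get("ddosProtectionPlan") or {}
    has_plan = bool(plan.get("id"))
    if enabled and has_plan:
        return "standard"
    if not enabled and not has_plan:
        return "free"
    # Flag set without a plan, or plan linked while the flag is off.
    return "inconsistent"

def audit(vnets, critical_groups=()):
    """Group VNets by tier; 'gaps' lists VNets in critical resource
    groups (hypothetical parameter) that are not on the Standard Tier."""
    report = {"standard": [], "free": [], "inconsistent": [], "gaps": []}
    for vnet in vnets:
        tier = classify_vnet(vnet)
        report[tier].append(vnet["name"])
        if tier != "standard" and vnet.get("resourceGroup") in critical_groups:
            report["gaps"].append(vnet["name"])
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_VNETS, critical_groups={"rg-prod", "rg-old"})
    print(json.dumps(result, indent=2))
```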

Summary of Differences:

| Feature | Free Tier | Standard Tier |
|---|---|---|
| Protection Type | Basic DDoS protection | Advanced DDoS protection |
| Automatic Protection | Yes | Yes |
| Real-Time Monitoring | Basic alerts and metrics | Advanced, customizable monitoring with detailed attack diagnostics |
| Cost | Free (Included with all Azure services) | Subscription-based, additional cost |
| Customizable Protection Rules | No | Yes |
| Protection Scope | Public IP addresses in a VNet | All resources with public IPs, including VNets, VMs, apps, AKS, etc. |
| Additional Features | Basic DDoS attack mitigation | Adaptive threat detection, 24/7 monitoring, DDoS Protection Analytics, enhanced attack mitigation |

Use Cases:

  • Free Tier: Suitable for smaller applications or environments where you need basic protection from standard DDoS threats, with no additional cost.

  • Standard Tier: Ideal for enterprises or mission-critical applications that require advanced, customizable DDoS protection, including real-time attack monitoring, detailed analytics, and sophisticated mitigation strategies.
