How to enable/configure Basic DDOS Protection

Question

An Azure support chat agent stated that all Public IP addresses have Basic DDOS protection available at no extra cost, but it must be enabled. When I follow tutorial at https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-ip-protection-portal, my portal does not show the DDOS Protection configuration section under properties.

My Public IP is Basic SKU, Regional Tier and Dynamic (meaning it wasn't allocated until it was associated to the VM). It is currently allocated to a VM.

1. Is it true that there is a Basic DDOS protection available for Public IP Addresses at no extra cost?
2. If so, is it automatically enabled now, meaning the documentation is out of date?
3. Is the tutorial provided by the agent only for the $200/IP/month Standard DDOS Protection option?

Answer 1

Hi @Brent Long , I understand that you have questions regarding DDoS protection in Azure.

Answering your question:

1. If you have DDoS Network Protection, you need to register your virtual networks into the DDoS protection. After that, all of your Public IP addresses in those virtual networks are protected, including Public IP Basic SKU. There is cost for DDoS Network Protection - see "Network Protection" from this page: https://azure.microsoft.com/en-us/pricing/details/ddos-protection/
2. Documentation is not out of date.
3. DDoS IP Protection does not support Public IP Basic SKU. You need to use Public IP Standard SKU if you want to enable DDoS IP Protection.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Answer 2

@Brent Long ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Azure DDOS has two tiers,

• DDoS Network Protection - Protects upto 100 IP Addresses at fixed cost and additional IPs are charged extra
• DDoS IP Protection - Protects individual IP Address at fixed cost

There is no explicit tier called "Basic" tier. What actually happens is,

Services running on Azure are inherently protected by the default infrastructure-level DDoS protection. However, the protection that safeguards the infrastructure has a much higher threshold than most applications have the capacity to handle, and does not provide telemetry or alerting, so while a traffic volume may be perceived as harmless by the platform, it can be devastating to the application that receives it.

• See : Are services unsafe in Azure without the service?
• You will not be able to view it in the Portal like you do for Network/IP Protection

2.If so, is it automatically enabled now, meaning the documentation is out of date?

• As mentioned, the infrastructure-level DDoS protection comes into picture

3.Is the tutorial provided by the agent only for the $200/IP/month Standard DDOS Protection option?

• Not sure what agent gave you this info
• To enable
  • Azure DDoS Network Protection : Follow Create and configure Azure DDoS Network Protection
  • Azure DDoS IP Protection : Follow Create and configure Azure DDoS IP Protection
• For pricing, check out Azure DDoS Protection pricing
• For Cost assessment, follow : Compare pricing between Azure DDoS Protection tiers
• Again, there is no "Standard" tier, only "Network" and "IP" Protection

NOTE:

As mentioned by , Basic Public IP is not covered by "DDoS IP Protection"

• See : DDOS Limitations
• This means, you have to either upgrade your Public IP to Standard SKU
• or use DDoS Network Protection (which is comparatively costlier)

I would greatly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Cheers,

Kapil@Brent Long ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Azure DDOS has two tiers,

• DDoS Network Protection - Protects upto 100 IP Addresses at fixed cost and additional IPs are charged extra
• DDoS IP Protection - Protects individual IP Address at fixed cost

There is no explicit tier called "Basic" tier. What actually happens is,

Services running on Azure are inherently protected by the default infrastructure-level DDoS protection. However, the protection that safeguards the infrastructure has a much higher threshold than most applications have the capacity to handle, and does not provide telemetry or alerting, so while a traffic volume may be perceived as harmless by the platform, it can be devastating to the application that receives it.

• See : Are services unsafe in Azure without the service?
• You will not be able to view it in the Portal like you do for Network/IP Protection

2.If so, is it automatically enabled now, meaning the documentation is out of date?

• As mentioned, the infrastructure-level DDoS protection comes into picture

3.Is the tutorial provided by the agent only for the $200/IP/month Standard DDOS Protection option?

• Not sure what agent gave you this info
• To enable
  • Azure DDoS Network Protection : Follow Create and configure Azure DDoS Network Protection
  • Azure DDoS IP Protection : Follow Create and configure Azure DDoS IP Protection
• For pricing, check out Azure DDoS Protection pricing
• For Cost assessment, follow : Compare pricing between Azure DDoS Protection tiers
• Again, there is no "Standard" tier, only "Network" and "IP" Protection

NOTE:

As mentioned by , Basic Public IP is not covered by "DDoS IP Protection"

• See : DDOS Limitations
• This means, you have to either upgrade your Public IP to Standard SKU
• or use DDoS Network Protection (which is comparatively costlier)

I would greatly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Cheers,

Kapil