Your IP has been flagged by Azure's automatic threat intelligence system for the production LoadBalancer.

Question

Your IP has been flagged by Azure's automatic threat intelligence system for the production LoadBalancer.

Lars van Mourik 0

The production LoadBalancer IP XXX has DDoS protection mode:** VirtualNetworkInherited**, which means it's using Azure's automatic DDoS protection that operates at the network infrastructure level.

This type of protection:

Is NOT visible in Azure CLI standard commands

Operates based on Azure's internal threat intelligence

Can automatically block IPs based on behavioral patterns

Maintains internal blocklists that are not exposed via API

Works at the Azure network edge, before traffic reaches your LoadBalancer

Lars van Mourik 0 Reputation points

2026-03-12T14:15:07.3133333+00:00

i am trying to create a support request but my developer plan doesn't seem to allow it
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T14:23:48.57+00:00

Hi @ Lars van Mourik

Welcome to Microsoft Q&A Platform.

If you have a Developer Plan, your queries will be routed to Q&A automatically. We are the first-level support for your issues and will assist you with your case.

Regarding your query, we will check and update you here. Could you please share the required details in a private message for further troubleshooting?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T14:58:44.38+00:00
Hi @ Lars van Mourik

Can automatically block IPs based on behavioral patterns? Azure’s DDoS protection system automatically detects and mitigates malicious traffic patterns

Azure continuously monitors traffic patterns using global threat intelligence and anomaly detection. When an attack is detected, Azure can automatically apply mitigations such as:

Traffic rate limiting

Traffic scrubbing

Protocol filtering

Dropping malicious packets

This mitigation occurs at the Azure network edge, before traffic reaches your resources',Refer these for more details.

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-12T14:59:37.86+00:00

any way i can see this is actually the case ? the part where it says "not visbile in CLI" and the fact that this ip does not seem to be on any blocklist makes it a bit untangible
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T15:08:58.43+00:00
Hi @ Lars van Mourik

When a DDoS attack is detected, Azure DDoS Protection can provide detailed information about the event. This includes:

Attack metrics – Information about the scale of the attack, dropped traffic, attack vectors, and top contributing sources.

Attack mitigation reports – Detailed breakdown of the attack, including attack types, protocols involved, reasons packets were dropped, and top source countries or regions.

Attack mitigation flow logs – Near real-time visibility into dropped and forwarded traffic during an active mitigation event.

Attack alerting – Notifications when a public IP resource is under attack and when mitigation activities are completed. These insights help you understand the nature of the attack and review how Azure mitigated the traffic.

Ref: Monitor Azure DDoS Protection

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-12T15:22:04.7+00:00

it seems that the linked documentation is about extra DDoS protection that i can enable myself, which i did not. is there another one outside of my control that triggers automatically ?
Lars van Mourik 0 Reputation points

2026-03-13T13:54:05.9733333+00:00

how do i know this is the case for sure ? is there a list of ips i can check ?
Lars van Mourik 0 Reputation points

2026-03-13T13:55:16.5166667+00:00

and more importantly, this is our office ip, how can i get it unblocked ?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-13T15:23:30.4533333+00:00

this is our office ip, how can i get it unblocked ?

No, unfortunately manual configuration isn't available at this moment.

Ref: Can I allowlist/blocklist specific IP addresses?

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-16T09:19:03.6233333+00:00

ok, final question:

how do i know this is the case for sure ? is there a list of ips i can check ?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-16T13:44:04.1+00:00

Hi @ Lars van Mourik

No, unfortunately there isn’t an option to view or verify a list of specific IP addresses that have been flagged or blocked by Azure’s automatic threat intelligence or platform-level DDoS protection.

Azure DDoS protection operates at the Azure network edge and automatically detects and mitigates suspicious traffic patterns using internal threat intelligence. Because this process is managed internally by the Azure platform, the list of flagged or blocked IP addresses isn’t exposed to customers through the Azure portal, CLI, or APIs.

Traffic dropped in DDOS due to following reasons:**

** Protocol violation invalid TCP. syn Protocol violation invalid TCP, Protocol violation invalid UDP, UDP reflection, TCP rate limit exceeded, UDP rate limit exceeded, Destination limit exceeded, Other packet flood Rate limit exceeded, and Packet was forwarded to service. Protocol violation invalid drop reasons refer to malformed packets.

You can check the DDoS Mitigation FlowLogs for more details.

The mitigation flow logs allow you to review the dropped traffic, forwarded traffic, and other interesting data-points during an active DDoS attack in near-real time.

These mitigations occur before the traffic reaches your resources.

You can Configure DDoS Protection metrics and alerts.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-04-02T08:09:22.41+00:00

I ended up putting CloudFlare proxy in front so "source ip" problem went away. I would still like to make a case for you to create an endpoint where we can at least see which ips are being blocked (and for bonus points also "why").
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-04-02T17:16:13.0733333+00:00

Hi @ Lars van Mourik,

You can enable diagnostic logs to identify if a specific IP is being blocked. These logs can be accessed in your Log Analytics workspace.

1 answer

Your answer

Lars van Mourik 0 Reputation points

2026-03-12T14:15:07.3133333+00:00

i am trying to create a support request but my developer plan doesn't seem to allow it
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T14:23:48.57+00:00

Hi @ Lars van Mourik

Welcome to Microsoft Q&A Platform.

If you have a Developer Plan, your queries will be routed to Q&A automatically. We are the first-level support for your issues and will assist you with your case.

Regarding your query, we will check and update you here. Could you please share the required details in a private message for further troubleshooting?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T14:58:44.38+00:00

Hi @ Lars van Mourik

Can automatically block IPs based on behavioral patterns? Azure’s DDoS protection system automatically detects and mitigates malicious traffic patterns

Azure continuously monitors traffic patterns using global threat intelligence and anomaly detection. When an attack is detected, Azure can automatically apply mitigations such as:

Traffic rate limiting

Traffic scrubbing

Protocol filtering

Dropping malicious packets

This mitigation occurs at the Azure network edge, before traffic reaches your resources',Refer these for more details.

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-12T14:59:37.86+00:00

any way i can see this is actually the case ? the part where it says "not visbile in CLI" and the fact that this ip does not seem to be on any blocklist makes it a bit untangible
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-12T15:08:58.43+00:00

Hi @ Lars van Mourik

When a DDoS attack is detected, Azure DDoS Protection can provide detailed information about the event. This includes:

Attack metrics – Information about the scale of the attack, dropped traffic, attack vectors, and top contributing sources.

Attack mitigation reports – Detailed breakdown of the attack, including attack types, protocols involved, reasons packets were dropped, and top source countries or regions.

Attack mitigation flow logs – Near real-time visibility into dropped and forwarded traffic during an active mitigation event.

Attack alerting – Notifications when a public IP resource is under attack and when mitigation activities are completed. These insights help you understand the nature of the attack and review how Azure mitigated the traffic.

Ref: Monitor Azure DDoS Protection

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-12T15:22:04.7+00:00

it seems that the linked documentation is about extra DDoS protection that i can enable myself, which i did not. is there another one outside of my control that triggers automatically ?
Lars van Mourik 0 Reputation points

2026-03-13T13:54:05.9733333+00:00

how do i know this is the case for sure ? is there a list of ips i can check ?
Lars van Mourik 0 Reputation points

2026-03-13T13:55:16.5166667+00:00

and more importantly, this is our office ip, how can i get it unblocked ?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-13T15:23:30.4533333+00:00

this is our office ip, how can i get it unblocked ?

No, unfortunately manual configuration isn't available at this moment.

Ref: Can I allowlist/blocklist specific IP addresses?

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-03-16T09:19:03.6233333+00:00

ok, final question:

how do i know this is the case for sure ? is there a list of ips i can check ?
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-03-16T13:44:04.1+00:00

Hi @ Lars van Mourik

No, unfortunately there isn’t an option to view or verify a list of specific IP addresses that have been flagged or blocked by Azure’s automatic threat intelligence or platform-level DDoS protection.

Azure DDoS protection operates at the Azure network edge and automatically detects and mitigates suspicious traffic patterns using internal threat intelligence. Because this process is managed internally by the Azure platform, the list of flagged or blocked IP addresses isn’t exposed to customers through the Azure portal, CLI, or APIs.

Traffic dropped in DDOS due to following reasons:**

** Protocol violation invalid TCP. syn Protocol violation invalid TCP, Protocol violation invalid UDP, UDP reflection, TCP rate limit exceeded, UDP rate limit exceeded, Destination limit exceeded, Other packet flood Rate limit exceeded, and Packet was forwarded to service. Protocol violation invalid drop reasons refer to malformed packets.

You can check the DDoS Mitigation FlowLogs for more details.

The mitigation flow logs allow you to review the dropped traffic, forwarded traffic, and other interesting data-points during an active DDoS attack in near-real time.

These mitigations occur before the traffic reaches your resources.

You can Configure DDoS Protection metrics and alerts.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Lars van Mourik 0 Reputation points

2026-04-02T08:09:22.41+00:00

I ended up putting CloudFlare proxy in front so "source ip" problem went away. I would still like to make a case for you to create an endpoint where we can at least see which ips are being blocked (and for bonus points also "why").
Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator

2026-04-02T17:16:13.0733333+00:00

Hi @ Lars van Mourik,

You can enable diagnostic logs to identify if a specific IP is being blocked. These logs can be accessed in your Log Analytics workspace.

Answer 1

Hi @ Lars van Mourik

Yes, Azure continuously monitors traffic patterns using global threat intelligence and anomaly detection. even if you did not explicitly enable Azure DDoS Network Protection or DDoS IP Protection, Azure still provides platform-level DDoS protection automatically for all public IP resources.

This built-in protection (often referred to as DDoS Protection Basic) operates at the Azure infrastructure level and cannot be disabled or configured by customers. It helps protect Azure services from common volumetric and protocol-based attacks.

Ref: What is Azure DDoS Protection?

Azure DDoS protection operates at the Azure network edge and automatically detects and mitigates suspicious traffic patterns using internal threat intelligence. Because this process is managed internally by the Azure platform, the list of flagged or blocked IP addresses isn’t exposed to customers through the Azure portal, CLI, or APIs.

Traffic dropped in DDOS due to following reasons:

Protocol violation invalid TCP. syn Protocol violation invalid TCP, Protocol violation invalid UDP, UDP reflection, TCP rate limit exceeded, UDP rate limit exceeded, Destination limit exceeded, Other packet flood Rate limit exceeded, and Packet was forwarded to service. Protocol violation invalid drop reasons refer to malformed packets.

Azure DDoS Protection provides detailed diagnostic logs, including notifications, mitigation reports, and mitigation flow logs, which can show evidence of a specific IP being blocked.- You can access these logs in your Log Analytics workspace. The logs include:

DDoSProtectionNotifications: Notifies when a public IP resource is under attack and when mitigation starts or stops.
DDoSMitigationFlowLogs: Shows dropped and forwarded traffic, including the source IP, destination IP, ports, protocol, and reasons for dropped packets.
DDoSMitigationReports: Provides a summary of the attack, including drop reasons (such as protocol violations, rate limits exceeded, etc.), and details about the blocked IPs.

To enable the logs: Go to Azure Monitor and enable logs --->Diagnostic settings--->Select the DDOS protect resource from the dropdown-->Add diagnostic setting--->Select the Log Analytics and wait for some time get the logs in Log Analytics.
User's image

You can follow the link Query Azure DDoS Protection logs in log analytics workspace for more details.

The DDoS Mitigation FlowLogs allow you to review the dropped traffic, forwarded traffic, and other interesting data-points during an active DDoS attack in near-real time.
Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Your IP has been flagged by Azure's automatic threat intelligence system for the production LoadBalancer.

1 answer

Your answer