Share via

DDoS Simulation Test via External WAF (Imperva) – Need to Notify Microsoft?

Dimitrios Katsaras 0 Reputation points
2026-06-11T10:24:28.88+00:00

Hello,

We are planning to perform a scheduled DDoS simulation test targeting systems hosted in Azure during the following window:

  • Date/Time: June 13th 23:00 – June 14th 06:00 (approximately)

The simulated attack traffic will target URLs that are fronted by an external WAF service (Imperva). From there, the traffic will be forwarded to our backend infrastructure hosted in Azure.

Given that:

  • A significant amount of traffic is expected to pass through the WAF and reach Azure resources
  • This traffic may resemble a volumetric or application-layer DDoS pattern

We would like to clarify the following:

Is it recommended or required to notify Microsoft (e.g., via a support ticket) prior to conducting such a DDoS simulation test?

More specifically:

  • Could this type of activity trigger Azure platform-level DDoS protection or abuse detection mechanisms?
  • Is prior coordination with Microsoft advised even when the target endpoints are behind a third-party WAF (Imperva)?

We want to ensure the test is conducted in accordance with Azure policies and does not unintentionally impact platform protections or service availability.

Thanks in advance for your guidance.

Azure DDos Protection
Azure DDos Protection

An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.

3 answers

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-06-11T10:24:50.9166667+00:00

    Denial-of-service and DDoS-style testing against Azure resources is governed by specific rules of engagement.

    1. Direct, self-run DDoS/DoS tests are not permitted The penetration testing guidance explicitly states that Denial of Service (DoS) testing of any kind, including tests that determine, demonstrate, or simulate DoS, is strictly prohibited against Microsoft online services, regardless of authorization. This prohibition applies even if:
      • The traffic is generated as a “simulation,” and
      • The target is ultimately hosted on Azure, including when fronted by a third‑party WAF such as Imperva.
    2. Supported way to test DDoS resilience To test DDoS resilience for Azure-hosted public endpoints, the supported approach is to use Microsoft‑approved DDoS simulation partners, as documented under Azure DDoS Protection simulation testing. These partners (for example, BreakingPoint Cloud, MazeBolt, Red Button, RedWolf) provide controlled simulations that comply with Microsoft’s rules of engagement and avoid violating the DoS prohibition. The security testing guidance reiterates that DoS simulations in Azure must follow the policies in Azure DDoS Protection simulation testing.
    3. Notification/coordination with Microsoft
      • When using the approved DDoS simulation partners and following the Azure DDoS Protection simulation testing guidance, coordination with Microsoft is built into the supported process.
      • Running an independent DDoS simulation (even via an external WAF) that generates significant attack-like traffic toward Azure endpoints, outside of that approved process, falls under the prohibited DoS testing category and is not allowed rather than something that can be “pre‑approved” via a normal support ticket.
    4. Platform detection and abuse handling Azure runs automated abuse detection on inbound and outbound traffic. Activity that resembles DDoS may be flagged, and Microsoft may, at its discretion, interrupt the activity even if it is part of a test. If legitimate testing that complies with the rules is ever flagged, the guidance is to respond to the abuse notification with authorization details and scope.

    Summary:

    • Self-managed DDoS/DoS simulations against Azure resources (including those behind Imperva) are not permitted under the penetration testing rules.
    • To test DDoS resilience, use the Microsoft‑approved DDoS simulation partners and follow the Azure DDoS Protection simulation testing guidance; coordination with Microsoft is handled through that channel, rather than via an ad‑hoc support ticket for a custom DDoS test.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

    1 person found this answer helpful.
  2. Venkatesan S 9,055 Reputation points Microsoft External Staff Moderator
    2026-06-12T00:40:50.28+00:00

    Hi Dimitrios Katsaras,

    Thanks for reaching out in Microsoft Q&A forum,

    Is it recommended or required to notify Microsoft (e.g., via a support ticket) prior to conducting such a DDoS simulation test? Yes, and more than just notification is needed. Microsoft has a formal policy: you can only simulate attacks using approved testing partners, and your target public IP addresses must belong to an Azure subscription of your own, which will be validated by those partners before testing begins.

    The approved partners are:

    • BreakingPoint Cloud (self-service)
    • MazeBolt (continuous, non-disruptive)
    • Red Button (guided, expert-led)
    • RedWolf (self-service or guided)

    These partners' simulation environments are built within Azure, and the target public IPs must be protected under Azure DDoS Protection. Running a DDoS simulation outside this approved partner framework even on your own Azure-hosted resources is against Azure's testing policy.

    Could this type of activity trigger Azure platform-level DDoS protection or abuse detection mechanisms?

    Yes, absolutely.

    • Azure DDoS Protection continuously monitors incoming traffic patterns to identify potential DDoS attacks, and upon detection, it automatically triggers mitigation measures.
    • Volumetric or application-layer traffic resembling a DDoS attack will be detected and potentially mitigated, whether or not it comes from a legitimate test which is exactly why Microsoft requires the use of approved partners who coordinate with the platform.

    Is prior coordination with Microsoft advised even when the target endpoints are behind a third-party WAF (Imperva)?

    No, it does not exempt you. The critical factor is that traffic ultimately reaches Azure-hosted public IPs. The presence of Imperva in the traffic path does not remove the obligation to follow Azure's simulation policy for the backend infrastructure.

    Official Microsoft Documentation

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments
  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.