To the DDoS Part of the question , from a Microsoft/first-party perspective, consider Az Front Door + WAF and see the L7/App DDoS Protection page here. Front door is by it's design (edge PaaS service) highly elastic. Ensure that you lock down access between front door and any web app or API origin using either private link (for premium) or through App Service IP ACLs and front door id header check. As explained here.
Front door will also be useful from an edge caching perspective , and in general can provide better performance where the clients to your app are widely distributed.