Azure Front Door DDoS Protection Status with WAF in Detection Mode

S79 0 Reputation points
2025-05-30T02:18:18.8133333+00:00

Hello Team,

I'm seeking confirmation regarding the operational status of Azure Front Door's DDoS protection when our Web Application Firewall (WAF), part of Azure Front Door (Premium), is configured in Detection mode.

Environment Details

  • Azure Front Door Premium

Kindly provide clarity on the following questions:

1. DDoS Protection Independence

Question:

Does Azure Front Door's built-in Infrastructure DDoS Protection remain fully operational when the associated WAF policy is set to Detection mode?

Does DDoS protection operate at the infrastructure level, independent of WAF policy configuration?

2. Protection Scope Validation

Question: Which specific DDoS protection capabilities remain active in Detection mode?

  • Volumetric attack mitigation (UDP/TCP floods)
  • Protocol attacks (SYN floods, fragmented packet attacks)
  • Reflection amplification attacks (DNS, NTP)

3. Monitoring and Alerting

Question: Are DDoS protection metrics and alerts available in Azure Monitor when WAF is in Detection mode? If so, which specific metrics should we monitor to validate protection status?

Regards,


1 answer

  1. Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator
    2025-05-30T03:04:05.6666667+00:00

    Hello S79

    I understand that you're looking for some clarification regarding how Azure Front Door's DDoS protection works, especially when your Web Application Firewall (WAF) is set to Detection mode.

    1. DDoS Protection Independence:

    Yes, the Azure Front Door's built-in Infrastructure DDoS Protection remains fully operational even when your associated WAF policy is set to Detection mode. The DDoS protection operates at the infrastructure level, meaning it functions independently of the WAF policy configuration (whether Detection or Prevention).

    This allows DDoS protection to actively mitigate network layer attacks regardless of how the WAF is set up.

    Refer to https://learn.microsoft.com/en-us/azure/frontdoor/front-door-ddos

    2. Protection Scope Validation

    All Standard DDoS protection mechanisms remain active:

    • Volumetric attacks (UDP/TCP floods)
    • Protocol Attacks (SYN floods)
    • Fragmented Packet Attacks
    • Reflection Amplification (DNS, NTP)

    While infrastructure DDoS protection blocks large-scale volumetric attacks, WAF (in protection mode) is responsible for application-layer protections (like HTTP request floods, SQLi, XSS).

    Refer to https://learn.microsoft.com/en-us/azure/ddos-protection/types-of-attacks

    So, even in Detection mode, DDoS protection still mitigates these types of attacks effectively.

    3. Monitoring and Alerting

    Yes, DDoS protection metrics and alerts are available in Azure Monitor when WAF is in Detection mode. You should monitor various metrics to validate the protection status, such as:

    • DDoS attack metrics: These will show if any attacks were attempted and how they were mitigated.
    • Network traffic patterns: This will help identify unusual traffic spikes.

    Refer to https://learn.microsoft.com/en-us/azure/ddos-protection/monitor-ddos-protection-reference


    Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.
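
For the application-layer side that the answer assigns to the WAF: a policy in Detection mode logs rule matches without blocking them, so the sketch below tallies which rules and clients produced logged-only matches in exported WAF diagnostic records. It is an added example, not part of the original thread or any Microsoft code; the record layout (`category`, `properties.policyMode`, `ruleName`, `clientIP`, `action`), the rule and policy names, and the sample lines are constructed assumptions to adapt to your own log export.

```python
import json
from collections import Counter

# Constructed sample: JSON-lines records shaped like Front Door WAF diagnostic
# logs. Field names, rule names and the policy name are assumptions.
SAMPLE_LOG = """
{"time":"2025-05-30T02:00:01Z","category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.10","ruleName":"RateLimitPerClient","policy":"examplePolicy","action":"Log","policyMode":"detection"}}
{"time":"2025-05-30T02:00:02Z","category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"203.0.113.10","ruleName":"RateLimitPerClient","policy":"examplePolicy","action":"Log","policyMode":"detection"}}
{"time":"2025-05-30T02:00:03Z","category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"198.51.100.7","ruleName":"Microsoft_DefaultRuleSet-2.1-SQLI-942100","policy":"examplePolicy","action":"Log","policyMode":"detection"}}
{"time":"2025-05-30T02:00:04Z","category":"FrontDoorWebApplicationFirewallLog","properties":{"clientIP":"192.0.2.44","ruleName":"GeoBlockRule","policy":"otherPolicy","action":"Block","policyMode":"prevention"}}
{"time":"2025-05-30T02:00:05Z","category":"FrontDoorAccessLog","properties":{"clientIp":"192.0.2.44"}}
{"time":"2025-05-30T02:00:06Z","category":"FrontDoorWebApplic
"""

WAF_CATEGORY = "frontdoorwebapplicationfirewalllog"


def waf_records(text):
    """Yield the properties dict of each well-formed WAF record; skip debris."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if isinstance(rec, dict) and str(rec.get("category", "")).lower() == WAF_CATEGORY:
            props = rec.get("properties")
            if isinstance(props, dict):
                yield props


def detection_gap(text):
    """Summarise rule matches that were logged under Detection mode, not enforced."""
    by_rule, by_client, modes = Counter(), Counter(), Counter()
    for p in waf_records(text):
        mode = str(p.get("policyMode", "unknown")).lower()
        modes[mode] += 1
        if mode == "detection":
            by_rule[p.get("ruleName", "unknown")] += 1
            by_client[p.get("clientIP", "unknown")] += 1
    return {"modes": dict(modes), "unenforced_by_rule": dict(by_rule),
            "unenforced_by_client": by_client.most_common(3)}


if __name__ == "__main__":
    print(json.dumps(detection_gap(SAMPLE_LOG), indent=2))
```

A non-empty `unenforced_by_rule` for rate-limit or managed rules is the traffic the WAF would act on only after the policy is switched to Prevention mode.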

