Hello @EnterpriseArchitect ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
DDoS Protection Standard is designed for services that are deployed in a virtual network. For other services, the default DDoS Protection Basic service applies. To learn more about supported architectures, see DDoS Protection reference architectures.
DDoS protection plans have a fixed monthly charge of $2,944 per month which covers up to 100 public IP addresses. Protection for additional resources will cost an additional $30 per resource per month.
Under a tenant, a single DDoS protection plan can be used across multiple subscriptions, so there is no need to create more than one DDoS protection plan.
When Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the lower non-WAF rate. This applies to both Application Gateway v1 and v2 SKUs.
Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-
https://azure.microsoft.com/en-gb/pricing/details/ddos-protection/
- Public-facing Web Apps are protected by DDoS Standard.
- When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layers 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF).
- Public-facing Storage Accounts are not deployed in a VNet, so they are not covered under DDoS Standard; the default DDoS Protection Basic service applies.
- Any services with a public IP address: in the context of Azure DDoS Protection, a resource is a public IP attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Service Fabric or an IaaS-based Network Virtual Appliance (NVA). Additional protected resources may be added in the future.
- ExpressRoute circuit: not covered under DDoS Standard, but the ExpressRoute gateway deployed in your VNet is covered by DDoS Standard.
DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the thresholds, the mitigation is stopped.
It is automatically tuned to help protect your specific Azure resources in a virtual network, with automatic learning of per-customer (per-public-IP) traffic patterns for Layers 3 and 4. DDoS Protection Standard applies three autotuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource, in the virtual network that has DDoS enabled.
Refer to Azure DDoS Protection Standard features for more information:
https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-standard-features
Fundamental best practices guidance to build DDoS-resilient services on Azure:
https://learn.microsoft.com/en-us/azure/ddos-protection/fundamental-best-practices
Learn how your services will respond to an attack by testing through simulations.
https://learn.microsoft.com/en-us/azure/ddos-protection/test-through-simulations
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
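As an added illustration of the coverage model described in the answer above (one plan shared by VNets across subscriptions, protection switched on per VNet, and attached public IPs counting toward the plan's 100-resource allowance), here is an Az PowerShell audit script. It is example code written for this page, not part of the original answer or of Microsoft's documentation. It assumes you have already run Connect-AzAccount with rights over every subscription; the plan name, resource group and subscription id are placeholders.

```powershell
# Added example (not from the original answer): inventory DDoS Protection Standard coverage
# across every subscription visible to the signed-in account. Requires the Az module and a
# prior Connect-AzAccount. Plan name, resource group and subscription id are placeholders.
$planResourceGroup = 'rg-network-hub'          # assumption: where the shared plan lives
$planName          = 'ddos-plan-shared'        # assumption: the single tenant-wide plan
$planSubscription  = '<plan-subscription-id>'  # placeholder

# One plan can be referenced by VNets in any subscription of the tenant, so resolve its id first.
Set-AzContext -SubscriptionId $planSubscription | Out-Null
$plan = Get-AzDdosProtectionPlan -ResourceGroupName $planResourceGroup -Name $planName

$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Standard protection is enabled on the VNet; the plan then covers the public IPs of
    # supported resources (VMs, load balancers, Application Gateway, NVAs, ...) inside it.
    $vnets          = @(Get-AzVirtualNetwork)
    $onSharedPlan   = @($vnets | Where-Object { $_.EnableDdosProtection -and $_.DdosProtectionPlan.Id -eq $plan.Id })
    $onOtherPlan    = @($vnets | Where-Object { $_.EnableDdosProtection -and $_.DdosProtectionPlan.Id -ne $plan.Id })
    $unprotected    = @($vnets | Where-Object { -not $_.EnableDdosProtection })

    # Only public IPs attached to a resource (IpConfiguration set) can be protected resources.
    # This is an upper bound: an attached IP in an unprotected VNet still gets Basic only.
    $attachedIps = @(Get-AzPublicIpAddress | Where-Object { $_.IpConfiguration })

    [pscustomobject]@{
        Subscription      = $sub.Name
        VNets             = $vnets.Count
        VNetsOnSharedPlan = $onSharedPlan.Count
        VNetsOnOtherPlan  = $onOtherPlan.Count   # a second plan is normally just extra cost
        VNetsUnprotected  = $unprotected.Count
        AttachedPublicIps = $attachedIps.Count
    }
}

$report | Format-Table -AutoSize

# Rough monthly estimate using the figures quoted in the answer: 100 IPs included, $30 each beyond.
$totalIps = ($report | Measure-Object -Property AttachedPublicIps -Sum).Sum
$estimate = 2944 + [Math]::Max(0, $totalIps - 100) * 30
"Attached public IPs across tenant (upper bound): $totalIps; estimated plan cost: `$$estimate per month"

# Helper to attach an unprotected VNet to the shared plan. Run it in the context of the
# subscription that owns the VNet; it follows the documented Set-AzVirtualNetwork pattern.
function Enable-SharedDdosPlan {
    param(
        [Parameter(Mandatory)] [string] $VnetName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $PlanId
    )
    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
    $vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
    $vnet.DdosProtectionPlan.Id = $PlanId
    $vnet.EnableDdosProtection = $true
    $vnet | Set-AzVirtualNetwork
}
# Example call (uncomment after reviewing the report):
# Enable-SharedDdosPlan -VnetName 'vnet-app-prod' -ResourceGroupName 'rg-app-prod' -PlanId $plan.Id
```

The report makes the two cost-relevant findings from the answer visible at a glance: VNets sitting on a second plan (duplicate fixed charge) and VNets with no plan at all (public IPs there are on Basic only, even if the workload looks "public facing"). The public IP count is deliberately an upper bound; an exact protected-resource count would require mapping each IP configuration back to its subnet's VNet.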