Azure DDoS Standard depoyment and configuration best practice?

EnterpriseArchitect 4,916 Reputation points

How does the Azure DDoS Standard protection works?

because it is quite expensive and how many do I require to secure:

  1. Public Facing Web Apps
  2. Web Application deployed behind the Azure AppGwV2-WAF
  3. Public facing Storage Account
  4. Any services with Public IP address.

I also have ExpressRoute circuit to connect the Azure VNET to my OnPremise network, does this also gets protected by the DDoS Standard?

Azure DDos Protection
Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
67 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,231 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
336 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 48,516 Reputation points Microsoft Employee

    Hello @EnterpriseArchitect ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    DDoS Protection Standard is designed for services that are deployed in a virtual network. For other services, the default DDoS Protection Basic service applies. To learn more about supported architectures, see DDoS Protection reference architectures.

    DDoS protection plans have a fixed monthly charge of $2,944 per month which covers up to 100 public IP addresses. Protection for additional resources will cost an additional $30 per resource per month.

    Under a tenant, a single DDoS protection plan can be used across multiple subscriptions, so there is no need to create more than one DDoS protection plan.
    When Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the lower non-WAF rate. This applies to both Application Gateway v1 and v2 SKUs.

    Refer :

    • Public Facing Web Apps are protected by DDOS Standard.
    • When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF).
    • Public facing Storage Accounts are not deployed in a Vnet, so it is not covered under DDOS Standard but the default DDoS Protection Basic service applies.
    • Any services with Public IP address : In the context of Azure DDoS Protection, a resource is a public IP attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Service Fabric or an IaaS based Network Virtual Appliance (NVA). Additional protected resources may be added in the future.
    • ExpressRoute circuit : Not covered under DDOS Standard but the ExpressRoute gateway deployed in your Vnet is covered by DDOS Standard.

    DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the thresholds, the mitigation is stopped.

    It is automatically tuned to help protect your specific Azure resources in a virtual network. Automatic learning of per-customer (per- Public IP) traffic patterns for Layer 3 and 4. DDoS Protection Standard applies three autotuned mitigation policies (TCP SYN, TCP, and UDP) for each public IP of the protected resource, in the virtual network that has DDoS enabled.
    Refer Azure DDoS Protection Standard features for more information:

    Fundamental best practices guidance to build DDoS-resilient services on Azure :

    Learn how your services will respond to an attack by testing through simulations.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful