Partnering with Azure DDoS Protection Standard

This article describes partnering opportunities enabled by the Azure DDoS Protection Standard. This article is designed to help product managers and business development roles understand the investment paths and provide insight into the partnering value propositions.


Distributed denial of service (DDoS) attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.

Azure DDoS Protection provides countermeasures against the most sophisticated DDoS threats, leveraging the global scale of Azure networking. The service provides enhanced DDoS mitigation capabilities for applications and resources deployed in virtual networks.

Technology partners can protect their customers' resources natively with Azure DDoS Protection Standard to address the availability and reliability concerns due to DDoS attacks.

Introduction to Azure DDoS Protection Standard

Azure DDoS Protection Standard provides enhanced DDoS mitigation capabilities against Layer 3 and Layer 4 DDoS attacks. The following are the key features of DDoS Protection Standard service.

Adaptive real-time tuning

For every protected application, Azure DDoS Protection Standard automatically tunes the DDoS mitigation policy thresholds based on the application’s traffic profile patterns. The service accomplishes this customization by using two insights:

  • Automatic learning of per-customer (per-IP) traffic patterns for Layer 3 and 4.
  • Minimizing false positives, considering that the scale of Azure allows it to absorb a significant amount of traffic.

Adaptive real time tuning

Attack analytics, telemetry, monitoring, and alerting

Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention.

  • If the protected resource is in the subscription covered under Microsoft Defender for Cloud, DDoS Protection Standard automatically sends an alert to Defender for Cloud whenever a DDoS attack is detected and mitigated against the protected application.
  • Alternatively, to get notified when there’s an active mitigation for a protected public IP, you can configure an alert on the metric Under DDoS attack or not.
  • You can additionally choose to create alerts for the other DDoS metrics and configure attack telemetry to understand the scale of the attack, traffic being dropped, attack vectors, top contributors, and other details.

DDoS metrics

DDoS rapid response (DRR)

DDoS Protection Standard customers have access to Rapid Response team during an active attack. DRR can help with attack investigation during an attack as well as post-attack analysis.

SLA guarantee and cost protection

DDoS Protection Standard service is covered by a 99.99% SLA, and cost protection provides resource credits for scale out during a documented attack. For more information, see SLA for Azure DDoS Protection.

The following are key benefits you can derive by integrating with the Azure DDoS Protection Standard:

  • Partners' offered services (load balancer, web application firewall, firewall, etc.) to their customers are automatically protected (white labeled) by Azure DDoS Protection Standard in the back end.
  • Partners have access to Azure DDoS Protection Standard attack analytics and telemetry that they can integrate with their own products, offering a unified customer experience.
  • Partners have access to DDoS rapid response support even in the absence of Azure rapid response, for DDoS related issues.
  • Partners' protected applications are backed by a DDoS SLA guarantee and cost protection in the event of DDoS attacks.

Technical integration overview

Azure DDoS Protection Standard partnering opportunities are made available via Azure portal, APIs, and CLI/PS.

Integrate with DDoS Protection Standard

The following steps are required for partners to configure integration with Azure DDoS Protection Standard:

  1. Create a DDoS Protection Plan in your desired (partner) subscription. For step-by-step instructions, see Create a DDoS Standard Protection plan.


    Only 1 DDoS Protection Plan needs to be created for a given tenant.

  2. Deploy a service with public endpoint in your (partner) subscriptions, such as load balancer, firewalls, and web application firewall.
  3. Enable Azure DDoS Protection Standard on the virtual network of the service that has public endpoints using DDoS Protection Plan created in the first step. For step-by-step instructions, see Enable DDoS Standard Protection plan


    After Azure DDoS Protection Standard is enabled on a virtual network, all public IPs within that virtual network are automatically protected. The origin of these public IPs can be either within Azure (client subscription) or outside of Azure.

  4. Optionally, integrate Azure DDoS Protection Standard telemetry and attack analytics in your application-specific customer-facing dashboard. For more information about using telemetry, see View and configure DDoS protection telemetry.

Onboarding guides and technical documentation

Get help

  • If you have questions about application, service, or product integrations with Azure DDoS Protection Standard, reach out to the Azure security community.
  • Follow discussions on Stack Overflow.

Get to market

Next steps

View existing partner integrations: