How to switch Azure DDoS Protection tiers using Azure portal

In this guide, we walk through the steps to switch between Network Protection and IP Protection tiers using Azure portal. This guide follows the Application running on load-balanced virtual machines architecture. To learn more about the different architectures, see Azure DDoS Protection reference architectures.

Prerequisites

• An Azure account with an active subscription. Create an account for free.
• DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address.

Switch Azure DDoS Protection tiers

Network Protection

Switch to Network Protection

Services must be added to the DDoS protection plan to be protected by Network Protection. Once the service is added to the DDoS protection plan, the tier will automatically transition to Network Protection from IP Protection. You don't need disable IP protection during this transition.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter DDoS protection plans. Select your DDoS protection plan.

3. In the Settings pane, select the Protected Resources tab, then select Add.

   

4. In the Add virtual network to DDoS plan pane, select the Subscription and Resource group that contains the virtual network, then select the Virtual network that contains the protected resources. Select Add.

   

IP Protection

Switch to IP Protection

You can switch from Network Protection to IP Protection using the Azure portal. To prevent DDoS protection downtime, you must enable IP Protection before disabling Network Protection.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter public IP Addresses. Select public IP Address.

3. Select your Public IP address.

4. In the Overview pane, select the Properties tab, then select DDoS protection.

   

5. In the Configure DDoS protection pane, under Protection type, select IP, then select Save.

   

Disable Network Protection

The DDoS protection plan must be disassociated from the protected resources before you can delete the plan.

Warning

To maintain DDoS Protection during migration, ensure IP protection is enabled on all public IPs protected by Network Protection.

1. In the search box at the top of the portal, enter DDoS protection plans. Select your DDoS protection plan.

2. In the Settings page, select the Protected Resources tab, then select the Dissociate icon next to the virtual network that contains the resources you're protecting. When prompted, select Yes to confirm.

   

Validate DDoS Protection status

To validate the status of your protected resource follow the steps below.

1. Select All resources on the top, left of the portal.

2. Enter public IP address in the Filter box. When public IP address appear in the results, select it.

3. Select your public IP Address from the list.

4. In the Overview page, select the Properties tab in the middle of the page, then select DDoS protection.

5. View Protection status and verify your public IP is protected.

   

Next steps

• Learn how to configure diagnostic logging.