How to switch Azure DDoS Protection tiers using Azure portal

In this guide, we walk through the steps to switch between Network Protection and IP Protection tiers using Azure portal. This guide follows the Application running on load-balanced virtual machines architecture. To learn more about the different architectures, see Azure DDoS Protection reference architectures.


Switch Azure DDoS Protection tiers

Switch to Network Protection

Services must be added to the DDoS protection plan to be protected by Network Protection. Once the service is added to the DDoS protection plan, the tier will automatically transition to Network Protection from IP Protection. You don't need disable IP protection during this transition.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter DDoS protection plans. Select your DDoS protection plan.

  3. In the Settings pane, select the Protected Resources tab, then select Add.

    Screenshot of adding protected resources to DDoS protection plan.

  4. In the Add virtual network to DDoS plan pane, select the Subscription and Resource group that contains the virtual network, then select the Virtual network that contains the protected resources. Select Add.

    Screenshot of adding virtual network to DDoS protection plan.

Validate DDoS Protection status

To validate the status of your protected resource follow the steps below.

  1. Select All resources on the top, left of the portal.

  2. Enter public IP address in the Filter box. When public IP address appear in the results, select it.

  3. Select your public IP Address from the list.

  4. In the Overview page, select the Properties tab in the middle of the page, then select DDoS protection.

  5. View Protection status and verify your public IP is protected.

    Screenshot showing view of Public IP Properties.

Next steps