Azure Network Security Blog

A Practical Guide to Azure DDoS Protection Cost Optimization

SaleemBseeu (Microsoft)
Feb 18, 2026

This guide covers best practices for optimizing Azure DDoS Protection costs while maintaining strong security for your workloads.

Introduction

Azure provides infrastructure-level DDoS protection by default to protect Azure’s own platform and services. However, this default protection does not extend to customer workloads or customer-deployed resources such as Application Gateway, Azure Firewall, or virtual machines with public IPs. To protect these resources, Azure offers enhanced DDoS protection capabilities (Network Protection and IP Protection) that customers apply based on workload exposure and business requirements. As environments scale, it is important to ensure these capabilities are applied deliberately and aligned with actual risk.

For more details on how Azure DDoS protection works, see Understanding Azure DDoS Protection: A Closer Look.

Why Cost Optimization Matters

Cost inefficiencies related to Azure DDoS Protection typically emerge as environments scale:

  • New public IPs are introduced
  • Virtual networks evolve
  • Workloads change ownership
  • Protection scope grows without clear alignment to workload exposure

The goal here is deliberate, consistent application of enhanced protection matched to real risk rather than historical defaults.

Scoping Enhanced Protection

Customer workloads with public IPs need enhanced DDoS protection to be defended against targeted attacks. Enhanced DDoS protection provides:

  • Advanced mitigation capabilities
  • Detailed telemetry and attack insights
  • Mitigation tuned to specific traffic patterns
  • Dedicated support for customer workloads

When to apply enhanced protection:

| Workload Type | Enhanced Protection Recommended? |
|---|---|
| Internet-facing production apps with direct customer impact | Yes |
| Business-critical systems with compliance requirements | Yes |
| Internal-only workloads behind private endpoints | Typically not needed |
| Development/test environments | Evaluate based on exposure |

Best Practice: Regularly review public IP exposure and workload criticality to ensure enhanced protection aligns with current needs.

Understanding Azure DDoS Protection SKUs

Azure offers two ways to apply enhanced DDoS protection: DDoS Network Protection and DDoS IP Protection. Both provide DDoS protection for customer workloads.

Comparison Table

| Feature | DDoS Network Protection | DDoS IP Protection |
|---|---|---|
| Scope | Virtual network level | Individual public IP |
| Pricing model | Fixed base + overage per IP | Per protected IP |
| Included IPs | 100 public IPs | N/A |
| DDoS Rapid Response (DRR) | Included | Not available |
| Cost protection guarantee | Included | Not available |
| WAF discount | Included | Not available |
| Best for | Production environments with many public IPs | Selective protection for specific endpoints |
| Management | Centralized | Granular |
| Cost efficiency | Lower per-IP cost at scale (100+ IPs) | Lower total cost for few IPs (< 15) |

DDoS Network Protection

DDoS Network Protection can be applied in two ways:

  1. VNet-level protection: Associate a DDoS Protection Plan with virtual networks, and all public IPs within those VNets receive enhanced protection
  2. Selective IP linking: Link specific public IPs directly to a DDoS Protection Plan without enabling protection for the entire VNet

This flexibility allows you to protect entire production VNets while also selectively adding individual IPs from other environments to the same plan.

For more details on selective IP linking, see Optimizing DDoS Protection Costs: Adding IPs to Existing DDoS Protection Plans.

Ideal for:

  • Production environments with multiple internet-facing workloads
  • Mixed environments where some VNets need full coverage and others need selective protection
  • Scenarios requiring centralized visibility, management, and access to DRR, cost protection, and WAF discounts

DDoS IP Protection

DDoS IP Protection allows enhanced protection to be applied directly to individual public IPs, with per-IP billing. This is a standalone option that does not require a DDoS Protection Plan.

Ideal for:

  • Environments with fewer than 15 IPs requiring protection
  • Cases where DRR, cost protection, and WAF discounts are not needed
  • Quick enablement without creating a protection plan

Decision Tree: Choosing the Right SKU

Now that you know the main scenarios, the decision tree below can help you determine which SKU best fits your environment based on feature requirements and scale:

[Figure: decision tree for choosing between DDoS Network Protection and DDoS IP Protection by feature requirements and scale]

Network Protection exclusive features:

  • DDoS Rapid Response (DRR): Access to Microsoft DDoS experts during active attacks
  • Cost protection: Resource credits for scale-out costs incurred during attacks
  • WAF discount: Reduced pricing on Azure Web Application Firewall

Consolidating Protection Plans at Tenant Level

A single DDoS Protection Plan can protect multiple virtual networks and subscriptions within a tenant. Each plan includes:

  • Fixed monthly base cost
  • 100 public IPs included
  • Overage charges for additional IPs beyond the included threshold

Cost Comparison Example

Consider a customer with 130 public IPs requiring enhanced protection:

| Configuration | Plans | Base Cost | Overage | Total Monthly Cost |
|---|---|---|---|---|
| Two separate plans | 2 | $2,944 × 2 = $5,888 | $0 | ~$5,888 |
| Single consolidated plan | 1 | $2,944 | 30 IPs × $30 = $900 | ~$3,844 |

Savings: ~$2,044/month ($24,528/year) by consolidating to a single plan.

In both cases, the same public IPs receive the same enhanced protection. The cost difference is driven entirely by plan architecture.
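The table above shows one layout. The PowerShell function below is an added example (not part of the original post) that models the Network Protection pricing the article quotes (per-plan base cost, 100 included IPs, $30 per additional IP) so any plan layout can be compared; the 65/65 split used for the "two separate plans" case is an assumed distribution, since the article does not say how the 130 IPs were divided.

```powershell
# Added example (not from the original post): a small model of the DDoS Network
# Protection pricing described in this guide (per-plan base cost, 100 included IPs,
# per-IP overage) so that different plan layouts can be compared. Defaults use the
# prices quoted in the article; the 65/65 split in the first call is an assumed layout.
function Get-DdosNetworkProtectionCost {
    param(
        [Parameter(Mandatory)][int[]] $IpCountsPerPlan,   # protected IPs held by each plan
        [decimal] $BaseCostPerPlan    = 2944,              # monthly base cost per plan (USD)
        [int]     $IncludedIpsPerPlan = 100,               # IPs covered by each plan's base cost
        [decimal] $OverageCostPerIp   = 30                 # monthly cost per IP above the included count (USD)
    )
    $plans = $IpCountsPerPlan.Count

    # Included IPs do not pool across plans: overage is computed plan by plan. Spreading
    # IPs over several plans therefore multiplies the base fee and strands unused
    # included capacity in every plan that sits below its 100-IP allowance.
    $overageIps = 0
    foreach ($count in $IpCountsPerPlan) {
        $overageIps += [Math]::Max(0, $count - $IncludedIpsPerPlan)
    }

    [pscustomobject]@{
        Plans       = $plans
        TotalIps    = ($IpCountsPerPlan | Measure-Object -Sum).Sum
        BaseCost    = $plans * $BaseCostPerPlan
        OverageIps  = $overageIps
        OverageCost = $overageIps * $OverageCostPerIp
        TotalCost   = $plans * $BaseCostPerPlan + $overageIps * $OverageCostPerIp
    }
}

# Two plans holding 130 IPs between them (assumed 65/65 split): two base fees, no overage
Get-DdosNetworkProtectionCost -IpCountsPerPlan 65, 65

# One consolidated plan holding all 130 IPs: one base fee plus 30 overage IPs
Get-DdosNetworkProtectionCost -IpCountsPerPlan 130
```

The two calls reproduce the rows of the table above; changing `-IpCountsPerPlan` lets you price a proposed consolidation before touching any resource, and the parameters can be updated if the published rates change.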

How to Consolidate Plans

Use the PowerShell script below to list existing DDoS Protection Plans and associate virtual networks with a consolidated plan. Run this script from Azure Cloud Shell or a local PowerShell session with the [Az module](https://learn.microsoft.com/powershell/azure/install-azure-powershell) installed. The account running the script must have Network Contributor role (or equivalent) on the virtual networks being modified and Reader access to the DDoS Protection Plan.

 

# List all DDoS Protection Plans in your tenant
Get-AzDdosProtectionPlan | Select-Object Name, ResourceGroupName, Id

# Associate a virtual network with an existing DDoS Protection Plan
$ddosPlan = Get-AzDdosProtectionPlan -Name "ConsolidatedDDoSPlan" -ResourceGroupName "rg-security"
$vnet = Get-AzVirtualNetwork -Name "vnet-production" -ResourceGroupName "rg-workloads"
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $ddosPlan.Id
$vnet.EnableDdosProtection = $true
Set-AzVirtualNetwork -VirtualNetwork $vnet
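The script above moves one virtual network. The function below is an added example (not part of the original post) that applies the same association across every subscription in the tenant, skipping VNets that have no plan or are already on the consolidated one, and supports `-WhatIf` for a dry run. The plan resource ID in the usage line is a placeholder; the function assumes the Az.Accounts and Az.Network modules and Network Contributor on the VNets being changed.

```powershell
# Added example (not from the original post): attach every virtual network in the
# tenant that currently uses some other DDoS Protection Plan to one consolidated plan.
# The plan resource ID is a placeholder. Supports -WhatIf (dry run) via ShouldProcess.
# Requires Network Contributor on the VNets and the Az.Accounts / Az.Network modules.
function Move-VirtualNetworksToDdosPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full resource ID of the consolidated plan (placeholder shown in the usage line below)
        [Parameter(Mandatory)][string] $TargetPlanId
    )

    foreach ($sub in Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        foreach ($vnet in Get-AzVirtualNetwork) {
            $currentPlanId = $vnet.DdosProtectionPlan.Id

            # Leave VNets with no plan alone (unprotected by design, or covered through
            # IP Protection) and skip VNets that are already on the target plan.
            if (-not $currentPlanId -or $currentPlanId -eq $TargetPlanId) { continue }

            $target = "$($sub.Name)/$($vnet.ResourceGroupName)/$($vnet.Name)"
            if ($PSCmdlet.ShouldProcess($target, "Move from plan $currentPlanId to $TargetPlanId")) {
                # Same association steps as the single-VNet script above
                $vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
                $vnet.DdosProtectionPlan.Id = $TargetPlanId
                $vnet.EnableDdosProtection  = $true
                Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

                [pscustomobject]@{
                    Subscription   = $sub.Name
                    VirtualNetwork = $vnet.Name
                    PreviousPlanId = $currentPlanId
                }
            }
        }
    }
}

# Dry run first (prints "What if:" lines), then run again without -WhatIf to apply.
# <SUB-ID> is a placeholder for the subscription that holds the consolidated plan.
Move-VirtualNetworksToDdosPlan -WhatIf `
    -TargetPlanId '/subscriptions/<SUB-ID>/resourceGroups/rg-security/providers/Microsoft.Network/ddosProtectionPlans/ConsolidatedDDoSPlan'
```

The old plans keep billing their base fee until they are deleted, so the consolidation is not complete until they are removed; before deleting one, confirm it has no remaining virtual networks and no directly linked public IPs, since `Set-AzVirtualNetwork` only moves VNet-level associations.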

Preventing Protection Drift

Protection drift occurs when the resources covered by DDoS protection no longer align with the resources that actually need it. This mismatch can result in wasted spend (protecting resources that are no longer critical) or security gaps (missing protection on newly deployed resources). Common causes include:

  • Applications are retired but protection remains
  • Test environments persist longer than expected
  • Ownership changes without updating protection configuration

Quarterly Review Checklist

  • List all public IPs with enhanced protection enabled
  • Verify each protected IP maps to an active, production workload
  • Confirm workload criticality justifies enhanced protection
  • Review ownership tags and update as needed
  • Remove protection from decommissioned or non-critical resources
  • Validate DDoS Protection Plan consolidation opportunities

Sample Query: List Protected Public IPs

Use the following PowerShell script to identify all public IPs currently receiving DDoS protection in your environment. This helps you audit which resources are protected and spot candidates for removal. Run this from Azure Cloud Shell or a local PowerShell session with the Az module installed. The account must have Reader access to the subscriptions being queried.

 

# Collect the IP configuration IDs of every subnet in a VNet with DDoS protection enabled (computed once, not per public IP)
$protectedIpConfigIds = @((Get-AzVirtualNetwork | Where-Object { $_.EnableDdosProtection -eq $true }).Subnets.IpConfigurations.Id)

# List all public IPs with DDoS protection enabled, either directly on the IP or inherited from a protected VNet
Get-AzPublicIpAddress | Where-Object {
    $_.DdosSettings.ProtectionMode -eq "Enabled" -or
    ($_.IpConfiguration -and $protectedIpConfigIds -contains $_.IpConfiguration.Id)
} | Select-Object Name, ResourceGroupName, IpAddress, @{N='ProtectionMode';E={$_.DdosSettings.ProtectionMode}}, @{N='Tags';E={$_.Tag | ConvertTo-Json -Compress}}

For a comprehensive assessment of all public IPs and their DDoS protection status across your environment, use the DDoS Protection Assessment Tool.
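The quarterly checklist above can be partly automated. The function below is an added example (not part of the original post) that flags protection drift in both directions: protected IPs that are attached to nothing, lack cost-attribution tags, or belong to non-production environments, and production-tagged IPs that have no enhanced protection. It detects "protected" the same way as the sample query above; the tag names and the `Production` value follow the tagging convention later in this guide and are assumptions here. Requires Reader on the subscription in the current Az context.

```powershell
# Added example (not from the original post): audit for DDoS protection drift in both
# directions (wasted spend and coverage gaps). Tag names and the "Production" value are
# the conventions from this guide's tagging section, assumed here.
function Get-DdosProtectionDrift {
    param(
        [string[]] $RequiredTags = @("Workload", "CostCenter"),  # tags every protected IP must carry for attribution
        [string]   $ProductionTagValue = "Production"            # Environment tag value that marks production
    )

    # IP configuration IDs of every subnet in a VNet with DDoS Network Protection (computed once)
    $protectedIpConfigIds = @((Get-AzVirtualNetwork | Where-Object { $_.EnableDdosProtection -eq $true }).Subnets.IpConfigurations.Id)

    foreach ($pip in Get-AzPublicIpAddress) {
        $isProtected = ($pip.DdosSettings.ProtectionMode -eq "Enabled") -or
                       ($pip.IpConfiguration -and ($protectedIpConfigIds -contains $pip.IpConfiguration.Id))
        $tags        = if ($pip.Tag) { $pip.Tag } else { @{} }
        $environment = $tags["Environment"]
        $findings    = @()

        if ($isProtected) {
            # Wasted spend: an IP that is protected but attached to nothing is still billed
            if (-not $pip.IpConfiguration) { $findings += "Protected but not attached to any resource" }

            # Protection that cannot be attributed to a workload or cost center
            foreach ($t in $RequiredTags) {
                if (-not $tags.ContainsKey($t)) { $findings += "Protected but missing tag '$t'" }
            }

            # Non-production protection should be a deliberate decision, not a leftover
            if ($environment -and $environment -ne $ProductionTagValue) {
                $findings += "Protected non-production IP (Environment=$environment); confirm exposure justifies it"
            }
        }
        elseif ($environment -eq $ProductionTagValue) {
            # Security gap: a production IP with no enhanced protection
            $findings += "Production IP without enhanced DDoS protection"
        }

        foreach ($f in $findings) {
            [pscustomobject]@{
                Name          = $pip.Name
                ResourceGroup = $pip.ResourceGroupName
                IpAddress     = $pip.IpAddress
                Protected     = $isProtected
                Finding       = $f
            }
        }
    }
}

# Review the findings, then act on them: remove protection, add tags, or close the gap
Get-DdosProtectionDrift | Sort-Object Finding | Format-Table -AutoSize
```

Run it per subscription (it uses the current Az context) and keep the output with the review record; an IP that appears under "Protected but not attached" is the clearest removal candidate, while a "Production IP without enhanced DDoS protection" finding is the drift case that costs nothing today but leaves an exposed workload.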

Making Enhanced Protection Costs Observable

Ongoing visibility into DDoS Protection costs enables proactive optimization rather than reactive bill shock. When costs are surfaced early, you can spot scope creep before it impacts your budget, attribute spending to specific workloads, and measure whether your optimization efforts are paying off. The following sections cover three key capabilities: budget alerts to notify you when spending exceeds thresholds, Azure Resource Graph queries to analyze protection coverage, and tagging strategies to attribute costs by workload.

Setting Up Cost Alerts

  1. Navigate to Azure Cost Management + Billing
  2. Select Cost alerts > Add
  3. Configure:

     ◦ Scope: Subscription or resource group
     ◦ Budget amount: Based on expected DDoS Protection spend
     ◦ Alert threshold: 80%, 100%, 120%
     ◦ Action group: Email security and finance teams

Tagging Strategy for Cost Attribution

Apply consistent tags to track DDoS protection costs by workload:

# Tag public IPs for cost attribution
$pip = Get-AzPublicIpAddress -Name "pip-webapp" -ResourceGroupName "rg-production"
$tags = @{
    "CostCenter" = "IT-Security"
    "Workload" = "CustomerPortal"
    "Environment" = "Production"
    "DDoSProtectionTier" = "NetworkProtection"
}
Set-AzPublicIpAddress -PublicIpAddress $pip -Tag $tags
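The section opening mentions Azure Resource Graph queries for analyzing coverage, and the tags above only pay off once something reports on them. The block below is an added example (not part of the original post) with two Resource Graph queries run through `Search-AzGraph`: one that shows how many virtual networks and subscriptions hang off each DDoS Protection Plan (plan sprawl), and one that groups directly protected public IPs by the `CostCenter`, `Workload` and `Environment` tags from the tagging convention above. It assumes the Az.ResourceGraph module and Reader access on the subscriptions in scope.

```powershell
# Added example (not from the original post): two Azure Resource Graph queries that give
# tenant-wide visibility without looping over subscriptions. Tag names follow the tagging
# convention in this guide. Assumes the Az.ResourceGraph module and Reader access.

# 1. Plan sprawl: how many VNets (and subscriptions) are attached to each DDoS Protection
#    Plan. Several plans with a handful of VNets each are consolidation candidates.
$plansQuery = @'
resources
| where type =~ 'microsoft.network/virtualnetworks'
| where tobool(properties.enableDdosProtection) == true
| extend planId = tolower(tostring(properties.ddosProtectionPlan.id))
| summarize vnetCount = count(), subscriptionCount = dcount(subscriptionId) by planId
| order by vnetCount asc
'@

# 2. Cost attribution: public IPs with protection enabled directly on the IP (IP Protection
#    or an IP linked to a plan), grouped by the attribution tags. IPs that inherit protection
#    from a protected VNet report 'VirtualNetworkInherited' rather than 'Enabled', so they do
#    not appear here; use the PowerShell audit script earlier in this guide for those.
$ipsQuery = @'
resources
| where type =~ 'microsoft.network/publicipaddresses'
| extend protectionMode = tostring(properties.ddosSettings.protectionMode)
| where protectionMode =~ 'Enabled'
| extend costCenter  = tostring(tags['CostCenter']),
         workload    = tostring(tags['Workload']),
         environment = tostring(tags['Environment'])
| summarize protectedIps = count() by subscriptionId, costCenter, workload, environment
| order by protectedIps desc
'@

# -UseTenantScope queries every subscription the caller can read; -First caps the result
# set at the 1000 rows a single Resource Graph request returns.
Search-AzGraph -Query $plansQuery -UseTenantScope -First 1000 | Format-Table -AutoSize
Search-AzGraph -Query $ipsQuery   -UseTenantScope -First 1000 | Format-Table -AutoSize

# Groups with an empty CostCenter or Workload are protected IPs that cannot be attributed;
# these are the ones to tag with the Set-AzPublicIpAddress step above.
Search-AzGraph -Query $ipsQuery -UseTenantScope -First 1000 |
    Where-Object { -not $_.costCenter -or -not $_.workload } |
    Format-Table -AutoSize
```

Because Resource Graph reads the resource model rather than calling each subscription's API, both queries return in seconds across a large tenant and can be scheduled (for example from an Automation runbook) to feed the quarterly review.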

Summary

This guide covered how to consolidate DDoS Protection Plans to avoid paying multiple base costs, select the appropriate SKU based on IP count and feature needs, apply protection selectively with IP linking, and prevent configuration drift through regular reviews. These practices help ensure you're paying only for the protection your workloads actually need.


Updated Feb 16, 2026
Version 1.0