Organizations need visibility into their DDoS Protection posture across all Azure subscriptions. This guide introduces a PowerShell script that assesses DDoS Protection status, diagnostic logging configuration, and risk levels for all Public IP addresses.
Introduction
Distributed Denial of Service (DDoS) attacks continue to be one of the most prevalent threats facing organizations with internet-facing workloads. Azure DDoS Protection provides cloud-scale protection against L3/4 volumetric attacks, helping ensure your applications remain available during an attack.
However, as Azure environments grow, maintaining visibility into which resources are protected and whether diagnostic logging is properly configured becomes increasingly challenging. Security teams often struggle to answer basic questions:
- Which Public IP addresses are protected by Azure DDoS Protection?
- Are we using IP Protection or Network Protection (DDoS Protection Plan)?
- Is diagnostic logging enabled for protected resources?
To address these questions at scale, we’ve developed a PowerShell script that assesses your Azure DDoS Protection posture across all subscriptions.
Understanding Azure DDoS Protection SKUs
Azure offers three DDoS Protection tiers:
| Protection Type | Description | Scope |
|---|---|---|
| Network Protection | Enterprise-grade protection via a DDoS Protection Plan attached to VNETs | All Public IPs in protected VNETs |
| IP Protection | Per-IP protection for individual Public IP addresses | Individual Public IP |
For more details, see Azure DDoS Protection overview.
The Assessment Script
The Check-DDoSProtection.ps1 script provides a full view of DDoS Protection status across your Azure environment. This section covers the script’s key capabilities and the resource types it supports.
Key Features
- Multi-subscription support: Scan a single subscription or all subscriptions you have access to
- DDoS Protection status: Identifies which Public IPs are protected and which SKU is being used
- VNET correlation: Automatically determines the VNET associated with each Public IP to assess Network Protection inheritance
- Diagnostic logging check: Verifies if DDoS diagnostic logs are configured for protected resources
- CSV export: Export results for further analysis or reporting
Prerequisites
Before running the script, ensure you have:
Azure PowerShell modules installed:
Run the following commands in PowerShell (version 5.1+) or PowerShell Core to install the required Azure modules. No special permissions are needed; the modules install into your user profile.
Install-Module -Name Az.Accounts -Scope CurrentUser -Force
Install-Module -Name Az.Network -Scope CurrentUser -Force
Install-Module -Name Az.Monitor -Scope CurrentUser -Force
Appropriate Azure permissions:
- Reader role on subscriptions you want to scan
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/virtualNetworks/read
- Microsoft.Insights/diagnosticSettings/read
Azure login:
Authenticate to Azure before running the script. This opens a browser window for interactive sign-in.
Connect-AzAccount
How to Use the Script
Run the script from a PowerShell session where you’ve already authenticated with Connect-AzAccount. The account must have Reader role on the subscriptions you want to scan.
Download the Script
You can download the script from:
- GitHub: Check-DDoSProtection.ps1
Basic Usage: Scan Current Subscription
Scans only the subscription currently selected in your Azure context.
.\Check-DDoSProtection.ps1
Scan a Specific Subscription
Scans a single subscription by its ID.
.\Check-DDoSProtection.ps1 -SubscriptionId "12345678-1234-1234-1234-123456789012"
Scan All Subscriptions
Scans every subscription your account has Reader access to.
.\Check-DDoSProtection.ps1 -AllSubscriptions
Export Results to CSV
Exports the assessment results to a CSV file for reporting or further analysis.
.\Check-DDoSProtection.ps1 -AllSubscriptions -ExportPath "C:\Reports\DDoS-Report.csv"
Large Environment Options
For organizations with many subscriptions or thousands of Public IPs, use the following parameters to handle errors gracefully and avoid API throttling.
.\Check-DDoSProtection.ps1 -AllSubscriptions `
-ContinueOnError `
-SavePerSubscription `
-ExportPath "C:\Reports\DDoS-Report.csv" `
-ThrottleDelayMs 200
Parameters for large environments:
| Parameter | Description |
|---|---|
| -ContinueOnError | Continue scanning even if a subscription fails (e.g., access denied) |
| -SavePerSubscription | Save a separate CSV file for each subscription |
| -ThrottleDelayMs | Delay between API calls to avoid throttling (default: 100 ms) |
Understanding the Output
The script provides both console output and optional CSV export. This section covers what each output type contains.
Console Output
The script displays a summary table for each subscription:
Summary Statistics
At the end of each subscription scan:
CSV Export Columns
| Column | Description |
|---|---|
| Subscription | Name of the Azure subscription |
| Public IP Name | Name of the Public IP resource |
| Resource Group | Resource group containing the Public IP |
| Location | Azure region |
| IP Address | Actual IP address (or “Dynamic” if not allocated) |
| IP SKU | Basic or Standard |
| DDoS Protected | Yes/No |
| Risk Level | High (unprotected) / Low (protected) |
| DDoS SKU | Network Protection, IP Protection, or None |
| DDoS Plan Name | Name of the DDoS Protection Plan (if applicable) |
| VNET Name | Associated Virtual Network name |
| Associated Resource | Resource the Public IP is attached to |
| Resource Type | Type of associated resource (VM, AppGw, LB, etc.) |
| Diagnostic Logging | Configured / Not Configured / N/A |
| Log Destination | Log Analytics, Storage, Event Hub, or None |
| Recommendation | Suggested action for unprotected resources |
Sample Scenarios
Scenario 1: Protected Application Gateway
Public IP Name: appgw-frontend-pip
DDoS Protected: Yes
DDoS SKU: Network Protection
DDoS Plan Name: contoso-ddos-plan
VNET Name: production-vnet
Diagnostic Logging: Configured (Log Analytics)
Risk Level: Low
Explanation: The Application Gateway’s Public IP inherits protection from the VNET, which has a DDoS Protection Plan attached. Diagnostic logging is properly configured.
Scenario 2: Unprotected External Load Balancer
Public IP Name: external-lb-pip
DDoS Protected: No
DDoS SKU: VNET not protected
VNET Name: (External LB)
Diagnostic Logging: N/A
Risk Level: High
Recommendation: Enable DDoS Protection on associated VNET or enable IP Protection
Explanation: This external Load Balancer’s Public IP is not in a protected VNET. The script flags this as high risk.
Scenario 3: IP Protection Without Logging
Public IP Name: standalone-api-pip
DDoS Protected: Yes
DDoS SKU: IP Protection
VNET Name: -
Diagnostic Logging: Not Configured
Risk Level: Low
Recommendation: Configure diagnostic logging for DDoS-protected resources
Explanation: The IP has IP Protection enabled, but diagnostic logging is not configured. While protected, you won’t have visibility into attack telemetry.
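As an added example that is not the Check-DDoSProtection.ps1 script itself, the following function reproduces the classification the three scenarios above describe for a single Public IP, using the Az.Network and Az.Monitor cmdlets listed in the prerequisites. It assumes those modules are loaded and Connect-AzAccount has already run; the function name and the subset of output columns are hypothetical, and only NIC-attached Public IPs are traced back to a VNET (Load Balancer and Application Gateway frontends are left out, which is an assumption of this example, not a limitation of the script).

```powershell
# Added illustration, not the guide's script. Assumes Az.Network/Az.Monitor loaded and Connect-AzAccount done.
function Get-PipDdosPosture {
    param([Parameter(Mandatory)] $PublicIp)   # one object from Get-AzPublicIpAddress
    $ddosSku = 'None'; $planName = ''; $vnetName = '-'
    # IP Protection is a property of the Public IP resource itself (Scenario 3).
    if ($PublicIp.DdosSettings.ProtectionMode -eq 'Enabled') { $ddosSku = 'IP Protection' }
    # Network Protection is inherited from the VNET that owns the subnet of the attached NIC (Scenario 1).
    # Load Balancer and Application Gateway frontends are not traced here (assumption of this example).
    if ($PublicIp.IpConfiguration.Id -match '^(.+/networkInterfaces/[^/]+)/ipConfigurations/') {
        $nic = Get-AzNetworkInterface -ResourceId $Matches[1] -ErrorAction SilentlyContinue
        $subnetId = $nic.IpConfigurations[0].Subnet.Id
        if ($subnetId -match '/resourceGroups/([^/]+)/.+/virtualNetworks/([^/]+)/subnets/') {
            $vnetName = $Matches[2]
            $vnet = Get-AzVirtualNetwork -Name $Matches[2] -ResourceGroupName $Matches[1] -ErrorAction SilentlyContinue
            if ($vnet.EnableDdosProtection -and $vnet.DdosProtectionPlan.Id) {
                $ddosSku  = 'Network Protection'
                $planName = ($vnet.DdosProtectionPlan.Id -split '/')[-1]
            }
        }
    }
    $protected = $ddosSku -ne 'None'
    # DDoS diagnostic logs are configured on the Public IP resource; only meaningful when protected.
    $logging = 'N/A'; $destination = 'None'
    if ($protected) {
        $logging = 'Not Configured'
        foreach ($s in @(Get-AzDiagnosticSetting -ResourceId $PublicIp.Id -ErrorAction SilentlyContinue)) {
            if (-not ($s.Log | Where-Object { $_.Enabled })) { continue }
            $logging = 'Configured'
            if     ($s.WorkspaceId)                 { $destination = 'Log Analytics' }
            elseif ($s.StorageAccountId)            { $destination = 'Storage' }
            elseif ($s.EventHubAuthorizationRuleId) { $destination = 'Event Hub' }
        }
    }
    [pscustomobject]@{
        'Public IP Name'     = $PublicIp.Name
        'IP SKU'             = $PublicIp.Sku.Name
        'DDoS Protected'     = $(if ($protected) { 'Yes' } else { 'No' })
        'Risk Level'         = $(if ($protected) { 'Low' } else { 'High' })   # unprotected = High (Scenario 2)
        'DDoS SKU'           = $ddosSku
        'DDoS Plan Name'     = $planName
        'VNET Name'          = $vnetName
        'Diagnostic Logging' = $logging
        'Log Destination'    = $destination
    }
}
# Classify every Public IP in the current subscription and write a CSV like the guide's export.
Get-AzPublicIpAddress | ForEach-Object { Get-PipDdosPosture $_ } | Export-Csv -NoTypeInformation -Path .\ddos-posture.csv
```

A Public IP that is protected but shows “Not Configured” here is the Scenario 3 case: mitigation happens, but no attack telemetry reaches your SIEM or workspace until a diagnostic setting is added on the Public IP resource.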
Troubleshooting
Script Doesn’t Find All Subscriptions
Use the following command to list your Azure role assignments and verify you have Reader access to the target subscriptions. Run this from Azure Cloud Shell or a local PowerShell session after authenticating with Connect-AzAccount.
# Check your role assignments
Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id | Select-Object Scope, RoleDefinitionName
API Throttling
The script includes built-in retry logic for API throttling. If you still experience rate limit errors, increase the delay between API calls. Run this from the directory containing the script.
.\Check-DDoSProtection.ps1 -AllSubscriptions -ThrottleDelayMs 500
Access Denied for Specific Resources
The script displays “(Access Denied)” for VNETs or resources you don’t have permission to read. This doesn’t affect the overall assessment but may result in incomplete VNET information.
Summary
This guide covered how to use the Check-DDoSProtection.ps1 script to identify unprotected Public IP addresses, determine which DDoS SKU (Network Protection vs. IP Protection) is in use, verify diagnostic logging configuration, and assess risk levels across all subscriptions. Running this script periodically helps security teams track protection coverage as their Azure environment evolves.