Azure DDoS Protection has been a key part of securing internet-facing applications in the cloud. The DDoS Network Protection SKU already provides robust capabilities for protecting resources at scale. However, certain architectures benefit from additional flexibility, which lets organizations align protection more closely with their security and cost-management strategies.
We're introducing a new enhancement, “Add to existing DDoS Protection Plan”, that provides that flexibility.
This feature allows you to link individual Public IPs (configured with the IP Protection SKU) to a DDoS Network Protection plan. Once linked, the Public IP is no longer billed at the standalone IP Protection SKU rate of 199 USD/month. Instead, it is covered under the DDoS Network Protection plan billing. The DDoS Network Protection plan itself is priced at 2,944 USD/month and includes coverage for up to 100 Public IPs. If the number of linked IPs exceeds 100, each additional IP incurs an overage fee of 29.5 USD/month. This provides a more scalable and cost-effective way to manage DDoS protection across large environments.
How to Link Public IPs to a DDoS Protection Plan
Below is how you can configure this feature using the Azure Portal and PowerShell:
In the Azure Portal
- Go to Public IP addresses in the Azure portal.
- Select the Public IP you want to protect.
- Under Protect IP Address, click Protect.
- Set Protection Type to IP.
- Enable Add to existing DDoS Protection Plan.
- Choose your existing DDoS Network Protection plan from the dropdown.
- Click Save.
This links the Public IP to your network-level DDoS plan and eliminates the separate charge for the IP Protection SKU, avoiding duplicate billing.
Using PowerShell
# Get the DDoS protection plan
$ddosPlan = Get-AzDdosProtectionPlan -Name "YourPlanName" -ResourceGroupName "YourPlanRG"
# Get and update the Public IP
$publicIp = Get-AzPublicIpAddress -Name "YourPublicIPName" -ResourceGroupName "YourIPRG"
# The hashtable is converted to the Public IP's DdosSettings object: mode "Enabled" plus the plan's resource Id
$publicIp.DdosSettings = @{
    ProtectionMode = "Enabled"
    DdosProtectionPlan = @{ Id = $ddosPlan.Id }
}
Set-AzPublicIpAddress -PublicIpAddress $publicIp
Use Case 1: Selective Protection Within a VNET
In many environments, a single VNET may host multiple Public IPs across development, staging, and production workloads. Previously, enabling DDoS Network Protection at the VNET level would automatically include all Public IPs, potentially securing more resources than intended and increasing cost.
With this new feature, you can:
- Assign the DDoS IP Protection SKU only to the Public IPs you want to protect
- Link them individually to a DDoS Network Protection plan
- Gain granular control and optimize costs without restructuring your network
This is ideal for organizations that want to apply protection only where it's needed, such as critical production endpoints, while excluding development and test environments.
Use Case 2: Enabling DDoS Protection on Azure Firewall in Virtual WAN Hubs
While it has always been possible to enable DDoS IP Protection on Azure Firewalls deployed in Virtual WAN (VWAN) hubs using the IP Protection SKU, customers using the DDoS Network Protection SKU could not previously extend their existing plan to cover these firewall Public IPs. This meant they would incur additional costs for IP Protection even if they were already paying for Network Protection.
With the Add to existing DDoS Protection Plan feature, this limitation is removed. Customers can now:
- Assign the DDoS IP Protection SKU to the Azure Firewall’s Public IP in a VWAN hub
- Link that Public IP to their existing DDoS Network Protection plan
Once linked, the standalone IP Protection SKU charge is waived, allowing customers to consolidate billing under their Network Protection plan. This improves cost efficiency and enables unified protection across both VNET and non-VNET resources.
Script to Link Public IPs to DDoS Protection Plan
To streamline the process, here is a PowerShell script that enables the DDoS IP Protection SKU on selected Public IPs and links them to an existing DDoS Network Protection plan.
Update the variables below with your environment details:
# Variables
$resourceGroupName = "YourResourceGroupName"
$ddosProtectionPlanName = "YourDdosProtectionPlanName"
$publicIpNames = @("PublicIP1", "PublicIP2", "PublicIP3") # Add your public IP names here
# Get the DDoS protection plan
$ddosProtectionPlan = Get-AzDdosProtectionPlan -ResourceGroupName $resourceGroupName -Name $ddosProtectionPlanName
# Loop through each public IP and enable DDoS protection
foreach ($publicIpName in $publicIpNames) {
    # Get the public IP address
    $publicIp = Get-AzPublicIpAddress -Name $publicIpName -ResourceGroupName $resourceGroupName
    # Check if the public IP is Standard SKU
    if ($publicIp.Sku.Name -ne "Standard") {
        Write-Output "Skipping ${publicIpName}: DDoS protection is only supported on Standard SKU public IPs."
        continue
    }
    # Enable DDoS protection and associate with the DDoS protection plan
    $publicIp.DdosSettings = @{
        ProtectionMode = "Enabled"
        DdosProtectionPlan = @{
            Id = $ddosProtectionPlan.Id
        }
    }
    # Update the public IP address
    Set-AzPublicIpAddress -PublicIpAddress $publicIp
    Write-Output "DDoS protection enabled for ${publicIpName} and associated with DDoS protection plan ${ddosProtectionPlanName}."
}
This script is also available in our GitHub repository for easy access and more details on how to run it.
Note: DDoS protection is supported only on Standard SKU Public IPs. The script checks and skips unsupported ones automatically.
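Before running the linking script, it helps to know which Public IPs are actually in scope. The following audit script is an added example, not part of the post or the repository script: it lists every Public IP in the current subscription with its SKU and DDoS state, flags which ones are still billed at the standalone IP Protection rate, and estimates what consolidating them onto the plan would change using the figures quoted above. It assumes Az.Network is loaded, Connect-AzAccount has already run, and a single plan; the 'YourPlanRG'/'YourPlanName' placeholders, the state labels and the cost summary are this example's own.

```powershell
# Added audit example (not from the original post). Lists every Public IP in the
# current subscription with its SKU and DDoS state, then estimates the standalone
# IP Protection spend that linking to the plan would consolidate.
# Assumes: Az.Network loaded, Connect-AzAccount already run, one plan of interest.
$targetPlanId = (Get-AzDdosProtectionPlan -ResourceGroupName 'YourPlanRG' -Name 'YourPlanName').Id

$report = foreach ($pip in Get-AzPublicIpAddress) {
    $mode   = $pip.DdosSettings.ProtectionMode          # Enabled / Disabled / VirtualNetworkInherited
    $planId = $pip.DdosSettings.DdosProtectionPlan.Id   # populated only when linked to a plan
    $state  = if ($pip.Sku.Name -ne 'Standard')            { 'UnsupportedSku' }         # Basic SKU cannot be protected
              elseif ($mode -eq 'Enabled' -and $planId)    { 'LinkedToPlan' }           # covered by plan billing
              elseif ($mode -eq 'Enabled')                 { 'StandaloneIpProtection' } # billed per IP
              elseif ($mode -eq 'VirtualNetworkInherited') { 'InheritsFromVNet' }       # protected only if its VNet is
              else                                         { 'Unprotected' }
    [pscustomobject]@{
        Name          = $pip.Name
        ResourceGroup = $pip.ResourceGroupName
        IpAddress     = $pip.IpAddress
        Attached      = [bool]$pip.IpConfiguration      # unattached Standard IPs still bill and still need a decision
        State         = $state
        OnTargetPlan  = ($planId -eq $targetPlanId)     # linked, but to a different plan, shows as False
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize

# Cost view using the figures quoted in the post: 199 USD per standalone IP per month,
# 100 IPs included in the plan, 29.5 USD per additional linked IP per month.
$standalone = @($report | Where-Object State -eq 'StandaloneIpProtection').Count
$linked     = @($report | Where-Object State -eq 'LinkedToPlan').Count
$todaysStandaloneSpend = $standalone * 199
$overageIfAllLinked    = [math]::Max(0, ($linked + $standalone) - 100) * 29.5
"{0} IP(s) still billed standalone (~{1} USD/month); linking them all adds ~{2} USD/month of plan overage on top of the plan fee." -f $standalone, $todaysStandaloneSpend, $overageIfAllLinked
```

Feed the Name/ResourceGroup pairs in the StandaloneIpProtection and Unprotected rows into the linking script above; rows marked InheritsFromVNet are only protected if the VNet they sit in is enabled on a plan.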
Conclusion
The Add to existing DDoS Protection Plan feature gives Azure customers more control and flexibility in applying DDoS protection to their resources. Whether you are looking to protect specific workloads within a VNET or extend coverage to non-VNET resources like Azure Firewall in Virtual WAN, this capability helps you:
- Apply protection exactly where it is needed
- Avoid unnecessary billing
- Automate DDoS configuration at scale
To learn more about Azure DDoS Protection, visit the official Azure documentation: Azure DDoS Protection Overview | Microsoft Learn