Forum Discussion
Azure DDoS Protection Tier Comparison
When customers move their apps to the cloud, one of the biggest security and availability challenges they face is distributed denial of service (DDoS) attacks. A denial-of-service attack aims to exhaust the resources of an application, rendering it inaccessible to authorized users. Any endpoint that is accessible to the general public over the internet is a potential target for DDoS assaults.
Azure DDoS Protection offers improved DDoS mitigation features to fight off DDoS attacks when paired with best practices for application architecture.
DDoS Network Protection
When paired with application design best practices, Azure DDoS Network Protection offers improved DDoS mitigation capabilities to fend off DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network.
DDoS IP Protection
DDoS IP Protection is a pay-per-protected-IP model. While DDoS IP Protection and DDoS Network Protection share the same fundamental technical capabilities, DDoS IP Protection will offer additional value-added services such as cost protection, discounts on WAF, and DDoS quick response support.
The table below compares the features of the two tiers.
| Feature | DDoS IP Protection | DDoS Network Protection |
| --- | --- | --- |
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customer's application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Microsoft Sentinel data connector and workbook | Yes | Yes |
| Protection of resources across subscriptions in a tenant | Yes | Yes |
| Public IP Standard tier protection | Yes | Yes |
| Public IP Basic tier protection | No | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | Per protected IP | Per 100 protected IP addresses |
 
DDoS Network Protection and DDoS IP Protection have the following limitations:
- Multi-tenant PaaS services, such as Azure App Service Environment for Power Apps and Azure API Management with virtual network integration for deployment modes other than APIM, are not supported.
- A public IP resource that is connected to a NAT gateway cannot be protected.
- Virtual machines are not supported in Classic/RDFE setups.
- A virtual network gateway (VPN gateway) is protected by a DDoS policy, but adaptive tuning is currently not supported.
- A public load balancer with a public IP address prefix connected to its frontend can be protected by the Azure DDoS Protection service, but with limited support. The service efficiently detects and mitigates DDoS attacks, but telemetry and logging are not currently available for the protected public IP addresses inside the prefix range.
While DDoS IP Protection and Network Protection are comparable, DDoS IP Protection has the following extra restriction:
- Public IP Basic tier protection is not supported.