Forum Discussion

dglumesh
Copper Contributor
Jul 27, 2024

Azure DDoS Protection Tier Comparison

When customers move their apps to the cloud, one of the biggest security and availability challenges they face is distributed denial of service (DDoS) attacks. A denial-of-service attack aims to exhaust the resources of an application, rendering it inaccessible to authorized users. Any endpoint that is accessible to the general public over the internet is a potential target for DDoS assaults.

 

Azure DDoS Protection offers improved DDoS mitigation features to fight off DDoS attacks when paired with best practices for application architecture.

DDoS Network Protection

 

When paired with application design best practices, Azure DDoS Network Protection offers improved DDoS mitigation capabilities to fend off DDoS attacks. In a virtual network, it is automatically adjusted to help safeguard your unique Azure resources.

 

 

DDoS IP Protection

 

Pay-per-protected IP is what DDoS IP Protection offers. While DDoS IP Protection and DDoS Network Protection share the same fundamental technical capabilities, DDoS IP Protection will offer additional value-added services such as cost protection, discounts on WAF, and DDoS quick response support.

 

The features that go with both tiers are displayed in the table below.

| Feature | DDoS IP Protection | DDoS Network Protection |
| --- | --- | --- |
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customers application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Microsoft Sentinel data connector and workbook | Yes | Yes |
| Protection of resources across subscriptions in a tenant | Yes | Yes |
| Public IP Standard tier protection | Yes | Yes |
| Public IP Basic tier protection | No | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | Per protected IP | Per 100 protected IP addresses |

DDoS Network Protection and DDoS IP Protection have the following limitations:

 

  • PaaS (multi-tenant), such as Azure App Service Environment for Power Apps and Azure API Management with virtual network integration for deployment modes other than APIM
  • It is not possible to protect a public IP resource that is connected to a NAT gateway.
  • Virtual machines are not supported in Classic/RDFE setups.
  • A DDoS policy safeguards a virtual network gateway, or VPN gateway. Currently, adaptive tuning is not supported.
  • A public load balancer with a public IP address prefix connected to its frontend can be protected by the Azure DDoS Protection service, but with limited support. DDoS attacks are efficiently detected and mitigated by it. For the protected public IP addresses inside the prefix range, telemetry and logging are not currently available.

While DDoS IP Protection and Network Protection are comparable, DDoS IP Protection has the following extra restriction:

 

  • It is not supported to use Public IP Basic tier protection.