Azure DDoS IP Protection is Now Available in Public Preview
Published Nov 21 2022 03:52 AM 3,675 Views

Written in collaboration with @eve_kilel 



IP Protection is a new SKU for Azure DDoS Protection that is designed with SMBs in mind and delivers enterprise-grade, and cost-effective DDoS protection. You can defend against L3/L4 DDoS attacks with always-on monitoring and adaptive tuning that ensure your application is always protected. With IP Protection, you now have the flexibility to enable protection on a single public IP. Azure DDoS Protection integrates seamlessly with other Azure services for real-time alerts, metrics, and insights to strengthen your security posture.


If you have only a few public IPs in your environment, then you can start with IP protection SKU which can be enabled directly on the Public IP resource, and you only pay for that protected resource. The cost is a fixed 199$/month for each public IP resource protected with no additional variable costs. Prices may vary by region. Billing for IP Protection will be effective starting on February 1, 2023. Please see full detailed pricing list here Azure DDoS Protection Pricing | Microsoft Azure


SKU comparison

The new IP protection SKU contains some feature differences compared to Network protection SKU, below you can see the main differences in features:



DDoS IP Protection

DDoS Network Protection

Active traffic monitoring & always on detection



L3/L4 Automatic attack mitigation



Automatic attack mitigation



Application based mitigation policies



Metrics & alerts



Mitigation reports



Mitigation flow logs



Mitigation policies tuned to customers application



Integration with Firewall Manager



Azure Sentinel data connector and workbook



DDoS rapid response support

Not available


Cost protection

Not available


WAF discount

Not available



$199/month Per protected IP

$2,944/month per DDoS protection plan and overage charge of $30 for each extra public IP above 100 IPs


Region Availability




Middle East


Asia Pacific

West Central US

France Central

UAE Central

South Africa North

Australia Central

North Central US

Germany West Central

Qatar Central


Korea Central

West US

Switzerland North



Japan East

West US 3

France South



West India


Norway East



Jio India Central


Sweden Central



Australia Central 2


Germany North





More available regions are being updated here About Azure DDoS Protection SKU Comparison | Microsoft Learn


Enabling Azure DDoS IP Protection



  1. Log in using Azure preview portal if you want to use Azure portal for DDoS IP Protection configuration
  2. Deploy the Public IP in one of the supported regions mentioned above
  3. Deploy the Public IP in standard SKU


Using Azure Portal

To enable IP protection SKU using Azure portal, first make sure you’re using the preview portal After you sign in, you can either create a new public IP or use the existing one to deploy in one of the supported regions.


Navigate to your Public IP resource and on the Overview page, you will see “Protect IP address” on the bottom right corner





Once you click on “Protect”, you will be given 3 options:

  1. Network: Inherit DDoS protection from the virtual network. You should use this option if you’re using DDoS Network Protection plan to protect the Vnet where public IP is attached, and you want to add it to your plan.
  2. IP: Specific to this IP address. Selecting this option will enable the DDoS IP Protection specifically on this public IP. (We will be using this option to demonstrate the new SKU)
  3. Disable: The “disable” option gives you the ability to exclude public IPs from DDoS Network Protection plan. You can read more about this here


The protection status will warn you if your public IP is not protected by DDoS protection. After choosing the IP protection and saving the settings, you can see below that the protection status is green.





Using PowerShell

Another way to enable IP protection is via PowerShell. To create a new Public IP with DDoS IP protection enabled on it, use the following command:


New-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup -Sku Standard -Location "East US" -AllocationMethod Static -DdosProtectionMode Enabled  


Note: Make sure to choose Standard SKU when you're creating the public IP


If you already have a Public IP and want to enable DDoS protection on it, use these commands:


$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup

$publicIp.DdosSettings.ProtectionMode = 'Enabled'

Set-AzPublicIpAddress -PublicIpAddress $publicIp


To verify that your DDoS IP Protection is enabled on your public IP, run these commands:


$publicIp = Get-AzPublicIpAddress -Name myStandardPublicIP -ResourceGroupName MyResourceGroup

$protectionMode = $publicIp.DdosSettings.ProtectionMode



Please refer to this link for more information about configuring Azure DDoS IP Protection using Azure PowerShell Quickstart: Create and configure Azure DDoS IP Protection using PowerShell | Microsoft Learn


Protecting resources using DDoS IP protection and Azure Firewall Basic

With DDoS IP protection SKU public preview announcement at Microsoft Ignite 2022 also came Azure Firewall Basic SKU announcement. This is a new SKU of Azure Firewall that provides the essential protection SMB customers need at an affordable price point, with cloud-native, highly available, stateful firewall as a service offering that enables customers to centrally govern and log all their traffic flows with essential capabilities at scale.


These two new SKUs provide SMB customers enterprise-grade network firewall and DDoS protection at a lower price point. By deploying Azure Firewall Basic and enabling DDoS IP protection on firewall’s public IP, customers can benefit from both services. Azure Firewall Basic provides L3-L7 filtering of East-West and North-South traffic with built-in threat intelligence to block malicious traffic; DDoS IP protection provides cloud scale DDoS protection to defend against large and sophisticated DDoS attacks. For more information and configuration instructions about Azure Firewall Basic, see Azure Firewall Basic SKU is now Available in Public Preview - Microsoft Community Hub



DDoS attacks are one of the biggest security concerns for the applications in the cloud and are increasing in complexity and frequency based on the evolving challenges in the cyber security landscape. All customers inclusive of the small and medium-sized are affected by the recent increase in DDoS attacks. We now have a DDoS per IP SKU that can support the SMBs/SMEs to curb the Layer 3 and Layer 4 DDoS attacks for their public IPs that includes Firewalls, Application Gateways and Load Balancers. This also ensures that all customers using Public IPs on azure are protected.


Additional Resources:

What’s new in Azure Network Security at Microsoft Ignite 2022 - Microsoft Community Hub

Public preview: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure

Azure DDoS Protection Overview | Microsoft Learn

Deploy & configure Azure Firewall Basic (preview) and policy using the Azure portal | Microsoft Lear...

Version history
Last update:
‎Nov 21 2022 03:52 AM
Updated by: