Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Azure DDoS Protection for BYOIPs now available
Published Apr 18 2022 05:33 PM 4,722 Views

Author: Alethea Toh


Following the announcement of the general availability of the Bring Your Own IP addresses (BYOIP) function to Azure in all public regions, we’re excited to share that public IP ranges brought to Azure via Custom IP Prefixes can be protected with Azure DDoS Protection Standard. 


What is Azure DDoS Protection Standard? 

Azure DDoS Protection Standard provides DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect public IP addresses in virtual networks. Protection is simple to enable on any new or existing virtual network and requires no application or resources changes. 


What are BYOIPs? 

When planning a potential migration of on-premises infrastructure to Azure, you may want to retain your existing public IP addresses due to your customers' dependencies (for example, firewalls or other IP hardcoding) or to preserve an established IP reputation.  

Using the Custom IP Prefix resource, you can now bring your own public IPv4 ranges to Azure and use them like any other Azure-owned public IP ranges. Once onboarded, these BYOIPs can be associated with Azure resources, interact with private IPs and VNETs within Azure’s network, and reach external destinations by egressing from Microsoft’s Wide Area Network.  

With BYOIP functionality, onboarded IPs can be associated with any resource that supports Standard SKU public IPs, such as virtual machines, Standard Public Load Balancers, Azure Firewalls, and more. 


Why is DDoS protection important for BYOIPs? 

Whether in the cloud or on-premises, Distributed Denial-of-Service (DDoS) attacks can be targeted at any endpoint that is publicly reachable through the Internet. 

BYOIPs are public IP ranges that are exposed to the internet and are susceptible to DDoS attacks. Enabling DDoS Protection Standard on virtual networks will protect any publicly exposed IP ranges that reside within the virtual network. 




How can I onboard IP ranges to Azure? 

Refer to this guide for the onboarding process of bringing your IP addresses to Azure. Key takeaways: 

  • The ability to bring your own IP addresses (BYOIP) to Azure is currently available in all regions. 
  • The minimum size of an onboarded range is /24 (256 IP addresses). 
  • Onboarded IPs are put in a Custom IP Prefix resource for management, from which Public IP Prefixes can be derived and utilized across subscriptions. 
  • You are not charged for the hosting or management of onboarded ranges brought to Azure. 


Read more 

1 Comment
Version history
Last update:
‎Apr 18 2022 05:53 PM
Updated by: