Changes were made recently to the pricing structure of Azure DDoS Protection Standard which amount to both less cost and more simplicity in understanding and estimating charges. In this post, we will discuss what specifically changed and refresh your understanding of how pricing is calculated.
We removed the data egress charge for DDoS Protection Standard. This charge could be difficult to understand, and even more difficult to estimate across an environment protected by DDoS Protection Standard. Even though the data charges only accounted for a small percentage of most customers’ costs, they tended to create an unnecessary hassle for cost management.
The old pricing model is pictured below:
The new, simpler model follows:
The Components of DDoS Protection Standard
Azure DDoS Protection Standard consists of the following direct and related components, which you should take some time to understand:
DDoS Protection Plans – This is the primary component of the service. Most customers will only need one plan.
Tenants – One DDoS Protection Plan can provide protection for an entire tenant. If you have multiple tenants, then you will need multiple plans.
Subscriptions – Within the same tenant, any number of subscriptions can share the same plan.
Virtual Networks (VNets) – VNets are the object to which plans are attached. Once VNets are attached to the plan, resources within those VNets are protected.
Public IP Addresses – These are the resources that are being protected by the DDoS Protection plan.
It is always helpful to have a refresher for how to calculate costs before provisioning a DDoS Protection Plan and attaching it to VNets to start protecting resources.
The first step in cost calculation is to understand how many public IP addresses are associated with each protected VNet. Public IP addresses are not themselves part of a VNet's private address space; for eligible resources they are attached to resources (such as a network interface, gateway, or firewall) that sit in the VNet, and it is the VNet's association with the plan that brings them under protection.
Eligible public IP addresses include those attached to Application Gateways, Bastions, Load Balancers, Azure Firewalls, VPN Gateways, VMs, and virtual appliances. Unsupported resources include some PaaS services like API Management, Logic Apps, Event Hub, and App Service Environments.
Some examples include:
An Azure Firewall has 3 public IP addresses (default is 1, but more can be added). The Azure Firewall subnet is part of a VNet which is associated with a DDoS Protection plan. This represents 3 protected IP addresses.
A VM has a public IP address associated with its network interface. That network interface also has a private IP address in a VNet associated with a DDoS Protection plan. This represents 1 protected IP.
An Azure Bastion instance has a public IP address, and the Bastion subnet is within a protected VNet. This represents 1 protected IP address.
An Application Gateway v2 (with WAF of course) has 1 public IP address, and is configured to auto-scale to a maximum of 100 instances. The App Gateway subnet is in a VNet associated with the DDoS plan. This represents 1 protected IP; the instance count does not matter, only the public IP address does.
An added benefit of the last scenario mentioned is that when Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the lower non-WAF rate.
Another key point to make is that billing is calculated hourly, not monthly. In other words, you can turn the service on for testing and pay only for what you use, not the whole month. For production deployments, it is best to leave the service active at all times due to its adaptive tuning.
Now that you have a sense of what counts as a protected IP address, and you know what the charges are (~$3,000/month for up to 100 protected IPs plus $30/month for each IP over 100), let’s consider some simple examples:
Protected IP Addresses | Monthly Cost (USD)
One plan, 50 IPs above the 100 included | 2944 + (30 x 50)
100 (50 per tenant), so two plans | 2944 x 2
Two plans, one of them with 25 IPs above the 100 included | 2944 + (2944 + (25 x 30))
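The counting rules above (eligible resource types, VNet attached to a plan, one plan per tenant, 100 IPs included, $30 for each additional IP, hourly billing) are easy to get wrong when an environment has dozens of VNets. The following is an example estimator added for this post; it is not Microsoft's pricing tooling. It takes the $2,944 per-plan figure from the worked examples above and the $30 per additional IP from the text, both of which will drift from current list prices, and assumes a 730-hour billing month for the hourly proration. The inventory at the bottom is constructed sample data, and the resource type names are my own labels.

```python
"""Estimate Azure DDoS Protection Standard monthly cost from a public-IP inventory.

Example code added for this post, not Microsoft's own pricing tooling. The
dollar figures are taken from the post's worked examples and will drift from
current list prices; the 730-hour month is an assumption for hourly proration.
"""
from collections import defaultdict
from dataclasses import dataclass

PLAN_MONTHLY_USD = 2944        # per plan, per month (from the post's examples)
INCLUDED_IPS_PER_PLAN = 100    # protected IPs covered by the base charge
EXTRA_IP_MONTHLY_USD = 30      # each protected IP beyond the first 100
HOURS_PER_MONTH = 730          # assumption: 730-hour billing month

# Resource types whose public IPs are protected once their VNet is attached to
# a plan (labels are my own; the list follows the post).
ELIGIBLE_KINDS = {
    "application_gateway", "bastion", "load_balancer", "azure_firewall",
    "vpn_gateway", "vm", "virtual_appliance",
}
# PaaS services the post names as unsupported; listed for documentation only,
# since anything outside ELIGIBLE_KINDS is skipped anyway.
UNSUPPORTED_KINDS = {"api_management", "logic_apps", "event_hub", "app_service_environment"}


@dataclass(frozen=True)
class Resource:
    tenant: str                  # one plan covers one tenant
    vnet: str
    kind: str
    public_ips: int              # public IP addresses attached to this resource
    vnet_protected: bool = True  # is the VNet associated with a DDoS Protection plan?


def protected_ips_per_tenant(resources):
    """Count protected public IPs per tenant.

    A public IP counts only if its resource is an eligible type and sits in a
    VNet attached to the plan. Instance counts (e.g. App Gateway autoscale) are
    irrelevant; only public IP addresses are counted.
    """
    counts = defaultdict(int)
    for r in resources:
        if r.kind not in ELIGIBLE_KINDS or not r.vnet_protected:
            continue
        counts[r.tenant] += r.public_ips
    return dict(counts)


def plan_monthly_cost(protected_ips):
    """Monthly cost of one plan protecting `protected_ips` addresses."""
    extra = max(0, protected_ips - INCLUDED_IPS_PER_PLAN)
    return PLAN_MONTHLY_USD + extra * EXTRA_IP_MONTHLY_USD


def plan_cost_for_hours(protected_ips, hours):
    """Prorated cost for a plan kept on for `hours` (billing is hourly)."""
    return round(plan_monthly_cost(protected_ips) * hours / HOURS_PER_MONTH, 2)


def estimate_monthly_cost(resources):
    """One plan per tenant with at least one protected IP; returns (per-tenant, total)."""
    per_tenant = {
        tenant: plan_monthly_cost(n)
        for tenant, n in protected_ips_per_tenant(resources).items()
    }
    return per_tenant, sum(per_tenant.values())


# Constructed inventory (not real data): two tenants, mirroring the post's scenarios.
SAMPLE_INVENTORY = [
    Resource("contoso", "hub", "azure_firewall", 3),            # 3 protected IPs
    Resource("contoso", "hub", "bastion", 1),                   # 1
    Resource("contoso", "spoke1", "vm", 1),                     # 1
    Resource("contoso", "spoke1", "application_gateway", 1),    # 1, however many instances
    Resource("contoso", "spoke2", "api_management", 2),         # unsupported, not counted
    Resource("contoso", "lab", "vm", 1, vnet_protected=False),  # VNet not attached, not counted
    Resource("fabrikam", "hub", "load_balancer", 120),          # second tenant: second plan, 20 over
]

if __name__ == "__main__":
    print(protected_ips_per_tenant(SAMPLE_INVENTORY))   # {'contoso': 6, 'fabrikam': 120}
    per_tenant, total = estimate_monthly_cost(SAMPLE_INVENTORY)
    print(per_tenant, total)                            # contoso 2944, fabrikam 3544, total 6488
    print(plan_cost_for_hours(6, 24))                   # one day of testing, prorated
```

Running the estimator against the post's own scenarios reproduces them: 150 IPs in one tenant gives 2944 + (30 x 50), two tenants with 50 IPs each give 2944 x 2, and tenants with 100 and 125 IPs give 2944 + (2944 + (25 x 30)). The `vnet_protected` flag is the check most worth keeping: a public IP on an eligible resource whose VNet was never attached to the plan is neither billed nor protected.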
We hope this pricing change helps simplify the exercise of cost planning for a DDoS Protection Standard deployment.