Azure Firewall Public IP and DDoS protection



We have a zero trust network setup where we use Azure Firewall Standard Edition with a hub/spoke model. There is a mandatory requirement to assign a few Public IP addresses to the firewall, and we have included these assigned public IP addresses in a DDoS plan as well. There is no ingress in this environment (it is a backend message processing system which does not need any internet / frontend web APIs).

As we are running this in production, we see many DDoS mitigation alerts on firewall Public IPs.

We are thinking of reducing cost and removing the DDoS protection plan because the only resources that are in the plan are the firewall's public IP addresses. Hence the questions are:

1. How will Azure Firewall behave if the assigned public IPs are not included in a DDoS protection plan?

2. Does Azure Firewall internally have a built-in mechanism to defend against DDoS attacks on its public IPs?

3. Is there a standard recommendation that when Azure Firewall is deployed, customers must also use a DDoS plan?


2 Replies

Azure Firewall has NO inbuilt DDoS Protection feature. You must enroll in a DDoS Plan and join. By default Microsoft provides basic DDoS prevention for free. It is usually advisable to have DDoS protection if you have computers that have internet traffic or a public IP address.

However, you can associate a DDoS Protection Plan with an Azure Firewall in a virtual network that already contains a DDoS Protection Plan. You can create and manage your Azure DDoS Protection Plans using Firewall


Refer to this URL
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

Hi @sachip-msft
1. If the Azure Firewall public IPs are not included in a DDoS protection plan, they will be protected by Azure's basic DDoS protection. This basic protection is designed to handle common network layer attacks and comes at no additional cost. However, it does not have the same level of customization, mitigation policies, and attack telemetry as the Standard DDoS protection plan. If your network doesn't require the additional features provided by the Standard DDoS protection plan, you may choose to rely on basic protection.

2. Azure Firewall has some built-in protections against DDoS attacks. It is a stateful firewall that automatically scales to handle changing network traffic. It can handle millions of flows simultaneously, and Azure's basic DDoS protection will help mitigate common network layer attacks. However, for more advanced protection and features, the Standard DDoS protection plan is recommended.

3. There isn't a strict recommendation that customers must use a DDoS protection plan when deploying an Azure Firewall. The decision depends on your specific requirements and risk tolerance. If your network is not exposed to the internet, and you don't expect any high-profile or targeted attacks, you may decide that the basic protection is sufficient. However, for enhanced security, customization, and peace of mind, a Standard DDoS protection plan is recommended.

In summary, if your environment has no ingress and the only resources in the DDoS plan are the Firewall's public IPs, you may choose to rely on Azure's basic DDoS protection, keeping in mind that it won't provide the same level of protection, customization, and telemetry as the Standard plan.