Azure DDoS Protection Tier Comparison
When customers move their apps to the cloud, one of the biggest security and availability challenges they face is distributed denial of service (DDoS) attacks. A denial-of-service attack aims to exhaust the resources of an application, rendering it inaccessible to authorized users. Any endpoint that is accessible to the general public over the internet is a potential target for DDoS assaults.
Azure DDoS Protection offers improved DDoS mitigation features to fight off DDoS attacks when paired with best practices for application architecture.
DDoS Network Protection
When paired with application design best practices, Azure DDoS Network Protection offers improved DDoS mitigation capabilities to fend off DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network.
DDoS IP Protection
DDoS IP Protection is a pay-per-protected-IP model. While DDoS IP Protection and DDoS Network Protection share the same fundamental technical capabilities, DDoS IP Protection will offer additional value-added services such as cost protection, discounts on WAF, and DDoS rapid response support.
The table below compares the features of the two tiers.
| Feature | DDoS IP Protection | DDoS Network Protection |
| --- | --- | --- |
| Active traffic monitoring & always on detection | Yes | Yes |
| L3/L4 Automatic attack mitigation | Yes | Yes |
| Automatic attack mitigation | Yes | Yes |
| Application based mitigation policies | Yes | Yes |
| Metrics & alerts | Yes | Yes |
| Mitigation reports | Yes | Yes |
| Mitigation flow logs | Yes | Yes |
| Mitigation policies tuned to customers application | Yes | Yes |
| Integration with Firewall Manager | Yes | Yes |
| Microsoft Sentinel data connector and workbook | Yes | Yes |
| Protection of resources across subscriptions in a tenant | Yes | Yes |
| Public IP Standard tier protection | Yes | Yes |
| Public IP Basic tier protection | No | Yes |
| DDoS rapid response support | Not available | Yes |
| Cost protection | Not available | Yes |
| WAF discount | Not available | Yes |
| Price | Per protected IP | Per 100 protected IP addresses |
DDoS Network Protection and DDoS IP Protection have the following limitations:
- PaaS (multi-tenant), such as Azure App Service Environment for Power Apps and Azure API Management with virtual network integration for deployment modes other than APIM
- It is not possible to protect a public IP resource that is connected to a NAT gateway.
- Virtual machines are not supported in Classic/RDFE setups.
- A DDoS policy safeguards a virtual network gateway, or VPN gateway. Currently, adaptive tuning is not supported.
- A public load balancer with a public IP address prefix connected to its frontend can be protected by the Azure DDoS Protection service, but with limited support. DDoS attacks are efficiently detected and mitigated by it. For the protected public IP addresses inside the prefix range, telemetry and logging are not currently available.
While DDoS IP Protection and Network Protection are comparable, DDoS IP Protection has the following extra restriction:
- Public IP Basic tier protection is not supported.
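
The feature table and limitations above can be applied to an inventory of public IPs to see which tier can cover each address. The following Python is an added example, not code from the original page or from Microsoft; the inventory is constructed sample data, and the field names `sku.name` and `natGateway` are assumed to match a JSON export of your public IP resources.

```python
import json

IP_TIER = "DDoS IP Protection"
NETWORK_TIER = "DDoS Network Protection"

# Constructed sample inventory. Field names are an assumption modelled on a
# JSON export of public IP resources; check them against your own export.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "pip-web",    "sku": {"name": "Standard"}, "natGateway": null},
  {"name": "pip-legacy", "sku": {"name": "Basic"},    "natGateway": null},
  {"name": "pip-egress", "sku": {"name": "Standard"},
   "natGateway": {"id": "<constructed-nat-gateway-resource-id>"}}
]
""")

def eligible_tiers(public_ip):
    """Return (tiers, reason) for one public IP, per the table and limitations."""
    # Limitation shared by both tiers: a public IP connected to a NAT gateway
    # cannot be protected.
    if public_ip.get("natGateway"):
        return [], "connected to a NAT gateway"
    sku = ((public_ip.get("sku") or {}).get("name") or "").lower()
    if sku == "standard":
        return [IP_TIER, NETWORK_TIER], "Standard SKU"
    if sku == "basic":
        # Table row "Public IP Basic tier protection": No for IP, Yes for Network.
        return [NETWORK_TIER], "Basic SKU"
    return [], "unknown SKU, review manually"

def audit(inventory):
    """Map each public IP name to the tiers that can protect it."""
    return {ip["name"]: eligible_tiers(ip) for ip in inventory}

def summarize(results):
    """Count IPs by outcome to show which tier the estate requires."""
    counts = {"either_tier": 0, "network_only": 0, "unprotectable": 0}
    for tiers, _reason in results.values():
        if not tiers:
            counts["unprotectable"] += 1
        elif IP_TIER in tiers:
            counts["either_tier"] += 1
        else:
            counts["network_only"] += 1
    return counts

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for name, (tiers, reason) in results.items():
        print(f"{name}: {', '.join(tiers) or 'not protectable'} ({reason})")
    print(summarize(results))
```

Any address counted under `network_only` rules out a deployment that uses DDoS IP Protection alone, and `unprotectable` addresses need a design change before either tier applies.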