Explore Distributed Denial-of-Service (DDoS) protection options

  • 4 minutes

Azure has three DDoS protection service offerings that provide protection from network attacks (Layer 3 and 4):

  • DDoS Infrastructure Protection: Infrastructure protection is integrated into the Azure by default at no additional cost. The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation. DDoS infrastructure protection requires no user configuration or application changes. DDoS infrastructure protection helps protect all Azure services, including PaaS services. DDoS infrastructure protection in Azure consists of both software and hardware components. A software control plane decides when, where, and what type of traffic should be steered through hardware appliances that analyze and remove attack traffic. The control plane makes this decision based on an infrastructure-wide DDoS Protection policy. This policy is statically set and universally applied to all Azure customers. The Azure DDoS infrastructure protection service is targeted at protection of the infrastructure and protection of the Azure platform. It mitigates traffic when it exceeds a rate that's so significant that it might affect multiple customers in a multitenant environment. It doesn’t provide alerting or per-customer customized policies.
  • DDoS Network Protection: Network Protection provides enhanced DDoS mitigation features. It's automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. It has several advantages over the basic service, including logging, alerting, and telemetry.
  • DDoS IP Protection: DDoS IP Protection is a pay-per-protected IP model. DDoS IP Protection contains the same core engineering features as DDoS Network Protection, but will differ in the following value-added services: DDoS rapid response support, cost protection, and discounts on WAF.