Azure DDoS Protection: IP Protection vs. Network Protection for Small Business Workloads

Azure’s network infrastructure absorbs volumetric DDoS attacks automatically at the platform level — that is Azure DDoS Infrastructure Protection, and it is on by default for every Azure subscription at no cost. But it handles only the most obvious, large-scale floods. The moment an attacker moves to protocol-level or application-tuned attacks, or targets specific public IP addresses in your tenant, Infrastructure Protection does not fire mitigation policies. That is the boundary where Azure DDoS Protection Network (formerly Standard) begins — and understanding exactly where that boundary sits is what this article is about.

Three Protection Tiers Compared

Feature                    | Infrastructure Protection (free) | DDoS Network Protection               | DDoS IP Protection
---------------------------|----------------------------------|---------------------------------------|-----------------------------
Scope                      | All Azure public IPs             | All public IPs in protected VNets     | Per-IP subscription
Traffic profiling          | No                               | Yes — adaptive, per-IP baselines      | Yes
Mitigation policies        | Platform defaults only           | Tenant-specific, auto-tuned           | Tenant-specific, auto-tuned
Attack telemetry + metrics | No                               | Yes — Azure Monitor metrics           | Yes
DDoS Rapid Response (DRR)  | No                               | Yes (included)                        | No
SLA guarantee              | No                               | Yes                                   | Yes
Cost credit eligibility    | No                               | Yes                                   | Yes
Pricing                    | Free                             | ~$2,944/month per plan + data overage | ~$199/month per protected IP

The pricing difference is significant. For a small business running a handful of public-facing workloads, DDoS IP Protection is almost always the correct choice: you pay per IP address rather than a flat plan fee, so two or three protected IPs cost roughly $400–600/month rather than $3,000+. Network Protection makes financial sense only when you have many public IP addresses within the same virtual network.

How Adaptive Tuning Works

Azure’s DDoS mitigation pipeline monitors traffic to each protected public IP continuously. Over the first 30 days after enabling protection, it profiles normal traffic patterns — packet rates, connection rates, bandwidth volume, protocol distribution (TCP SYN, UDP, ICMP ratios). From that baseline it derives three per-IP mitigation policies:

  • TCP SYN policy — packets per second threshold above which SYN cookies are inserted
  • TCP policy — total TCP packet rate threshold
  • UDP policy — UDP packet rate threshold

These thresholds are visible in Azure Monitor as the metrics Under DDoS attack or not, Inbound packets dropped DDoS, Inbound bytes dropped DDoS, and the three DDoS trigger * policy metrics. You should create an Azure Monitor alert on Under DDoS attack (threshold: > 0) and wire it to an action group that pages your on-call contact. This is your only real-time attack notification: Azure does not send unprompted alerts.

Enabling DDoS IP Protection

Step 1 — Navigate to the Public IP Resource

Go to Azure portal → Public IP addresses. Select the IP you want to protect (e.g., the public IP attached to your Application Gateway, your VPN Gateway, or your load balancer front-end). In the left pane select DDoS protection.

Step 2 — Enable IP Protection

Select IP protection: Enable. No plan is required for IP Protection — protection is applied directly to the IP resource. Click Save. The change takes effect within seconds; traffic profiling begins immediately but the first adaptive mitigation policies take up to 30 days to fully tune.

Step 3 — Configure Diagnostic Logging

Go to Monitor → Diagnostic settings → Add diagnostic setting for the protected IP. Enable the following logs: DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports. Send to a Log Analytics workspace. This gives you attack start/end events, dropped packet details, and mitigation reports in a queryable format — essential for post-incident analysis and insurance documentation.

Step 4 — Set Up Attack Alerts

In Azure Monitor → Alerts → Create alert rule, set scope to your protected public IP, condition to metric Under DDoS attack, operator Greater Than, threshold 0, aggregation 1 minute. Assign an action group with email and SMS. This alert fires the moment Azure detects and begins mitigating an attack — typically within 30–60 seconds of attack onset.
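The same four steps, plus the Under DDoS attack alert recommended in the adaptive-tuning section, can be codified so they are deployed repeatably and reviewed like any other change. The Bicep template below is an added example and is not code from the original article or from Microsoft. The resource names, the Log Analytics workspace and action-group resource IDs, the alert severity and the API versions are assumptions to adjust for your own subscription; `IfUnderDDoSAttack` is the metric's internal name behind the portal's Under DDoS attack metric.

```bicep
// Added example (not from the original article): Steps 1-4 for one public IP.
// Names, the workspace/action-group IDs and the API versions are assumptions.
targetScope = 'resourceGroup'

@description('Name of the public IP to protect (assumed name).')
param publicIpName string = 'pip-appgw-prod'

param location string = resourceGroup().location

@description('Resource ID of an existing Log Analytics workspace (assumed).')
param logAnalyticsWorkspaceId string

@description('Resource ID of an existing action group with email and SMS receivers (assumed).')
param actionGroupId string

// Steps 1-2: Standard-SKU static public IP with IP Protection turned on.
// protectionMode values:
//   'Enabled'                 -> DDoS IP Protection on this resource alone (no plan needed)
//   'VirtualNetworkInherited' -> follow a Network Protection plan attached to the VNet
//   'Disabled'                -> only the free, platform-level Infrastructure Protection
resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: publicIpName
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
    ddosSettings: {
      protectionMode: 'Enabled'
    }
  }
}

// Step 3: diagnostic settings - the three DDoS log categories into Log Analytics,
// plus the platform metrics so dropped-packet counts are queryable after an incident.
resource ddosDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ddos-to-log-analytics'
  scope: pip
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}

// Step 4: metric alert "Under DDoS attack" > 0, evaluated every minute over a
// one-minute window, routed to the action group (email + SMS).
resource ddosAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-ddos-${publicIpName}'
  location: 'global'
  properties: {
    description: 'Azure is mitigating a DDoS attack against ${publicIpName}'
    severity: 1
    enabled: true
    scopes: [ pip.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT1M'
    targetResourceType: 'Microsoft.Network/publicIPAddresses'
    targetResourceRegion: location
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'UnderDDoSAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
        }
      ]
    }
    autoMitigate: true   // auto-resolve once the metric returns to 0
    actions: [
      { actionGroupId: actionGroupId }
    ]
  }
}

output protectionMode string = pip.properties.ddosSettings.protectionMode
```

Deploy it with `az deployment group create --resource-group <rg> --template-file ddos-ip-protection.bicep --parameters logAnalyticsWorkspaceId=<id> actionGroupId=<id>`. Keeping the alert in the same template as the IP is deliberate: an IP that is protected but never alerts on mitigation is the configuration gap this article warns about, and a single deployment makes it impossible to forget Step 4. Because the `timeAggregation` is `Maximum`, a single non-zero sample within the one-minute window is enough to fire, which matches the portal setting of threshold 0 over a 1-minute aggregation.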

What DDoS Protection Does Not Cover

Azure DDoS Protection operates at L3 and L4 — it handles volumetric and protocol attacks. It does not protect against L7 application-layer attacks (HTTP floods, slow-read attacks, API abuse). For L7 protection you need Azure Web Application Firewall (WAF) in front of Application Gateway or Azure Front Door. DDoS + WAF is the correct architecture for any internet-facing web application: DDoS handles bandwidth exhaustion and protocol floods; WAF handles HTTP-level attacks. They are complementary, not alternatives.

DDoS Protection also does not protect non-Azure endpoints. If your on-premises servers are reachable via public IPs outside Azure, those IPs are not covered. For a hybrid architecture, ensure all public-facing ingress points route through Azure (Application Gateway, Azure Firewall, Front Door) so DDoS protection applies.

Cost Protection and SLA

Both IP Protection and Network Protection include a cost credit guarantee: if a DDoS attack causes your Azure bill to spike (scale-out events triggered by attack traffic), Microsoft credits the overage against your invoice after you file a request. This is particularly valuable for auto-scaling workloads — without DDoS protection, a sustained volumetric attack can trigger scale-out events and inflate your compute bill before mitigation kicks in.

DDoS Network Protection also includes access to the DDoS Rapid Response (DRR) team — Microsoft engineers who can engage during an active attack to assist with triage and mitigation tuning. For IP Protection, DRR is not included, but you retain full telemetry access and the automatic mitigation pipeline still fires.

Practical Guidance for Small Businesses in Berlin

If you run public-facing Azure workloads — a customer portal, a VPN gateway, an externally accessible API — enable DDoS IP Protection on every public IP. At ~€180–200/month per IP, the cost is marginal compared to the risk of an unmitigated attack taking your customer-facing services offline for hours while Azure scales out your infrastructure in response to attack traffic. Then check your Secure Score baseline: DDoS Protection Standard/IP Protection contributes to your Azure Security Benchmark score, directly improving your Secure Score posture in Microsoft Defender for Cloud.
