About Azure DDoS Protection tier Comparison
The sections in this article discuss the resources and settings of Azure DDoS Protection.
Tiers
Azure DDoS Protection supports two tier types, DDoS IP Protection and DDoS Network Protection. The tier is configured in the Azure portal during the workflow when you configure Azure DDoS Protection.
The following table shows features and corresponding tiers.
Feature | DDoS IP Protection | DDoS Network Protection |
---|---|---|
Active traffic monitoring & always on detection | Yes | Yes |
L3/L4 Automatic attack mitigation | Yes | Yes |
Automatic attack mitigation | Yes | Yes |
Application based mitigation policies | Yes | Yes |
Metrics & alerts | Yes | Yes |
Mitigation reports | Yes | Yes |
Mitigation flow logs | Yes | Yes |
Mitigation policies tuned to customers application | Yes | Yes |
Integration with Firewall Manager | Yes | Yes |
Microsoft Sentinel data connector and workbook | Yes | Yes |
Protection of resources across subscriptions in a tenant | Yes | Yes |
Public IP Standard tier protection | Yes | Yes |
Public IP Basic tier protection | No | Yes |
DDoS rapid response support | Not available | Yes |
Cost protection | Not available | Yes |
WAF discount | Not available | Yes |
Price | Per protected IP | Per 100 protected IP addresses |
Note
At no additional cost, Azure DDoS infrastructure protection protects every Azure service that uses public IPv4 and IPv6 addresses. This DDoS protection service helps to protect all Azure services, including platform as a service (PaaS) services such as Azure DNS. For more information on supported PaaS services, see DDoS Protection reference architectures. Azure DDoS infrastructure protection requires no user configuration or application changes. Azure provides continuous protection against DDoS attacks. DDoS protection does not store customer data.
Limitations
DDoS Network Protection and DDoS IP Protection have the following limitations:
- PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than APIM with virtual network integration (For more information see https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-ddos-standard-protection-now-supports-apim-in-vnet/ba-p/3641671), and Azure Virtual WAN aren't currently supported.
- Protecting a public IP resource attached to a NAT Gateway isn't supported.
- Virtual machines in Classic/RDFE deployments aren't supported.
- VPN gateway or Virtual network gateway is protected by a DDoS policy. Adaptive tuning isn't supported at this stage.
- Partially supported: the Azure DDoS Protection service can protect a public load balancer with a public IP address prefix linked to its frontend. It effectively detects and mitigates DDoS attacks. However, telemetry and logging for the protected public IP addresses within the prefix range are currently unavailable.
DDoS IP Protection is similar to Network Protection, but has the following additional limitation:
- Public IP Basic tier protection isn't supported.
Note
Scenarios in which a single VM is running behind a public IP is supported, but not recommended. For more information, see Fundamental best practices.
For more information, see Azure DDoS Protection reference architectures.
Next steps
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for