Azure DDoS Protection and Firewall

A Distributed Denial of Service (DDoS) attack floods a target — a server, application, or network — with so much traffic that legitimate users cannot access it. Attackers use botnets of thousands of compromised devices to generate volumetric traffic exceeding the target's capacity. DDoS attacks range from simple volumetric floods (UDP amplification) to application-layer attacks (HTTP floods targeting a specific endpoint).

Azure provides two tiers of DDoS protection. DDoS Network Protection (Basic) — previously called DDoS Basic — is built into the Azure platform and automatically protects all Azure public IP addresses at no extra cost. It mitigates common network-layer attacks. DDoS IP Protection and DDoS Network Protection (Standard) add always-on traffic monitoring, adaptive tuning specific to your workload, rapid response teams, and cost protection (credits for Azure resources consumed during an attack).