5.2 Azure DDoS Protection for Availability
Key Takeaways
- A DDoS attack is an availability attack: it floods a public endpoint so legitimate users cannot reach the application; Azure DDoS Protection adds enhanced L3/L4 mitigation around resources in DDoS-enabled virtual networks.
- Azure DDoS Protection has two paid tiers: Network Protection (whole-VNet, includes DDoS Rapid Response, cost protection, and a WAF discount) and IP Protection (per public-IP, no Rapid Response).
- DDoS Protection guards layers 3 and 4 only; layer 7 web exploits still require a Web Application Firewall, so the two are paired in a layered design.
- Adaptive tuning, attack metrics, alerts, and mitigation flow logs streamed to Microsoft Sentinel support detection and investigation during an attack.
Protect Public Availability from DDoS Attacks
Distributed denial-of-service (DDoS) attacks are availability attacks — they target the A in the CIA triad. The attacker overwhelms an application or its reachable endpoint with traffic so legitimate users cannot use it. In Azure scenarios the exam clue is usually a public endpoint, a virtual-network resource, or a business requirement to stay reachable during high-volume malicious traffic. Azure DDoS Protection is the Microsoft service that addresses this risk.
Microsoft describes Azure DDoS Protection as enhanced mitigation that is automatically (adaptively) tuned to help protect specific Azure resources in a virtual network, combined with application design best practices. That phrasing matters for SC-900: the service does not replace good architecture; it adds always-on, Azure-native mitigation around resources that public reachability would otherwise expose. Every Azure customer also gets DDoS Infrastructure Protection (formerly called Basic) for free at the platform level, but that tier defends the shared Azure network rather than your individual resources and gives you no logs or alerts; the paid offering adds dedicated per-resource monitoring, adaptive tuning, telemetry, alerting, and (on Network Protection) a cost-protection guarantee.
Two Paid Tiers: Network Protection vs IP Protection
The paid offering comes in two SKUs, and the exam may test the difference at a conceptual level.
| Tier | Scope | Key extras | Best when |
|---|---|---|---|
| DDoS Network Protection | Plan covers an entire DDoS-enabled virtual network (up to 100 public IPs included) | DDoS Rapid Response (DRR) team support, cost-protection guarantee, WAF discount | You have many protected public IPs (roughly 15+) |
| DDoS IP Protection | Enabled per individual public IP address (Standard SKU), no plan resource required | Same core mitigation, adaptive tuning, and telemetry, but no Rapid Response, cost protection, or WAF discount | You only need to protect a few public IPs |
The rule of thumb Microsoft publishes: if you protect fewer than about 15 public IP resources, the per-IP IP Protection tier is more cost-effective; beyond that, the whole-network Network Protection tier wins. You do not need exact prices for SC-900, but knowing Network Protection = whole VNet + Rapid Response versus IP Protection = per public IP is fair game.
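The two tiers and the telemetry they expose, as an added example that is not part of the original page or of Microsoft's documentation: an Az PowerShell script that attaches a Network Protection plan to an existing virtual network, enables IP Protection on a standalone public IP, streams that IP's DDoS logs into the Log Analytics workspace behind Microsoft Sentinel, and raises an alert on the under-attack metric. The resource group, region, VNet, workspace and action group names are placeholders assumed to exist already; the script expects the Az.Network, Az.Monitor and Az.OperationalInsights modules and a signed-in session (Connect-AzAccount).

```powershell
# Added example: not from the page or from Microsoft. All resource names below are
# placeholders; the resource group, VNet, workspace and action group are assumed to exist.
$rg       = 'rg-ddos-demo'        # assumed resource group
$location = 'westeurope'          # assumed region
$vnetName = 'vnet-prod'           # assumed existing VNet with many public IPs behind it
$wsName   = 'law-sentinel-demo'   # assumed Log Analytics workspace that Sentinel is onboarded to
$agName   = 'ag-soc-oncall'       # assumed Azure Monitor action group that pages the SOC

# ---- Tier 1: DDoS Network Protection (whole VNet) ---------------------------------
# The plan is a standalone resource; one plan can be referenced by many VNets, and its
# monthly fee covers up to 100 protected public IP resources.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name 'ddos-plan-prod' -Location $location

# Attach the plan to the existing VNet. Every Standard public IP in this VNet is now
# covered; its DdosSettings.ProtectionMode reads VirtualNetworkInherited (assumed property path).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# ---- Tier 2: DDoS IP Protection (one public IP, no plan needed) -------------------
# Use this for the handful of public IPs that are not in a protected VNet
# (fewer than roughly 15 in total). Only Standard-SKU public IPs support it.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-edge-single' -Location $location `
    -Sku Standard -AllocationMethod Static -DdosProtectionMode Enabled

# ---- Telemetry: DDoS logs live on the public IP resource, not on the plan ---------
# Stream notifications (mitigation start/stop), per-flow mitigation logs and the
# post-attack report into the workspace so Sentinel analytics rules can consume them.
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'DDoSProtectionNotifications'
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'DDoSMitigationFlowLogs'
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'DDoSMitigationReports'
)
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category 'AllMetrics'
New-AzDiagnosticSetting -Name 'ddos-to-sentinel' -ResourceId $pip.Id -WorkspaceId $ws.ResourceId `
    -Log $logs -Metric $metrics | Out-Null

# ---- Alert: fire when the IP is under mitigation ----------------------------------
# IfUnderDDoSAttack is 1 while mitigation is active, so Maximum > 0 over a 5-minute window
# means "mitigation engaged"; the SOC is paged even though nobody had to trigger mitigation.
$ag       = Get-AzActionGroup -ResourceGroupName $rg -Name $agName
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName 'IfUnderDDoSAttack' `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name 'alert-ddos-mitigation-active' -ResourceGroupName $rg `
    -TargetResourceId $pip.Id -Condition $criteria -ActionGroupId $ag.Id `
    -WindowSize 00:05:00 -Frequency 00:05:00 -Severity 1 `
    -Description 'Azure DDoS Protection has engaged mitigation on pip-edge-single'

# Sanity check: which tier actually covers each public IP in the resource group?
Get-AzPublicIpAddress -ResourceGroupName $rg |
    Select-Object Name, @{ n = 'DdosMode'; e = { $_.DdosSettings.ProtectionMode } }
```

Two design points worth noticing. The diagnostic setting and the alert are created on the public IP, not on the plan or the VNet, because DDoS telemetry is emitted per protected public IP regardless of which tier covers it. And the alert threshold is deliberately "any minute under mitigation" rather than a traffic volume: the volume threshold is the adaptive policy's job, while the alert only needs to tell the SOC that the policy has engaged.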
| DDoS concept | Exam-safe meaning |
|---|---|
| Attack goal | Exhaust resources so the app is unavailable to legitimate users |
| Primary Azure control | Azure DDoS Protection |
| Network layer focus | Layers 3 and 4 only |
| Web application gap | Layer 7 web protection needs a WAF |
| Investigation support | Metrics, alerts, attack analytics, and mitigation flow logs to Sentinel/SIEM |
Layer Boundaries and Layered Design
The layer distinction is the most testable point. Azure DDoS Protection protects at layers 3 and 4. If a stem describes SQL injection, cross-site scripting, malicious HTTP headers, or other application-layer web exploits, the better answer is WAF. If the stem describes volumetric traffic against an internet-facing endpoint, DDoS Protection is the natural answer.
DDoS Protection slots into a layered design rather than replacing other controls. A web workload can use DDoS Protection for network-layer floods and WAF for application-layer attacks; NSGs still limit which traffic reaches subnets or interfaces; Azure Firewall still provides central inspection and policy. These controls cover different attack paths and do not cancel one another.
Do not overstate the service for the exam. Azure DDoS Protection is not a guarantee that no outage can ever occur, and it is not the tool for storing secrets, reviewing identity risk, or classifying data. Keep your answer tied to enhanced mitigation, public availability, and network-layer attack traffic.
A useful mental model: imagine a public application behind several layers. DDoS Protection addresses the flood before it consumes the environment; WAF inspects the request content; Firewall and NSGs enforce allowed paths; Bastion removes unnecessary public management exposure; Key Vault protects secret material.
- Choose DDoS Protection when the question emphasizes denial of service or public availability.
- Pair DDoS Protection with WAF when the workload is a web application.
- Treat DDoS Protection as part of defense in depth, not a substitute for every other control.
- Treat metrics, alerts, attack analytics, and Sentinel flow logs as detection and investigation support.
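The investigation side of the bullets above, as an added example that is not part of the original page or of Microsoft's documentation: once the DDoS diagnostic categories are streaming into the Log Analytics workspace behind Sentinel, this Az PowerShell script first confirms from the metric whether mitigation is engaged and then summarises the mitigation flow logs with KQL. The public IP and workspace names are placeholders, and the AzureDiagnostics column names (the `_s` and `_d` suffixed fields) are assumed from how that table types its columns rather than copied from the page.

```powershell
# Added example: not from the page or from Microsoft. Names are placeholders; the
# public IP and workspace are the ones a DDoS diagnostic setting already points at.
$rg      = 'rg-ddos-demo'
$pipName = 'pip-edge-single'
$wsName  = 'law-sentinel-demo'
$pip   = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName
$end   = Get-Date
$start = $end.AddHours(-1)

# 1. Is mitigation engaged? The per-minute Maximum of IfUnderDDoSAttack is 1 for every
#    minute the adaptive policy has the IP in mitigation, 0 otherwise.
$underAttack = Get-AzMetric -ResourceId $pip.Id -MetricName 'IfUnderDDoSAttack' `
    -StartTime $start -EndTime $end -TimeGrain 00:01:00 -AggregationType Maximum
$minutesInMitigation = @($underAttack.Data | Where-Object { $_.Maximum -gt 0 }).Count
"Minutes in mitigation over the last hour: $minutesInMitigation"

# 2. What is the mitigation doing? Flow logs carry only L3/L4 facts (addresses, ports,
#    protocol, dropped/forwarded), never payloads, so the useful questions are volume
#    and origin. Column names are assumed from the AzureDiagnostics table
#    (string columns carry an _s suffix, numeric ones _d).
$perTarget = @'
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs"
| summarize Dropped   = countif(Action_s == "Dropped"),
            Forwarded = countif(Action_s == "Forwarded")
      by DestPublicIpAddress_s, Protocol_s, DestPort_d
| order by Dropped desc
'@
$topSources = @'
AzureDiagnostics
| where Category == "DDoSMitigationFlowLogs" and Action_s == "Dropped"
| summarize DroppedFlows = count() by SourcePublicIpAddress_s
| top 20 by DroppedFlows
'@
$window = New-TimeSpan -Hours 1
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $perTarget  -Timespan $window).Results |
    Format-Table -AutoSize
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $topSources -Timespan $window).Results |
    Format-Table -AutoSize
```

The metric check comes first because it answers the triage question in one call; the flow-log queries are for the write-up afterwards (which port and protocol were targeted, how much was dropped versus forwarded, which sources dominated). Note that a high forwarded count alongside the drops is normal: mitigation is meant to keep legitimate flows reaching the application while the flood is shed.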
Attack Types and Why Mitigation Is Adaptive
DDoS attacks come in categories, and understanding them clarifies why a managed service exists. Volumetric attacks flood the target with massive traffic to saturate bandwidth (for example, UDP or amplification floods). Protocol attacks consume connection-state resources on network devices (for example, SYN floods). Resource (application-layer) attacks target the application itself — these are layer 7, and that is precisely where DDoS Protection hands off to WAF. Azure DDoS Protection focuses on the first two categories at layers 3 and 4.
| Attack category | Layer | Example | Best Azure control |
|---|---|---|---|
| Volumetric | L3/L4 | UDP/amplification flood | Azure DDoS Protection |
| Protocol | L3/L4 | SYN flood | Azure DDoS Protection |
| Resource / application | L7 | HTTP flood, slowloris | Web Application Firewall |
The word adaptive is worth knowing. DDoS Protection learns the normal traffic patterns (a policy baseline) for each protected public IP. When traffic crosses the learned threshold, mitigation engages automatically and continues until traffic normalizes — without the customer manually invoking anything.
This is the difference between the free platform-level Infrastructure Protection every Azure customer gets and the paid offering: the paid tiers add dedicated, per-resource adaptive tuning, telemetry, alerting, and (on Network Protection) the DDoS Rapid Response (DRR) team plus a cost-protection guarantee that credits scale-out costs incurred during a documented attack.
A frequent exam trap is treating DDoS Protection as a data-protection control. It is not. It does not inspect payloads for malware, it does not encrypt anything, and it does not authenticate users. Its single job is availability: keeping a reachable resource reachable. Pair it with WAF for request content, with NSGs and Azure Firewall for allowed paths, and with identity controls for who may connect.
- A public web application needs protection against layer 3 and layer 4 denial-of-service traffic. Which control is the best match?
- Which statement correctly distinguishes the two paid Azure DDoS Protection tiers?
- An exam scenario mentions streaming mitigation flow logs to Microsoft Sentinel during an active DDoS attack. Which Azure service is being described?
- Which statement about the relationship between Azure DDoS Protection and Web Application Firewall is correct?