5.2 Azure DDoS Protection for Availability

Key Takeaways

  • A DDoS attack attempts to exhaust application resources so legitimate users cannot reach the application.
  • Azure DDoS Protection provides enhanced mitigation for Azure resources deployed in virtual networks.
  • DDoS Protection operates at network layers 3 and 4, while WAF is needed for application-layer web protection.
  • DDoS monitoring, analytics, alerting, and Sentinel integration support investigation during and after attacks.
Last updated: May 2026

Protect Public Availability from DDoS Attacks

Distributed denial-of-service attacks are availability attacks. The attacker tries to overwhelm an application or its reachable endpoint so legitimate users cannot use it. In Azure infrastructure scenarios, the exam clue is often a public endpoint, a virtual network resource, or a business requirement to stay reachable during high-volume malicious traffic. Azure DDoS Protection is the Microsoft security service in this chapter that addresses that type of risk.

Microsoft describes Azure DDoS Protection as enhanced DDoS mitigation used with application design best practices. It is automatically tuned to help protect specific Azure resources in a virtual network. That phrase matters for SC-900: the service does not replace good architecture, but it adds Azure-native mitigation around resources that could otherwise be targeted through public reachability.

DDoS concept            Exam-safe meaning
Attack goal             Exhaust resources and make an application unavailable to legitimate users
Primary Azure control   Azure DDoS Protection
Network layer focus     Layers 3 and 4 network protection
Web application gap     Layer 7 web protection requires a WAF offering
Investigation support   Metrics, alerting, analytics, logs, and Sentinel or SIEM integration can help during attacks

The layer distinction is one of the most testable points. Azure DDoS Protection protects at network layers 3 and 4. If a question says the concern is SQL injection, cross-site scripting, malicious HTTP headers, or other application-layer web exploits, the better answer is WAF. If the question says the concern is volumetric traffic against an internet-facing endpoint, DDoS Protection becomes the natural answer.

DDoS Protection can also fit into a layered design. A web workload can use DDoS Protection for network-layer attacks and WAF for application-layer attacks. NSGs can still limit which traffic is allowed to subnets or network interfaces. Azure Firewall can still provide central inspection and policy enforcement. These controls do not cancel each other; they cover different attack paths.

For SC-900, do not overstate the service. Azure DDoS Protection is not a promise that no outage can occur, and it is not the tool for storing secrets, reviewing identity risk, or classifying data. Keep the answer tied to enhanced mitigation, public availability, and network-layer attack traffic.

A useful mental model is to imagine a public application behind several layers. DDoS Protection addresses the flood before it consumes the environment. WAF inspects the application request content. Firewall and NSGs enforce allowed paths. Bastion removes unnecessary public management exposure. Key Vault protects secret material used by the app.

  • Choose DDoS Protection when the question emphasizes denial of service or public availability.
  • Pair DDoS Protection with WAF when the workload is a web application.
  • Remember that DDoS Protection is part of defense in depth, not a substitute for every other control.
  • Treat logs, metrics, and analytics as support for detection and investigation.
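As an added illustration (not part of the original study notes or of any Microsoft sample), the layered design above expressed as a Bicep template: a DDoS Protection plan attached to the virtual network that hosts the web subnet, and a diagnostic setting that streams the public IP's DDoS mitigation logs to the Log Analytics workspace that Microsoft Sentinel is connected to. The resource names, address prefixes, and the workspaceId parameter are assumptions chosen for the example.

```bicep
// Assumed parameters: the deployer supplies the Sentinel-enabled
// Log Analytics workspace resource ID; names below are placeholders.
param location string = resourceGroup().location
param workspaceId string

// Network-layer (L3/L4) control: the DDoS Protection plan.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-plan-web'
  location: location
}

// Virtual network with DDoS Protection enabled. Without
// enableDdosProtection and the plan reference, the VNet relies on the
// platform default protection only, which is the "gap" this closes.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-web'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'snet-web', properties: { addressPrefix: '10.0.1.0/24' } }
    ]
  }
}

// The public endpoint that volumetric traffic would target.
resource webPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-web'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Investigation support: stream notifications, mitigation flow logs and
// mitigation reports for the public IP to the workspace Sentinel reads.
resource ddosDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ddos-to-sentinel'
  scope: webPip
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
  }
}
```

Application-layer (L7) inspection is not covered here; that is the WAF piece of the layered design and would be a separate Application Gateway or Front Door resource with a WAF policy.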
Test Your Knowledge

A public web application needs protection against layer 3 and layer 4 denial-of-service traffic. Which control is the best match?

Test Your Knowledge

Which statement correctly describes how Azure DDoS Protection and WAF relate?

Test Your Knowledge

An exam scenario mentions streaming mitigation flow logs to Microsoft Sentinel during an active DDoS attack. Which Azure service is being described?
