Boosting DDoS protection in Microsoft Azure with DDoS Standard

If you are exposing your applications hosted in Microsoft Azure to the Internet, you are protected by the built-in DDoS (distributed denial of service) for free. The feature is always enabled in Azure as part of the protection of the platform. However, we can go to an extra level of security and enable the paid DDoS Standard feature, which brings additional functionalities to your cloud infrastructure.

DDoS attacks are classified into three types, based on Azure documentation. They are:

  • Volumetric attacks: A bunch of connections tries to exhaust network resources. The attacker uses several infected systems to create connections at the same time using TCP, UDP, or ICMP,
  • Protocol attacks: They target the application protocols. The attacker sends malformed packages to make the application answer and wait for a response, thus creating a delay or a crash.
  • Resource attacks: The main goal is to exhaust resources by asking high-demand process to overwhelm their target. Usually, they are a target for the HTTP/HTTPS or DNS protocols.

What is the difference between free and DDoS Standard?

You may be wondering if I have the DDoS basic service for free as part of my subscription, what is the difference of the paid DDoS Standard option? Before answering the question, let’s understand what is being offered in DDoS basic.

DDoS protection in Azure comprises both software and hardware components, and all Azure customers share this protection. When there is a high traffic volume, and an attack seems imminent, the software portion of the DDoS moves the traffic to specific hardware appliances. These appliances will perform further analysis and remove any malicious requests. As a customer, you don’t have control of the scenario above. It is built-in to the Azure platform. Bear in mind that you are sharing the environment with several other tenants, and the basic protection goal is to protect Azure and not your specific application.

That summarizes the DDoS Basic (free). Now let’s see the additional features of DDoS Standard. For starters, the traffic of your application is being monitored 24/7. Thus, any possible DDoS attacks specific to your service will be protected. Perhaps the volume of the attack wouldn’t have been enough to trigger the protection of the DDoS basic but using DDoS Standard you will be protected. The second benefit is visibility — the cloud administrator can see the logs, use Azure Monitor, and contact a DDoS expert team during an attack.

When using Azure Application Gateway, DDoS protection will guard against common attacks such as HTTP protocol violations, SQL injection, XSS, and request-rate limit attacks.

Creating and enabling a DDoS protection plan

The configuration on the Microsoft Azure side is straightforward. We need to associate an existing DDoS Plan to a virtual network. To do that, open the desired virtual network blade in Azure Portal, then click on DDoS Protection.

By default, it is going to be configured as Basic. Click on Standard and select a DDoS Plan from the list. If that is your first one, click on Create a DDoS protection plan link.

The creation of a DDoS protection plan requires only the name that we want to assign to it, nothing else. The creation is depicted in the image below.

After creation, we can list all existing DDoS Protection Plans. Search for DDoS Protection, and on the Overview blade, a list of all protected virtual networks will be shown. Bear in mind that any public IP address associated with the VNet in use will be protected.

Testing the DDoS Standard offering

There is a Microsoft partner (Ixiacom) that allows simulation of a DDoS attack by generating traffic. It helps to see how the feature works and helps training your team to be prepared during an attack. We are going to use their free trial service to simulate a DDoS attack.

The first step is to get access to your trial using this link here. After providing your information and activating your email address, we can log on to the partner website, and we have the DDoS Test Configuration. We need to provide the Azure subscription (Item 1), and the process will require authentication into Azure to confirm the subscription.

After that, we need to enter the public IP address of the VM that we are going to test, port number, type of DDoS attack, the size of the test, and the duration. After filling out all that information, click on Start Test

Auditing the DDoS attack

We can check the Diagnostic Settings at the public IP and select all the DDoS logs (notifications, flow and mitigation) and store in a storage account, event hub or log analytics.

Using metrics and configuring alerts

When using DDoS Standard, the administrator can open Azure Monitor to check metrics related to DDoS. Select the public IP resource that is protected by DDoS Standard and select the DDoS metrics (they contain DDoS in their names).

An important one is the Under DDos Attack. When the value is 1 we know that that specific public IP is under attack.

We can use Azure Monitor to create rules to inform the Security/Operations teams when public IPs are under attack. We need to select the desired public IP address, select Metrics (Item 2), and All (Item 3), then choose Under DDoS attack or not.

DDoS Standard: Where to find cost information

The feature is excellent and brings a lot of value if you want to add an extra layer of security to your applications being hosted in Microsoft Azure.

A key point to consider is the price. DDoS Standard costs around $3,000 to be applied to up to 100 resources. If you have more than 100 resources (public IP-related), there is a fee of $30 per resource. On top of that, there is a cost for the data processed per month, the first tier is from 0 to 100 TB (terabytes), and the price is $0.05.

If you have multiple subscriptions, the resources are counted at the enrollment level, and the data processing fees are charged at the subscription level.

If you need more information about the cost of DDoS Standard, you can use this link here.

Featured image: Shutterstock

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).

Published by
Anderson Patricio

Recent Posts

New Mexico sues Google for violating privacy of minors

New Mexico is suing Google for alleged privacy violations against minors, specifically that it uses…

6 hours ago

Exchange 2019: Peaceful coexistence with Exchange 2016

Exchange coexistence has been around for a long time. This can be having Exchange 2010…

11 hours ago

How to check the VM sizes available on your Azure Region

If you want to check VM sizes available to any given region, Azure Portal is…

14 hours ago

Cybersecurity 101: Close the door on open network shares

If you have open network shares on your network, you are opening the door to…

1 day ago

Spear-phishing email results in U.S. gas pipeline ransomware attack

A spear-phishing email has resulted in a U.S. gas pipeline ransomware attack. Making the attack…

1 day ago

Planning your Azure reserved instances and flexibility groups

To really lower your Azure costs, you need actionable information. Get info on flexibility groups…

2 days ago