July 17, 2026

Azure DDoS Protection - Simply Explained

Azure DDoS Protection - Simply Explained
Azure DDoS Protection - Simply Explained
M365 FM Podcast
Azure DDoS Protection - Simply Explained

Azure DDoS Protection is Microsoft's managed service for defending internet-facing applications against Distributed Denial-of-Service (DDoS) attacks. These attacks attempt to overwhelm websites, APIs, virtual machines, and cloud services with massive amounts of malicious traffic, preventing legitimate users from accessing them. Azure DDoS Protection continuously monitors incoming network traffic, detects abnormal spikes using adaptive machine learning, and automatically mitigates attacks before they can impact your applications. Built on Microsoft's globally distributed network, the service protects workloads running behind Azure Public IP addresses while allowing legitimate traffic to continue flowing normally.

UNDERSTANDING HOW DDOS ATTACKS WORK
A DDoS attack works like thousands—or even millions—of fake visitors attempting to enter a small store at the same time. Instead of legitimate customers accessing your application, attackers flood your internet connection or servers until genuine users can no longer connect. Modern attacks typically combine multiple techniques, including volumetric attacks that consume bandwidth, protocol attacks that exhaust server resources, and application-layer attacks that target expensive API endpoints. Rather than relying on a single attack method, cybercriminals increasingly launch multi-vector attacks that combine all three simultaneously, making automated detection and mitigation essential for maintaining service availability.

AZURE'S BUILT-IN PROTECTION VS PAID DDOS PROTECTION
Every Azure customer automatically benefits from Microsoft's always-on infrastructure-level DDoS protection at no additional cost. This baseline service protects the Azure platform itself against large-scale attacks and helps keep Microsoft's global infrastructure operational. However, it is designed to protect Azure rather than individual customer workloads. Azure DDoS Protection adds workload-specific intelligence by learning the normal traffic patterns of your applications and automatically adjusting mitigation thresholds. It also provides real-time monitoring, attack alerts, detailed reports, adaptive tuning, and advanced mitigation capabilities that are unavailable in the free tier, making it significantly more effective for protecting business-critical applications.

NETWORK PROTECTION, IP PROTECTION, AND WAF
Azure DDoS Protection is available in two deployment models. IP Protection secures individual Public IP addresses, making it ideal for smaller environments with only a few internet-facing services. Network Protection protects every Public IP within an Azure Virtual Network while adding enterprise features such as Rapid Response support from Microsoft engineers, cost protection for attack-related autoscaling, and Web Application Firewall (WAF) discounts. It's important to remember that Azure DDoS Protection focuses on Layers 3 and 4 of the network stack. For Layer 7 application attacks that target websites and APIs using legitimate-looking HTTP requests, organizations should combine DDoS Protection with Azure Web Application Firewall (WAF) running on Application Gateway or Azure Front Door. Together they provide comprehensive defense against both network floods and application-level attacks.

WHY DDOS PROTECTION MATTERS FOR EVERY BUSINESS
Many organizations assume cybercriminals only target large enterprises, but modern DDoS attacks are highly automated. Botnets constantly scan the internet for vulnerable public endpoints regardless of company size. Even a moderate attack can overwhelm a small application long before it threatens Azure's underlying infrastructure. For businesses running websites, SaaS platforms, APIs, online stores, or customer portals, downtime can quickly translate into lost revenue, damaged reputation, and reduced customer trust. Azure DDoS Protection provides automated mitigation without requiring security teams to manually respond during an attack, allowing organizations to stay online while Microsoft's platform absorbs and filters malicious traffic.

BUILDING A LAYERED DEFENSE STRATEGY
Azure DDoS Protection is most effective as part of a layered security architecture. Organizations should combine Azure's built-in infrastructure protection with Azure DDoS Protection for workload-specific mitigation, Azure Web Application Firewall for HTTP and API security, Network Security Groups for traffic filtering, and Azure Monitor for alerts and diagnostics. Enabling logging, configuring attack notifications, and regularly reviewing mitigation reports provide valuable visibility into security events while helping organizations improve their defenses over time. By combining intelligent network-layer mitigation with application-layer protection and continuous monitoring, Azure DDoS Protection helps ensure internet-facing workloads remain secure, resilient, and available even during large-scale cyberattacks.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.

🚀 Want to be part of m365.fm?

Then stop just listening… and start showing up.

👉 Connect with me on LinkedIn and let’s make something happen:

  • 🎙️ Be a podcast guest and share your story
  • 🎧 Host your own episode (yes, seriously)
  • 💡 Pitch topics the community actually wants to hear
  • 🌍 Build your personal brand in the Microsoft 365 space

This isn’t just a podcast — it’s a platform for people who take action.

🔥 Most people wait. The best ones don’t.

👉 Connect with me on LinkedIn and send me a message:
"I want in"

Let’s build something awesome 👊

1
00:00:00,000 --> 00:00:02,000
Welcome to another episode of Microsoft Knowledge

2
00:00:02,000 --> 00:00:03,320
nuggets here on M365.

3
00:00:03,320 --> 00:00:05,080
FM, I'm your host, Mirko Peters.

4
00:00:05,080 --> 00:00:07,840
Today's topic is one that almost everyone has heard of,

5
00:00:07,840 --> 00:00:09,960
but few understand, de-doss attacks.

6
00:00:09,960 --> 00:00:11,720
Picture this, you run a small online store,

7
00:00:11,720 --> 00:00:13,560
nothing huge just a steady business.

8
00:00:13,560 --> 00:00:15,880
Orders come in, you ship them out, life is good.

9
00:00:15,880 --> 00:00:17,360
Then one day everything goes dark.

10
00:00:17,360 --> 00:00:18,680
Your website stops loading,

11
00:00:18,680 --> 00:00:21,480
customers start emailing you saying the page won't open,

12
00:00:21,480 --> 00:00:22,920
and you check your server dashboard

13
00:00:22,920 --> 00:00:25,560
to see a traffic spike like nothing you've ever seen before.

14
00:00:25,560 --> 00:00:27,640
Your server is completely overwhelmed.

15
00:00:27,640 --> 00:00:29,640
No order is going through, no way to fix it.

16
00:00:29,640 --> 00:00:30,760
Here's what actually happened,

17
00:00:30,760 --> 00:00:32,560
you got hit by a de-doss attack.

18
00:00:32,560 --> 00:00:34,000
Most people have heard the term,

19
00:00:34,000 --> 00:00:35,840
but very few understand what it actually is

20
00:00:35,840 --> 00:00:37,360
or how Azure protects against it.

21
00:00:37,360 --> 00:00:39,520
And that's a problem because if you run anything

22
00:00:39,520 --> 00:00:42,640
on the internet, a website, an API, a backend service,

23
00:00:42,640 --> 00:00:44,200
this is something you need to know about.

24
00:00:44,200 --> 00:00:45,120
By the end of this episode,

25
00:00:45,120 --> 00:00:47,760
you'll know exactly what de-doss attacks are,

26
00:00:47,760 --> 00:00:49,760
which Azure defenses kick in by default

27
00:00:49,760 --> 00:00:52,160
and which ones you might actually need to pay for.

28
00:00:52,160 --> 00:00:55,120
What a de-doss attack actually is.

29
00:00:55,120 --> 00:00:56,280
So let's start with the basics.

30
00:00:56,280 --> 00:00:57,360
What is a de-doss attack?

31
00:00:57,360 --> 00:00:59,560
Imagine a tiny coffee shop with one barista.

32
00:00:59,560 --> 00:01:01,600
It's a small place, cozy, maybe four tables.

33
00:01:01,600 --> 00:01:04,120
The barista can handle maybe 10 customers an hour.

34
00:01:04,120 --> 00:01:05,960
Now imagine 10,000 people walk in at once.

35
00:01:05,960 --> 00:01:07,000
They don't order anything.

36
00:01:07,000 --> 00:01:09,480
They just stand there asking questions, blocking the counter,

37
00:01:09,480 --> 00:01:10,560
taking up space.

38
00:01:10,560 --> 00:01:12,400
The barista can't serve real customers.

39
00:01:12,400 --> 00:01:14,440
The real customers can't even get through the door.

40
00:01:14,440 --> 00:01:17,400
The shop is technically open, but it's completely useless.

41
00:01:17,400 --> 00:01:18,560
That's a de-doss attack.

42
00:01:18,560 --> 00:01:20,600
The name tells you exactly what it is.

43
00:01:20,600 --> 00:01:23,320
Distributed means the attack comes from many computers at once,

44
00:01:23,320 --> 00:01:24,560
not just one person.

45
00:01:24,560 --> 00:01:26,640
It's not one guy with a grudge sitting in his basement.

46
00:01:26,640 --> 00:01:29,520
It's thousands, sometimes hundreds of thousands of devices,

47
00:01:29,520 --> 00:01:32,240
all sending traffic to your server at the same time.

48
00:01:32,240 --> 00:01:35,480
Denial of service means your real users can't get through.

49
00:01:35,480 --> 00:01:38,480
The service is denied to the people who actually needed.

50
00:01:38,480 --> 00:01:40,640
Now these attacks come in different flavors.

51
00:01:40,640 --> 00:01:42,560
The most common one is volumetric.

52
00:01:42,560 --> 00:01:44,120
That's the brute force approach.

53
00:01:44,120 --> 00:01:45,760
Attackers try to clog your internet pipe

54
00:01:45,760 --> 00:01:46,920
with raw traffic.

55
00:01:46,920 --> 00:01:49,480
So much data that your connection simply can't handle it.

56
00:01:49,480 --> 00:01:51,560
Think of it like trying to pour the entire ocean

57
00:01:51,560 --> 00:01:52,880
through a garden hose.

58
00:01:52,880 --> 00:01:54,040
Then you have protocol attacks.

59
00:01:54,040 --> 00:01:56,480
These target how your server handles connections.

60
00:01:56,480 --> 00:01:58,000
Instead of flooding your bandwidth,

61
00:01:58,000 --> 00:02:00,880
they exploit the way your server opens and closes connections.

62
00:02:00,880 --> 00:02:03,320
They send half-open connection requests over and over

63
00:02:03,320 --> 00:02:05,960
until your server runs out of memory and crashes.

64
00:02:05,960 --> 00:02:07,960
And then there are application layer attacks.

65
00:02:07,960 --> 00:02:09,120
These are the sneaky ones.

66
00:02:09,120 --> 00:02:10,600
Instead of sending garbage traffic,

67
00:02:10,600 --> 00:02:13,320
they send requests that look perfectly legitimate.

68
00:02:13,320 --> 00:02:16,880
A single request to your most expensive API endpoint looks fine,

69
00:02:16,880 --> 00:02:20,040
but 10,000 of them from different IPs can bring your app down.

70
00:02:20,040 --> 00:02:21,280
The server can't tell the difference

71
00:02:21,280 --> 00:02:22,640
between a real user and an attacker

72
00:02:22,640 --> 00:02:24,400
because the request itself is valid.

73
00:02:24,400 --> 00:02:25,880
Here's the thing about modern attacks.

74
00:02:25,880 --> 00:02:26,960
They're not just one of these.

75
00:02:26,960 --> 00:02:28,200
They're multi-vector.

76
00:02:28,200 --> 00:02:30,400
Attackers hit you on multiple fronts at once.

77
00:02:30,400 --> 00:02:32,960
A volumetric flood to saturate your bandwidth.

78
00:02:32,960 --> 00:02:35,720
A protocol attack to exhaust your server resources.

79
00:02:35,720 --> 00:02:38,320
And application layer attacks to drain your back end.

80
00:02:38,320 --> 00:02:39,080
All at the same time.

81
00:02:39,080 --> 00:02:40,680
So now you know what DDoS is.

82
00:02:40,680 --> 00:02:44,280
The important question is, what does Azure do about it?

83
00:02:44,280 --> 00:02:46,160
The free protection you already get.

84
00:02:46,160 --> 00:02:47,120
Here's some good news.

85
00:02:47,120 --> 00:02:49,320
Every Azure customer gets baseline protection

86
00:02:49,320 --> 00:02:50,760
that's always on and always free

87
00:02:50,760 --> 00:02:52,720
with nothing to configure or pay for.

88
00:02:52,720 --> 00:02:54,440
It's just there automatically.

89
00:02:54,440 --> 00:02:57,120
Microsoft calls this infrastructure level DDoS protection

90
00:02:57,120 --> 00:02:58,400
and it's not a joke.

91
00:02:58,400 --> 00:03:00,760
The same global defense systems that protect Microsoft's

92
00:03:00,760 --> 00:03:02,280
own services are running here.

93
00:03:02,280 --> 00:03:05,560
And Azure handles over 2,000 DDoS attacks every single day

94
00:03:05,560 --> 00:03:07,040
across its infrastructure.

95
00:03:07,040 --> 00:03:09,520
That's a lot of real world experience built into the system.

96
00:03:09,520 --> 00:03:10,800
But here's the important catch.

97
00:03:10,800 --> 00:03:13,360
This free protection protects Azure's network,

98
00:03:13,360 --> 00:03:16,160
not necessarily your specific application.

99
00:03:16,160 --> 00:03:17,640
Think of it like a security guard

100
00:03:17,640 --> 00:03:20,000
at the front gate of a large apartment building.

101
00:03:20,000 --> 00:03:21,520
They stop obvious troublemakers.

102
00:03:21,520 --> 00:03:23,520
Someone walking in with a crowbar gets caught,

103
00:03:23,520 --> 00:03:25,200
but they don't know your neighbor Sally

104
00:03:25,200 --> 00:03:26,520
from a complete stranger.

105
00:03:26,520 --> 00:03:28,000
They don't know what normal traffic looks like

106
00:03:28,000 --> 00:03:29,400
for your specific apartment.

107
00:03:29,400 --> 00:03:31,600
So if someone walks in who looks reasonably normal,

108
00:03:31,600 --> 00:03:32,640
they'll let them through.

109
00:03:32,640 --> 00:03:33,560
That's the free tier.

110
00:03:33,560 --> 00:03:35,200
It's a safety net for the platform,

111
00:03:35,200 --> 00:03:37,080
not a tailored defense for your workload.

112
00:03:37,080 --> 00:03:38,920
Here's what you don't get with the free tier.

113
00:03:38,920 --> 00:03:41,360
No visibility, no alerts, no reports,

114
00:03:41,360 --> 00:03:43,120
no way to tell an attack even happened.

115
00:03:43,120 --> 00:03:45,480
You might be under attack right now and never know it

116
00:03:45,480 --> 00:03:47,600
because the free tier doesn't tell you anything.

117
00:03:47,600 --> 00:03:49,640
It also doesn't tune itself to your workload.

118
00:03:49,640 --> 00:03:52,120
Your small web app and a massive video streaming service

119
00:03:52,120 --> 00:03:53,280
get treated the same way.

120
00:03:53,280 --> 00:03:55,080
The thresholds are set high because they're designed

121
00:03:55,080 --> 00:03:58,240
to protect Azure's infrastructure, not your specific application.

122
00:03:58,240 --> 00:03:59,920
And here's the most important part.

123
00:03:59,920 --> 00:04:02,080
If a moderate attack hits your specific application,

124
00:04:02,080 --> 00:04:03,640
the free tier might not step in.

125
00:04:03,640 --> 00:04:04,800
From Azure's perspective,

126
00:04:04,800 --> 00:04:06,720
the traffic isn't enough to threaten the platform,

127
00:04:06,720 --> 00:04:08,520
so it doesn't trigger any mitigation.

128
00:04:08,520 --> 00:04:09,720
But from your perspective,

129
00:04:09,720 --> 00:04:12,080
that moderate attack is enough to take your server down

130
00:04:12,080 --> 00:04:12,880
completely.

131
00:04:12,880 --> 00:04:16,120
Your server can still go down even though Azure's network is fine.

132
00:04:16,120 --> 00:04:17,440
The free tier protects Azure.

133
00:04:17,440 --> 00:04:18,600
It doesn't always protect you.

134
00:04:18,600 --> 00:04:20,080
That's where the paid tier comes in.

135
00:04:20,080 --> 00:04:22,160
Azure Deedos protection adds intelligence

136
00:04:22,160 --> 00:04:24,600
and visibility on top of that free baseline.

137
00:04:24,600 --> 00:04:26,960
And that's what we're going to talk about next.

138
00:04:26,960 --> 00:04:29,120
Azure Deedos protection, the two flavors.

139
00:04:29,120 --> 00:04:31,600
So Azure Deedos protection comes in two versions.

140
00:04:31,600 --> 00:04:33,440
Microsoft calls them SKUs.

141
00:04:33,440 --> 00:04:34,880
Network protection is the first one

142
00:04:34,880 --> 00:04:36,680
and IP protection is the second.

143
00:04:36,680 --> 00:04:39,400
They both do the same core job of protecting against layer three

144
00:04:39,400 --> 00:04:40,680
and layer four attacks.

145
00:04:40,680 --> 00:04:43,120
But the real difference is in scope, price,

146
00:04:43,120 --> 00:04:44,960
and what extras you get.

147
00:04:44,960 --> 00:04:46,520
Let's start with network protection.

148
00:04:46,520 --> 00:04:49,040
This is the original option, the more complete one.

149
00:04:49,040 --> 00:04:50,960
You protect an entire virtual network,

150
00:04:50,960 --> 00:04:53,080
which means every single public IP address

151
00:04:53,080 --> 00:04:55,520
inside that VNet gets covered automatically.

152
00:04:55,520 --> 00:04:58,880
If you add a new VM with a public IP tomorrow, it's protected.

153
00:04:58,880 --> 00:05:00,120
You don't have to think about it.

154
00:05:00,120 --> 00:05:01,480
For the first 100 public IPs,

155
00:05:01,480 --> 00:05:04,080
you're looking at about $2,700 per month.

156
00:05:04,080 --> 00:05:07,560
After that, it's roughly $27 per additional IP per month.

157
00:05:07,560 --> 00:05:09,280
So if you have a decent size deployment,

158
00:05:09,280 --> 00:05:11,960
the per IP cost gets very reasonable.

159
00:05:11,960 --> 00:05:13,560
But the price isn't the only thing you get.

160
00:05:13,560 --> 00:05:16,720
Network protection includes Deedos rapid response support,

161
00:05:16,720 --> 00:05:18,560
a dedicated team of Microsoft engineers

162
00:05:18,560 --> 00:05:20,120
you can call during an active attack.

163
00:05:20,120 --> 00:05:22,360
They help investigate, manually adjust thresholds

164
00:05:22,360 --> 00:05:25,320
if needed, and assist with post-attack analysis.

165
00:05:25,320 --> 00:05:27,400
It's like having a SWAT team on speed dial.

166
00:05:27,400 --> 00:05:28,880
It also includes cost protection.

167
00:05:28,880 --> 00:05:31,480
If an attack causes your resources to auto scale,

168
00:05:31,480 --> 00:05:33,920
say your application gateway spins up more instances

169
00:05:33,920 --> 00:05:35,000
to handle the flood.

170
00:05:35,000 --> 00:05:37,840
Microsoft gives you service credits for that extra cost.

171
00:05:37,840 --> 00:05:39,760
You document the attack, submit a claim,

172
00:05:39,760 --> 00:05:41,000
and you get the overage back.

173
00:05:41,000 --> 00:05:42,440
And there's a WAF discount, too.

174
00:05:42,440 --> 00:05:45,040
For application gateway running inside a protected VNet,

175
00:05:45,040 --> 00:05:47,560
the WF part of the cost is 100% discounted.

176
00:05:47,560 --> 00:05:49,640
You only pay the standard application gateway price.

177
00:05:49,640 --> 00:05:51,840
That's a nice saving if you're already using WAF.

178
00:05:51,840 --> 00:05:54,800
Now IP protection is the newer, simpler, cheaper option.

179
00:05:54,800 --> 00:05:57,160
Instead of protecting an entire virtual network,

180
00:05:57,160 --> 00:06:00,160
you protect individual public IP addresses one at a time.

181
00:06:00,160 --> 00:06:02,920
Each IP will cost you about 109 niles per month,

182
00:06:02,920 --> 00:06:03,920
but you lose some things.

183
00:06:03,920 --> 00:06:06,160
No rapid response team, no cost protection,

184
00:06:06,160 --> 00:06:07,040
no WAF discount.

185
00:06:07,040 --> 00:06:08,520
You get the same core mitigation,

186
00:06:08,520 --> 00:06:10,960
the same adaptive tuning, the same metrics and logging,

187
00:06:10,960 --> 00:06:12,760
but the enterprise extras are gone.

188
00:06:12,760 --> 00:06:14,080
So which one do you choose?

189
00:06:14,080 --> 00:06:15,400
Here's a rough rule of thumb.

190
00:06:15,400 --> 00:06:18,080
If you have fewer than 15 critical public IPs,

191
00:06:18,080 --> 00:06:19,480
IP protection is cheaper.

192
00:06:19,480 --> 00:06:21,280
If you have more than 15 network protection

193
00:06:21,280 --> 00:06:22,520
makes more financial sense.

194
00:06:22,520 --> 00:06:25,440
And if you want that rapid response support or cost protection,

195
00:06:25,440 --> 00:06:27,280
network protection is the only option.

196
00:06:27,280 --> 00:06:28,760
But here's the thing about cost.

197
00:06:28,760 --> 00:06:30,400
Most people focus on the monthly price

198
00:06:30,400 --> 00:06:33,160
and forget what an attack actually costs them in downtime.

199
00:06:33,160 --> 00:06:35,840
We'll get to that later, but keep it in mind.

200
00:06:35,840 --> 00:06:39,240
Now, what about attacks that don't target the network layer at all?

201
00:06:39,240 --> 00:06:42,080
What happens when the attack looks like normal web traffic?

202
00:06:42,080 --> 00:06:44,280
Layer 7 attacks and where WAF fits.

203
00:06:44,280 --> 00:06:45,680
So here's the limitation.

204
00:06:45,680 --> 00:06:48,800
Azure DDoS protection only covers layers 3 and 4,

205
00:06:48,800 --> 00:06:50,440
the network and transport layers.

206
00:06:50,440 --> 00:06:53,480
It looks at IP addresses, ports, protocols and packet rates,

207
00:06:53,480 --> 00:06:56,840
but it never inspects the actual content of your HTTP requests.

208
00:06:56,840 --> 00:06:58,440
Attackers know this, so they've adapted.

209
00:06:58,440 --> 00:07:00,240
Instead of sending garbage traffic

210
00:07:00,240 --> 00:07:02,480
that network level defenses catch,

211
00:07:02,480 --> 00:07:05,200
they send traffic that looks perfectly legitimate.

212
00:07:05,200 --> 00:07:08,280
A single request to your most expensive API endpoint

213
00:07:08,280 --> 00:07:09,760
has the right headers and format,

214
00:07:09,760 --> 00:07:13,160
but 10,000 of them from different IPs can take your app down.

215
00:07:13,160 --> 00:07:14,760
These are application layer attacks,

216
00:07:14,760 --> 00:07:15,960
layer 7 attacks,

217
00:07:15,960 --> 00:07:18,000
and Azure DDoS protection can't stop them

218
00:07:18,000 --> 00:07:19,880
because it doesn't look inside the request.

219
00:07:19,880 --> 00:07:23,520
This is where Azure Web Application Firewall or WAF comes into the picture.

220
00:07:23,520 --> 00:07:25,000
WAF sits in front of your application

221
00:07:25,000 --> 00:07:27,320
and inspects every single HTTP request.

222
00:07:27,320 --> 00:07:30,560
It identifies patterns, rate limits, specific endpoints

223
00:07:30,560 --> 00:07:33,720
and blocks the suspicious traffic based on the content of the request,

224
00:07:33,720 --> 00:07:35,320
not just where it came from.

225
00:07:35,320 --> 00:07:37,640
There's a feature called the HTTP DDoS

226
00:07:37,640 --> 00:07:39,720
rule set for application gateway WAF.

227
00:07:39,720 --> 00:07:42,200
It learns your normal traffic patterns over 24 hours

228
00:07:42,200 --> 00:07:44,120
and automatically sets thresholds.

229
00:07:44,120 --> 00:07:46,440
If a client suddenly sends way more requests than usual,

230
00:07:46,440 --> 00:07:48,040
it gets temporarily blocked.

231
00:07:48,040 --> 00:07:50,520
It's adaptive, just like the network level protection,

232
00:07:50,520 --> 00:07:52,320
but specifically for HTTP traffic.

233
00:07:52,320 --> 00:07:55,360
On top of that, you have rate limiting for deterministic controls.

234
00:07:55,360 --> 00:07:58,800
You can say no more than 100 requests per minute to this login endpoint

235
00:07:58,800 --> 00:08:00,120
and WAF enforces it.

236
00:08:00,120 --> 00:08:03,560
You also have bot protection features like JavaScript challenges and capture.

237
00:08:03,560 --> 00:08:07,160
When a client hits a sensitive endpoint, WAF challenges them.

238
00:08:07,160 --> 00:08:08,840
A real browser passes the challenge,

239
00:08:08,840 --> 00:08:11,000
but a bot usually fails.

240
00:08:11,000 --> 00:08:13,000
So the simple way to think about it is this.

241
00:08:13,000 --> 00:08:16,040
DDoS protection handles the flood and WAF handles the fakes.

242
00:08:16,040 --> 00:08:17,720
You need both for complete coverage.

243
00:08:17,720 --> 00:08:20,040
Now let's talk about what everyone asks about next,

244
00:08:20,040 --> 00:08:23,040
the real cost and what you actually get for your money.

245
00:08:23,040 --> 00:08:25,320
What you actually get for your money.

246
00:08:25,320 --> 00:08:27,320
Let's start with the network protection tier

247
00:08:27,320 --> 00:08:29,520
since it includes the most features.

248
00:08:29,520 --> 00:08:32,200
First up is DDoS Rapid Response Support,

249
00:08:32,200 --> 00:08:35,360
a team of Microsoft engineers you can call during an active attack.

250
00:08:35,360 --> 00:08:38,440
They help investigate manually adjust thresholds if needed

251
00:08:38,440 --> 00:08:40,280
and assist with post-attack analysis.

252
00:08:40,280 --> 00:08:42,400
This is only available with the network protection tier,

253
00:08:42,400 --> 00:08:44,400
so if you go with IP protection, you don't get it.

254
00:08:44,400 --> 00:08:45,440
Then there's cost protection.

255
00:08:45,440 --> 00:08:47,920
If an attack causes your resources to auto scale,

256
00:08:47,920 --> 00:08:51,280
say your application gateway spins up extra instances to handle the flood,

257
00:08:51,280 --> 00:08:53,880
Microsoft gives you service credits for that extra cost.

258
00:08:53,880 --> 00:08:57,000
You document the attack, submit a claim, and get the overage back.

259
00:08:57,000 --> 00:08:59,280
It's a financial safety net on top of the technical one.

260
00:08:59,280 --> 00:09:00,920
There's also a WAF discount.

261
00:09:00,920 --> 00:09:03,560
For application gateway running inside a protected V-net,

262
00:09:03,560 --> 00:09:06,280
the WAF part of the cost is 100% discounted,

263
00:09:06,280 --> 00:09:09,040
so you only pay the standard application gateway price.

264
00:09:09,040 --> 00:09:12,400
If you're already using WAF, that's real money back in your pocket.

265
00:09:12,400 --> 00:09:14,600
Now, let's look at the features both tier share.

266
00:09:14,600 --> 00:09:17,200
With metrics and alerts, you can see real-time thresholds

267
00:09:17,200 --> 00:09:19,720
know when you're under attack and set up alerts.

268
00:09:19,720 --> 00:09:21,560
No more guessing whether something happened.

269
00:09:21,560 --> 00:09:22,960
You get a clear signal.

270
00:09:22,960 --> 00:09:24,720
Login gives you three categories.

271
00:09:24,720 --> 00:09:28,080
DDoS protection notifications tell you when an attack starts and stops.

272
00:09:28,080 --> 00:09:30,720
Mitigation flow logs give you sample traffic data,

273
00:09:30,720 --> 00:09:32,560
what was dropped and what was forwarded.

274
00:09:32,560 --> 00:09:35,920
Mitigation reports give you aggregate summaries like total packets,

275
00:09:35,920 --> 00:09:38,040
top source countries, and attack duration.

276
00:09:38,040 --> 00:09:40,960
All of this is useful for post-attack investigation.

277
00:09:40,960 --> 00:09:44,720
And then there's adaptive tuning, which is the core intelligence of the service.

278
00:09:44,720 --> 00:09:48,640
It learns your normal traffic patterns and adjusts thresholds automatically

279
00:09:48,640 --> 00:09:52,280
across three thresholds per IP, TCP, TCP, Syn and UDP.

280
00:09:52,280 --> 00:09:54,920
No manual configuration is needed beyond enabling the service.

281
00:09:54,920 --> 00:09:55,760
It just works.

282
00:09:55,760 --> 00:09:59,000
Before the IP protection tier, you lose the rapid response support,

283
00:09:59,000 --> 00:10:00,560
cost protection, and WAF discount,

284
00:10:00,560 --> 00:10:03,200
but you keep the adaptive tuning, metrics, and logging.

285
00:10:03,200 --> 00:10:05,360
Same core protection, just fewer extras.

286
00:10:05,360 --> 00:10:08,240
Now let's look at something that puts all of this into perspective.

287
00:10:08,240 --> 00:10:10,680
The largest attack Azure has ever handled.

288
00:10:10,680 --> 00:10:12,160
The 15-terrabbit attack.

289
00:10:12,160 --> 00:10:15,600
Now let's talk about a massive attack that happened in late 2023.

290
00:10:15,600 --> 00:10:18,280
Microsoft blocked the largest DDoS attack in history.

291
00:10:18,280 --> 00:10:21,080
It peaked at 15.72 terabits per second

292
00:10:21,080 --> 00:10:22,840
to give you an idea of how big that is,

293
00:10:22,840 --> 00:10:26,280
imagine downloading the entire Netflix catalog in under two seconds.

294
00:10:26,280 --> 00:10:28,160
That's the kind of traffic we're talking about.

295
00:10:28,160 --> 00:10:31,160
The attack targeted a single endpoint in Australia.

296
00:10:31,160 --> 00:10:34,320
It came from over 500,000 unique IP addresses.

297
00:10:34,320 --> 00:10:37,560
The source, an IoT botnet made up of compromised home routers

298
00:10:37,560 --> 00:10:38,840
and security cameras.

299
00:10:38,840 --> 00:10:41,280
Devices like the ones you probably have in your own home,

300
00:10:41,280 --> 00:10:45,360
attackers took control of them and turned them into a coordinated flood of traffic.

301
00:10:45,360 --> 00:10:48,520
This was a multi-vector UDP flood with a high-packet rate

302
00:10:48,520 --> 00:10:50,320
designed to saturate the connection.

303
00:10:50,320 --> 00:10:51,640
But here's the key detail,

304
00:10:51,640 --> 00:10:54,400
Azure's global defense system absorbed it automatically.

305
00:10:54,400 --> 00:10:57,240
The customer experienced zero service interruption,

306
00:10:57,240 --> 00:10:58,840
not a single second of downtime.

307
00:10:58,840 --> 00:11:02,360
Microsoft processes over 2,000 DDoS attacks every single day

308
00:11:02,360 --> 00:11:04,000
across its global infrastructure.

309
00:11:04,000 --> 00:11:06,520
The reason this attack made headlines isn't that it succeeded,

310
00:11:06,520 --> 00:11:08,520
it's that it was the largest ever measured,

311
00:11:08,520 --> 00:11:11,600
it was notable for being the biggest, not for being the most damaging.

312
00:11:11,600 --> 00:11:12,640
This shows two things.

313
00:11:12,640 --> 00:11:14,800
First, attacks are getting bigger and more common.

314
00:11:14,800 --> 00:11:17,960
Second, Azure's infrastructure handles this scale routinely.

315
00:11:17,960 --> 00:11:20,600
The 15 terabit attack was absorbed without anyone noticing

316
00:11:20,600 --> 00:11:22,240
because the system was designed for it.

317
00:11:22,240 --> 00:11:23,520
But here's the honest truth.

318
00:11:23,520 --> 00:11:25,080
For most small to medium businesses,

319
00:11:25,080 --> 00:11:27,760
the threat isn't a 15 terabit attack from a botnet.

320
00:11:27,760 --> 00:11:29,960
It's something much closer to home.

321
00:11:29,960 --> 00:11:32,000
Why small businesses need to care?

322
00:11:32,000 --> 00:11:34,720
Let's look at the numbers because they tell a pretty clear story.

323
00:11:34,720 --> 00:11:38,800
In 2025, 43% of all cyber attacks targeted small businesses,

324
00:11:38,800 --> 00:11:40,800
not big enterprises, not government agencies,

325
00:11:40,800 --> 00:11:44,120
but small businesses that don't have a dedicated IT security team.

326
00:11:44,120 --> 00:11:47,200
SMBs absorbed nearly 900 million attacks that year,

327
00:11:47,200 --> 00:11:49,840
a 71% increase from the year before.

328
00:11:49,840 --> 00:11:53,280
And here's the thing, about 85% of those attacks were DDoS.

329
00:11:53,280 --> 00:11:55,440
Not ransomware, not data breaches, but DDoS,

330
00:11:55,440 --> 00:11:57,400
the attack we've been talking about this whole episode,

331
00:11:57,400 --> 00:12:01,520
the average cost to recover from a DDoS incident is about $120,000.

332
00:12:01,520 --> 00:12:02,520
Let that sink in.

333
00:12:02,520 --> 00:12:04,680
For a small business, that's not just a bad month.

334
00:12:04,680 --> 00:12:07,680
It's potentially the difference between staying open and closing your doors.

335
00:12:07,680 --> 00:12:11,280
In fact, 12% of small businesses hit by a major DDoS event

336
00:12:11,280 --> 00:12:13,760
shut down permanently, not temporarily.

337
00:12:13,760 --> 00:12:16,880
Even temporary downtime is brutally expensive.

338
00:12:16,880 --> 00:12:21,160
Industry estimates put the average cost at about $5,600 per minute,

339
00:12:21,160 --> 00:12:23,320
over $300,000 an hour.

340
00:12:23,320 --> 00:12:27,280
For a small business, a four hour outage can cost tens of thousands of dollars

341
00:12:27,280 --> 00:12:30,440
in lost sales, recovery costs, and reputational damage.

342
00:12:30,440 --> 00:12:32,040
And that's if you recover quickly.

343
00:12:32,040 --> 00:12:35,000
API targeted, DDoS attacks on SMBs,

344
00:12:35,000 --> 00:12:38,080
surged over 1,100% in a single year.

345
00:12:38,080 --> 00:12:40,640
That's not a typo, over 1,100%.

346
00:12:40,640 --> 00:12:43,160
Attackers have figured out that APIs are the weak link.

347
00:12:43,160 --> 00:12:45,040
They're the front door to your backend systems,

348
00:12:45,040 --> 00:12:47,840
and most small businesses don't have them properly protected.

349
00:12:47,840 --> 00:12:51,600
This isn't just a problem for big enterprises with large IT teams.

350
00:12:51,600 --> 00:12:53,560
It's a problem for anyone who runs a website,

351
00:12:53,560 --> 00:12:57,120
an online store, a SaaS product, or any internet-facing service.

352
00:12:57,120 --> 00:12:59,240
And here's the part that catches most people of God.

353
00:12:59,240 --> 00:13:02,400
Many SMBs don't realize Azure's free protection leaves them exposed

354
00:13:02,400 --> 00:13:05,160
to moderate attacks, specifically targeting their workload.

355
00:13:05,160 --> 00:13:07,080
They think they're covered because it's Azure,

356
00:13:07,080 --> 00:13:09,840
but the free tier is designed to protect Azure's platform,

357
00:13:09,840 --> 00:13:11,440
not your specific application.

358
00:13:11,440 --> 00:13:14,120
A moderate attack that Azure's infrastructure,

359
00:13:14,120 --> 00:13:17,520
barely notices, can take your server down completely.

360
00:13:17,520 --> 00:13:18,560
So here's the math.

361
00:13:18,560 --> 00:13:22,640
Using IP protection at $200 per month is far cheaper

362
00:13:22,640 --> 00:13:25,400
than the average cost of a single attack, $200 a month,

363
00:13:25,400 --> 00:13:27,880
versus $120,000 per incident.

364
00:13:27,880 --> 00:13:29,600
That's a 600 to 1 ratio.

365
00:13:29,600 --> 00:13:32,360
You'd have to be attacked once every 50 years for it to not be worth it.

366
00:13:32,360 --> 00:13:36,200
The common misconception is why would anyone attack my small business?

367
00:13:36,200 --> 00:13:37,960
The answer is rarely personal.

368
00:13:37,960 --> 00:13:40,920
It's automated botnet scanning the internet for vulnerable targets.

369
00:13:40,920 --> 00:13:42,400
Your business isn't being singled out.

370
00:13:42,400 --> 00:13:45,000
It's just an IP address that responded to a scan.

371
00:13:45,000 --> 00:13:47,560
And once the botnet finds you, it doesn't care how small you are.

372
00:13:47,560 --> 00:13:48,720
So what should you actually do?

373
00:13:48,720 --> 00:13:50,880
Let's put together a practical starting point.

374
00:13:50,880 --> 00:13:53,440
Where to start and how to layer your defenses?

375
00:13:53,440 --> 00:13:56,120
A complete DDoS strategy isn't just one product.

376
00:13:56,120 --> 00:13:59,240
It's a set of layers, each one blocking a different kind of attack.

377
00:13:59,240 --> 00:14:00,960
Let's build them from the ground up.

378
00:14:00,960 --> 00:14:03,240
Layer one is the default infrastructure protection.

379
00:14:03,240 --> 00:14:04,560
It's always on and always free.

380
00:14:04,560 --> 00:14:07,360
It handles huge attacks against Azure's platform itself.

381
00:14:07,360 --> 00:14:08,320
But here's the thing.

382
00:14:08,320 --> 00:14:11,320
It doesn't protect your specific workload from moderate attacks.

383
00:14:11,320 --> 00:14:12,960
It's a safety net, not a full solution.

384
00:14:12,960 --> 00:14:14,840
Layer two is Azure DDoS protection.

385
00:14:14,840 --> 00:14:18,360
This gives you Layer three and Layer four protection tailored to your application.

386
00:14:18,360 --> 00:14:22,480
If you have 15 or more critical public IPs and want rapid response support,

387
00:14:22,480 --> 00:14:24,120
go with network protection.

388
00:14:24,120 --> 00:14:28,000
If you have fewer IPs and want the lowest cost entry point, go with IP protection,

389
00:14:28,000 --> 00:14:34,360
enable it on public IPs attached to load balancers, application gateways as your firewalls and virtual machines.

390
00:14:34,360 --> 00:14:37,320
Any resource that faces the internet needs coverage.

391
00:14:37,320 --> 00:14:39,320
Layer three is application layer protection.

392
00:14:39,320 --> 00:14:41,880
This is where you stop Layer seven attacks using WAF.

393
00:14:41,880 --> 00:14:46,080
Enable the HTTP DDoS rule set on application gateway or Azure front door.

394
00:14:46,080 --> 00:14:50,200
Add rate limiting for specific endpoints, like login pages or expensive APIs.

395
00:14:50,200 --> 00:14:53,160
Use bot protection with JavaScript challenges or capture

396
00:14:53,160 --> 00:14:54,960
to filter automated traffic.

397
00:14:54,960 --> 00:14:56,080
Think of it this way.

398
00:14:56,080 --> 00:14:59,480
DDoS protection handles the flood and WAF handles the fakes.

399
00:14:59,480 --> 00:15:01,200
Layer four is monitoring and response.

400
00:15:01,200 --> 00:15:04,440
Enable diagnostic settings on your protected public IPs.

401
00:15:04,440 --> 00:15:08,080
At minimum, turn on DDoS protection notifications and mitigation reports.

402
00:15:08,080 --> 00:15:11,000
Set up alerts so you know when an attack starts and stops.

403
00:15:11,000 --> 00:15:14,240
Consider the DDoS workbook for monitoring multiple IPs at scale.

404
00:15:14,240 --> 00:15:16,200
You can't respond to what you can't see.

405
00:15:16,200 --> 00:15:19,040
So here's a practical starting point for most small businesses.

406
00:15:19,040 --> 00:15:22,440
First, identify your critical internet facing public IPs.

407
00:15:22,440 --> 00:15:24,640
The ones that actually matter to your business.

408
00:15:24,640 --> 00:15:29,000
Second, enable DDoS IP protection on each one at $200 per month per IP.

409
00:15:29,000 --> 00:15:30,840
Third, if you have an application gateway,

410
00:15:30,840 --> 00:15:34,760
enable WAF with the default rule set and the HTTP DDoS rule set.

411
00:15:34,760 --> 00:15:37,840
Fourth, set up diagnostic logging and a basic alert.

412
00:15:37,840 --> 00:15:40,960
That's not expensive and it covers most common attack scenarios.

413
00:15:40,960 --> 00:15:44,240
That's your DDoS defense strategy, layered, practical,

414
00:15:44,240 --> 00:15:46,240
and built for what you actually run.

415
00:15:46,240 --> 00:15:47,640
Let's tie it all together.

416
00:15:47,640 --> 00:15:51,400
You now understand what DDoS attacks are and how Azure protects against them.

417
00:15:51,400 --> 00:15:53,520
The free infrastructure layer is a safety net,

418
00:15:53,520 --> 00:15:56,920
but it won't protect your specific workload from moderate attacks.

419
00:15:56,920 --> 00:16:00,440
Azure DDoS protection adds adaptive tuning, visibility,

420
00:16:00,440 --> 00:16:02,200
and application specific defense.

421
00:16:02,200 --> 00:16:04,680
IP protection is your low cost entry point.

422
00:16:04,680 --> 00:16:08,920
Network protection adds rapid response and cost protection for larger deployments.

423
00:16:08,920 --> 00:16:11,520
For application layer attacks, WAF fills the gap

424
00:16:11,520 --> 00:16:13,720
that network layer defenses just can't see.

425
00:16:13,720 --> 00:16:16,480
The layered approach isn't optional for critical workloads.

426
00:16:16,480 --> 00:16:19,720
It's the difference between a successful attack and an unnoticed blip.

427
00:16:19,720 --> 00:16:22,920
Start by protecting your most important public IPs.

428
00:16:22,920 --> 00:16:24,920
That single step puts you ahead of most people.