Azure DDoS Protection fundamental best practices

This article provides best practices for building DDoS-resilient services on Azure. Use this guidance to protect your applications with Azure DDoS Protection across the areas of tier selection, security design, scalability, multi-layered defense, monitoring, testing, and response planning.

Choose the right protection tier

Azure DDoS Protection offers two tiers to match different protection needs:

• DDoS IP Protection: Per-IP protection for a small number of public IP addresses. Best for small deployments that need core DDoS protection without advanced features.
• DDoS Network Protection: Enhanced protection for virtual network resources with additional features including DDoS Rapid Response (DRR) support, cost protection guarantees, and web application firewall (WAF) discounts.

Evaluate your requirements based on the number of public IP resources, the need for DDoS Rapid Response support, and cost protection needs. For a detailed comparison of features, limitations, and pricing between the two tiers, see About Azure DDoS Protection tier comparison.

Design for security

Ensure that security is a priority throughout the entire lifecycle of an application, from design and implementation to deployment and operations. Applications can have bugs that allow a relatively low volume of requests to use an excessive amount of resources, resulting in a service outage.

To protect your service on Azure:

• Understand your application architecture: Focus on the five pillars of software quality. Know your typical traffic volumes, the connectivity model between your application and other applications, and the service endpoints exposed to the public internet.
• Plan for denial of service: Ensure that an application is resilient enough to handle a denial of service targeted at the application layer, such as HTTP floods.
• Apply security development practices: Security and privacy are built into the Azure platform, beginning with the Security Development Lifecycle (SDL). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure.
• Follow Azure security baselines: Review the Azure security baseline for DDoS Protection to align your configuration with the Microsoft cloud security benchmark.

Design for scalability

Scalability is how well a system can handle increased load. Design your applications to scale horizontally to meet the demand of an amplified load, specifically in the event of a DDoS attack. If your application depends on a single instance of a service, it creates a single point of failure. Provisioning multiple instances makes your system more resilient and more scalable.

Consider the following scalability strategies:

• Azure App Service: Select an App Service plan that offers multiple instances. Configure autoscale rules to automatically scale out based on metrics like CPU usage or request count.
• Azure Virtual Machines: Ensure that your virtual machine architecture includes more than one virtual machine and that each virtual machine is included in an availability set. Use Virtual Machine Scale Sets for autoscaling capabilities.
• Caching and load distribution: Use Azure Front Door for global load balancing, SSL offloading, and caching of static content. Caching reduces the load on backend resources and minimizes the impact of traffic spikes.
• Azure Load Balancer: Distribute traffic across multiple instances to prevent any single resource from being overwhelmed.

For recommended DDoS protection architectures for common workload types, see DDoS Protection reference architectures.

Implement multi-layered defense

A defense in depth strategy uses multiple layers of security to reduce the risk of a successful attack. Use the built-in capabilities of the Azure platform to implement secure designs for your applications.

Reduce the attack surface

Reduce your exposure by minimizing the publicly accessible surface area:

• Use Azure Private Link to access Azure PaaS services over a private endpoint in your virtual network, eliminating exposure to the public internet.
• Use an allow list to restrict the exposed IP address space and listening ports that aren't needed on load balancers (Azure Load Balancer and Azure Application Gateway).
• Use network security groups (NSGs) to restrict traffic.
• Use service tags and application security groups to simplify creating security rules and configure network security as a natural extension of an application's structure.
• Deploy Azure services in a virtual network whenever possible so that service resources communicate through private IP addresses. Use service endpoints to switch service traffic to use virtual network private addresses as source IP addresses.

Protect the network layer (L3/L4)

Azure DDoS Protection provides automatic protection against network-layer (L3/L4) volumetric, protocol, and resource-layer attacks. Key capabilities include:

• Always-on traffic monitoring: DDoS Protection monitors your application traffic patterns to detect anomalies. Protection activates automatically when traffic exceeds thresholds.
• Adaptive real-time tuning: DDoS Protection profiles your application traffic over time and selects the mitigation profile best suited for your service.
• Azure Firewall integration: Combine Azure Firewall with DDoS Protection in a virtual network to provide additional network-layer filtering and threat intelligence. For architecture guidance, see Azure Firewall and DDoS Protection reference architectures.

Protect the application layer (L7)

Azure DDoS Protection focuses on network-layer (L3/L4) attacks. For application-layer (L7) attacks like HTTP floods and slowloris, combine DDoS Protection with a web application firewall (WAF):

• Deploy Azure Web Application Firewall on Azure Front Door or Azure Application Gateway to protect against L7 attacks.
• Use WAF custom rules for rate limiting to detect and block malicious traffic automatically.
• Enable bot protection to block known malicious bots.
• Use geo-filtering to restrict traffic from regions where you don't expect legitimate users.

For detailed guidance on application-layer DDoS defense strategies, see Application DDoS protection.

Integrate with Microsoft Sentinel

Use the Azure DDoS Solution for Microsoft Sentinel to identify offending DDoS sources, correlate attack data with other security events, and prevent attackers from pivoting to other attack types, such as data exfiltration.

Protect hybrid environments

If you're connecting an on-premises environment to Azure, minimize exposure of on-premises resources to the public internet. Use the scale and advanced DDoS protection capabilities of Azure by deploying your well-known public entities in Azure. Because these publicly accessible entities are often a target for DDoS attacks, putting them in Azure reduces the impact on your on-premises resources.

Configure monitoring and alerting

Set up monitoring and alerting to detect DDoS attacks quickly and understand your protection status:

• Configure metric alerts: Create alerts on key DDoS Protection metrics, such as Under DDoS attack or not, Inbound packets dropped DDoS, and Inbound SYN packets to trigger DDoS mitigation. Alerts notify you immediately when an attack is detected. For step-by-step instructions, see Configure Azure DDoS Protection metric alerts.
• View alerts in Microsoft Defender for Cloud: DDoS Protection automatically sends mitigation alerts to Microsoft Defender for Cloud when an attack is detected. Use Defender for Cloud to get a unified view of DDoS alerts alongside other security alerts. For more information, see View Azure DDoS Protection alerts in Microsoft Defender for Cloud.
• Enable diagnostic logging: Enable diagnostic logs to capture DDoS mitigation reports, flow logs, and notifications. Use these logs for post-attack analysis and compliance auditing.
• Review DDoS Protection telemetry: Use the metrics and diagnostic logs to understand traffic patterns during attacks and evaluate the effectiveness of mitigation. For detailed monitoring guidance, see Monitor Azure DDoS Protection.
• Monitor application performance: Use Azure Application Insights to monitor your web application and detect performance anomalies. Understanding your application's normal behavior helps you identify degradation during a DDoS attack. For detailed guidance, see DDoS response strategy.

Test and validate your protection

Regularly test your DDoS protection to validate that your applications and alerting work as expected during an attack:

• Run simulation tests: Use Microsoft-approved testing partners to simulate DDoS attacks against your Azure endpoints. Simulations help validate your protection configuration, alerting setup, and response procedures.
• Review test results: After simulation, review DDoS Protection metrics and diagnostic logs to confirm that mitigation policies triggered correctly.

For testing partners, prerequisites, and step-by-step instructions, see Test through simulations.

Plan your DDoS response strategy

Establish a clear response plan before an attack occurs to ensure a fast and effective response:

• Build a DDoS response team: Assign team members responsible for coordinating the response to an attack. Include members from networking, application, and operations teams.
• Engage DDoS Rapid Response (DRR): With DDoS Network Protection, you can engage the DDoS Rapid Response team during an active attack for investigation and post-attack analysis.
• Document and rehearse: Create runbooks, define escalation paths, and rehearse your response to DDoS attacks. Review and update your response plan regularly.

For detailed guidance on building your response strategy, see DDoS response strategy.

Next steps

• About Azure DDoS Protection tier comparison
• DDoS Protection reference architectures
• Monitor Azure DDoS Protection
• Configure Azure DDoS Protection metric alerts
• Test through simulations
• DDoS response strategy
• Application DDoS protection