Azure DDoS Cost for small environments: DDoS Network Protection vs IP Protection and known limitations

Azure Architecture Security and Compliance

Azure DDoS Network Protection costs about $2,943 per month and covers a maximum of 100 protected public IP resources per plan.

However, the question that comes up most often is whether that investment is necessary at all when only two or three public IP addresses are in use.

At that scale the answer is no. Microsoft offers DDoS IP Protection, which is purchased per public IP address at approximately $199 per month. At these prices a Network Protection plan only becomes cheaper once roughly 15 public IP addresses need protection ($2,943 / $199 is just under 15), so IP Protection is the right fit for organizations with a handful of public IP addresses.

Network Protection billing starts as soon as the DDoS protection plan is created.

IP Protection billing starts once a public IP address is enabled for IP Protection and its virtual network is not already covered by a DDoS protection plan; a public IP inside a plan-covered virtual network is billed under Network Protection instead, not charged a second time.

The IP Protection price is easy to miss: it sits on a separate tab of the pricing page, Azure DDoS Protection Pricing | Microsoft Azure.

The table below summarizes the key differences between DDoS IP Protection and DDoS Network Protection.

Feature                                                   | DDoS IP Protection | DDoS Network Protection
----------------------------------------------------------|--------------------|------------------------
Active traffic monitoring & always-on detection           | Yes                | Yes
L3/L4 automatic attack mitigation                         | Yes                | Yes
Automatic attack mitigation                               | Yes                | Yes
Application-based mitigation policies                     | Yes                | Yes
Metrics & alerts                                          | Yes                | Yes
Mitigation reports                                        | Yes                | Yes
Mitigation flow logs                                      | Yes                | Yes
Mitigation policies tuned to the customer's application   | Yes                | Yes
Integration with Firewall Manager                         | Yes                | Yes
Microsoft Sentinel data connector and workbook            | Yes                | Yes
Protection of resources across subscriptions in a tenant  | Yes                | Yes
Public IP Standard tier protection                        | Yes                | Yes
Public IP Basic tier protection                           | No                 | Yes
DDoS Rapid Response support                               | Not available      | Yes
Cost protection                                           | Not available      | Yes
WAF discount                                              | Not available      | Yes
Price                                                     | Per protected IP   | Per 100 protected IP addresses
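The billing rules above (plan charged per plan, IP Protection charged per IP only when the VNet is not plan-covered, Basic SKU not eligible for IP Protection, and the later note that a disabled IP in a plan-covered VNet is still billed under the plan) are easy to get wrong in a spreadsheet. The following Python is an added example written for this post, not Microsoft tooling: it encodes those rules and the two list prices quoted in the post, and works on a constructed, pre-joined view of public IP records. The `vnet_has_plan` field is an assumption: the caller must resolve each public IP to its virtual network (for example from `az network public-ip list` and `az network vnet list` output) before calling it.

```python
"""Classify how each Azure public IP is DDoS-protected and estimate the monthly bill.

Added example for this post. Prices are the figures quoted in the post, not a
live price list. Input records are a simplified, pre-joined view of public IPs;
resolving a public IP to its VNet (and whether that VNet is linked to a DDoS
Network Protection plan) is assumed to have been done by the caller.
"""
from dataclasses import dataclass
from math import ceil

NETWORK_PROTECTION_PLAN_USD = 2943     # per plan per month (post's figure)
NETWORK_PROTECTION_PLAN_CAPACITY = 100 # protected resources per plan
IP_PROTECTION_USD = 199                # per protected public IP per month


@dataclass
class PublicIp:
    name: str
    sku: str               # "Standard" or "Basic" (sku.name in az output)
    protection_mode: str   # "Enabled", "Disabled" or "VirtualNetworkInherited"
    vnet_has_plan: bool    # assumption: resolved by the caller, not in az public-ip output


def classify(ip: PublicIp) -> str:
    """Return which tier protects and bills this IP, or why it is not protected."""
    if ip.protection_mode == "Enabled":
        if ip.sku != "Standard":
            return "unsupported-basic-sku"      # IP Protection needs Standard SKU
        if ip.vnet_has_plan:
            return "plan"                       # plan already covers it: no per-IP charge
        return "ip-protection"                  # billed $199/month for this IP
    if ip.protection_mode == "Disabled":
        # Disabled inside a plan-covered VNet: plan is still billed, but
        # mitigation, telemetry and logging are suspended for this IP.
        return "disabled-billed-by-plan" if ip.vnet_has_plan else "unprotected"
    # VirtualNetworkInherited: protected only if the VNet has a plan
    return "plan" if ip.vnet_has_plan else "unprotected"


def monthly_cost(ips, plan_count: int) -> dict:
    """Estimate the monthly DDoS bill and bucket the IPs by protection status."""
    buckets: dict[str, list[str]] = {}
    for ip in ips:
        if ip.vnet_has_plan and plan_count == 0:
            raise ValueError(f"{ip.name}: VNet marked plan-covered but plan_count is 0")
        buckets.setdefault(classify(ip), []).append(ip.name)
    ip_protection = len(buckets.get("ip-protection", []))
    plan_resources = (len(buckets.get("plan", []))
                      + len(buckets.get("disabled-billed-by-plan", [])))
    return {
        "monthly_usd": plan_count * NETWORK_PROTECTION_PLAN_USD
                       + ip_protection * IP_PROTECTION_USD,
        "plan_resources": plan_resources,
        # Beyond 100 resources per plan overage applies; its price is not modelled here.
        "plan_over_capacity": plan_resources > plan_count * NETWORK_PROTECTION_PLAN_CAPACITY,
        "buckets": buckets,
    }


def break_even_ip_count() -> int:
    """Smallest number of IPs at which one plan is cheaper than per-IP protection."""
    return ceil(NETWORK_PROTECTION_PLAN_USD / IP_PROTECTION_USD)


# Constructed sample: a small environment with no plan and three public IPs,
# one of them a Basic SKU that IP Protection cannot cover.
SAMPLE_SMALL = [
    PublicIp("pip-web", "Standard", "Enabled", False),
    PublicIp("pip-vpn", "Standard", "Enabled", False),
    PublicIp("pip-legacy", "Basic", "Enabled", False),
]

# Constructed sample: one plan covering a VNet, plus one IP outside it.
SAMPLE_PLAN = [
    PublicIp("pip-a", "Standard", "Enabled", True),                 # no double charge
    PublicIp("pip-b", "Standard", "VirtualNetworkInherited", True),
    PublicIp("pip-c", "Standard", "Disabled", True),                # billed, not mitigated
    PublicIp("pip-d", "Standard", "Enabled", False),                # IP Protection
]

if __name__ == "__main__":
    print("break-even IP count:", break_even_ip_count())
    print(monthly_cost(SAMPLE_SMALL, plan_count=0))
    print(monthly_cost(SAMPLE_PLAN, plan_count=1))
```

The interesting rows in the output are the ones that cost nothing and protect nothing: `unsupported-basic-sku` (upgrade the IP to Standard before enabling IP Protection) and `unprotected` (a VirtualNetworkInherited IP in a VNet that was never linked to a plan), plus `disabled-billed-by-plan`, which is the case where you pay and get no mitigation.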

Known limitations of DDoS Network Protection and DDoS IP Protection

DDoS Network Protection and DDoS IP Protection have the following limitations:

  • PaaS services (multi-tenant), which include Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than APIM with virtual network integration (for more information see https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-ddos-standard-protection-now-supports-apim-in-vnet/ba-p/3641671), and Azure Virtual WAN, aren't currently supported.
  • Protecting a public IP resource attached to a NAT Gateway isn’t supported.
  • Virtual machines in Classic/RDFE deployments aren’t supported.
  • VPN gateways and virtual network gateways are protected by a fixed DDoS policy; adaptive tuning isn't supported at this stage.
  • Disabling DDoS protection for a public IP address is currently a preview feature. If you disable DDoS protection for a public IP resource that is linked to a virtual network with an active DDoS protection plan, you’ll still be billed for DDoS Network Protection. However, the following functionalities will be suspended: mitigation of DDoS attacks, telemetry, and logging of DDoS mitigation events.
  • Partially supported: the Azure DDoS Protection service can protect a public load balancer with a public IP address prefix linked to its frontend. It effectively detects and mitigates DDoS attacks. However, telemetry and logging for the protected public IP addresses within the prefix range are currently unavailable.

DDoS IP Protection is similar to Network Protection, but has the following additional limitation:

  • Public IP Basic tier protection isn’t supported.

For more scenarios, refer to the Microsoft article Compare pricing between Azure DDoS Protection tiers | Microsoft Learn.
