In summary, if your environment has no ingress and the only resources in the DDoS plan are the Firewall’s public IPs, you may choose to rely on Azure’s basic DDoS protection, keeping in mind that it won’t provide the same level of protection, customization, and telemetry as the Standard plan.
Azure Basic DDoS
Azure Basic DDoS is a free DDoS protection service from Microsoft Azure. It detects and mitigates 2 Gbps attacks. This level of protection is sufficient for small businesses and organizations at low DDoS risk.
Azure Standard DDoS
Azure Standard DDoS is a paid service that protects against larger and more sophisticated DDoS attacks. It mitigates 1 Tbps attacks. Its cost is determined by the number of protected public IP addresses and the maximum traffic volume.
Considerations for buying DDoS protection for Azure Firewall
1. If the Azure Firewall public IPs are not included in a DDoS protection plan, they will be protected by Azure’s basic DDoS protection. This basic protection is designed to handle common network layer attacks and comes at no additional cost. However, it does not have the same level of customization, mitigation policies, and attack telemetry as the Standard DDoS protection plan. If your network doesn’t require the additional features provided by the Standard DDoS protection plan, you may choose to rely on basic protection.
2. Azure Firewall has some built-in protections against DDoS attacks. It is a stateful firewall that automatically scales to handle changing network traffic. It can handle millions of flows simultaneously, and Azure’s basic DDoS protection will help mitigate common network layer attacks. However, for more advanced protection and features, the Standard DDoS protection plan is recommended.
3. There isn’t a strict recommendation that customers must use a DDoS protection plan when deploying an Azure Firewall. The decision depends on your specific requirements and risk tolerance. If your network is not exposed to the internet, and you don’t expect any high-profile or targeted attacks, you may decide that the basic protection is sufficient. However, for enhanced security, customization, and peace of mind, a Standard DDoS protection plan is recommended.
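To apply point 1 you first need to know which firewall public IPs actually sit under a plan. The following is an added example, not code from the original article or from Microsoft: it reports, for an exported resource inventory, whether each Azure Firewall public IP is covered by a plan or falls back to basic protection. It assumes the plan is attached at the virtual network level and that the exports use the flattened field names shown (`ipConfigurations`, `subnet`, `publicIPAddress`, `enableDdosProtection`, `ddosProtectionPlan`); all resource IDs are constructed sample values.

```python
# Constructed sample inventory (not real resources). The field names are an
# assumption about the export shape; verify them against your own data.
SUB = "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network"

VNETS = [
    {"id": f"{SUB}/virtualNetworks/vnet-hub", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": f"{SUB}/ddosProtectionPlans/plan1"}},
    {"id": f"{SUB}/virtualNetworks/vnet-dev", "enableDdosProtection": False,
     "ddosProtectionPlan": None},
]
FIREWALLS = [
    {"name": "fw-hub", "ipConfigurations": [
        {"subnet": {"id": f"{SUB}/virtualNetworks/VNET-HUB/subnets/AzureFirewallSubnet"},
         "publicIPAddress": {"id": f"{SUB}/publicIPAddresses/pip-hub-1"}},
        # Additional public IPs carry no subnet reference of their own.
        {"subnet": None, "publicIPAddress": {"id": f"{SUB}/publicIPAddresses/pip-hub-2"}},
    ]},
    {"name": "fw-dev", "ipConfigurations": [
        {"subnet": {"id": f"{SUB}/virtualNetworks/vnet-dev/subnets/AzureFirewallSubnet"},
         "publicIPAddress": {"id": f"{SUB}/publicIPAddresses/pip-dev-1"}},
    ]},
]

def vnet_of(subnet_id):
    """Parent VNet ID of a subnet ID, lower-cased (resource IDs are case-insensitive)."""
    return subnet_id.lower().split("/subnets/")[0]

def firewall_ip_coverage(firewalls, vnets):
    """Map each firewall public IP ID to 'plan' or 'basic'."""
    # VNets that have protection enabled and a plan attached.
    planned = {v["id"].lower() for v in vnets
               if v.get("enableDdosProtection")
               and (v.get("ddosProtectionPlan") or {}).get("id")}
    result = {}
    for fw in firewalls:
        configs = fw.get("ipConfigurations") or []
        # The firewall's VNet comes from whichever IP configuration names a subnet.
        vnet_ids = {vnet_of(c["subnet"]["id"]) for c in configs if c.get("subnet")}
        tier = "plan" if vnet_ids & planned else "basic"
        for c in configs:
            pip = (c.get("publicIPAddress") or {}).get("id")
            if pip:
                result[pip] = tier
    return result

if __name__ == "__main__":
    for pip, tier in firewall_ip_coverage(FIREWALLS, VNETS).items():
        print(f"{tier:5}  {pip.rsplit('/', 1)[-1]}")
```

Any IP reported as `basic` is one where the trade-offs in points 1 to 3 apply: no customization, mitigation policies or attack telemetry from the Standard plan.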