Exclude Public IP addresses in Azure DDOS network protection

Azure DDOS network protection provides security for services deployed in virtual networks against volumetric attacks by way of always-on traffic monitoring and adaptive real time tuning. This may be achieved by applying DDOS protection plans to the different virtual networks in the different architectural tiers such as the Hub and Spoke network, Windows N-tier and Paas Web App architectures.

Management of Azure services involves careful planning around available resources. One capability that is often requested by Azure DDoS protection customers is the ability to exclude certain public IP addresses from the protection plan to accommodate their prioritized workloads. For instance, public IPs attached to services in hybrid networking may be protected by DDoS plans in the hub or in the spoke virtual network depending on the type of architecture in use and the Public IP tier. A security administrator might also opt to use a DDoS IP protection SKU for certain workloads over DDoS Network protection.

The ability to exclude certain public addresses from the DDOS network protection plan is now available to customers. A security administrator can take advantage of this feature to enable or disable DDOS protection on specified public IP addresses in their virtual network. To use this feature,

Log on to Azure Portal through https://preview.portal.azure.com (This is only available in the Preview portal at this time.)
Go to the Public IP resource
Confirm Public IP SKU is Standard. (Available for Standard Public IP SKU)
On the Overview page, Click Protect (Protect IP address)

Configure the public IP DDOS protection status using the options as shown below. When disabled, a notification on the current safety status of your network resources with be displayed. Note that “Disable” option will only work in regions where IP Protection SKU is available.

For more updates and announcement on Azure DDoS protection or Azure Network Security products, subscribe to the announcement channel via Azure blog

Resources:

What’s new in Azure Network Security at Microsoft Ignite 2022 - Microsoft Community Hub

Public preview: IP Protection SKU for Azure DDoS Protection | Azure updates | Microsoft Azure

Azure DDoS Protection Overview | Microsoft Learn

Published on: November 14, 2022

Learn more

Azure Network Security Blog articles

Setting up Power BI Version Control with Azure Dev Ops

In this blog post is a way set up version control for Power BI semantic models (and reports) using the PBIP (Power BI Project) format, Azure D...

1 day ago

Azure Developer CLI (azd) – March 2026: Run and Debug AI Agents Locally, GitHub Copilot Integration, & Container App Jobs

Run, invoke, and monitor AI agents locally or in Microsoft Foundry with the new azd AI agent extension commands. Plus GitHub Copilot-powered p...

2 days ago

Blog image

Azure Network Security Blog articles

Learn more

Exclude Public IP addresses in Azure DDOS network protection

Related posts

Setting up Power BI Version Control with Azure Dev Ops

Azure Developer CLI (azd) – March 2026: Run and Debug AI Agents Locally, GitHub Copilot Integration, & Container App Jobs

Writing Azure service-related unit tests with Docker using Spring Cloud Azure

Azure SDK Release (March 2026)

Specifying client ID and secret when creating an Azure ACS principal via AppRegNew.aspx will be removed

Azure Firewall integration with Microsoft Sentinel and Defender XDR

Azure Developer CLI (azd): Run and test AI agents locally with azd

Microsoft Purview compliance portal: Endpoint DLP classification support for Azure RMS–protected Office documents

Azure Security - Build and Scale Securely on Microsoft's AI Platform

Introducing the Azure Cosmos DB Plugin for Cursor