Guarding the Gates: Exploring Supported Scenarios for Azure DDoS Protection and Public IP Prefixes

Guarding the Gates: Exploring Supported Scenarios for Azure DDoS Protection and Public IP Prefixes


In the face of an ever-evolving digital landscape, businesses are constantly under the threat of Distributed Denial of Service (DDoS) attacks. These relentless assaults have the potential to overwhelm network resources, disrupt services, compromise sensitive data, and lead to significant financial losses. As these threats become increasingly common, the need for a robust defense mechanism has never been more critical.


In this blog post we are showing you the scenarios where Azure DDoS Protection can help protect Public IP Prefixes from these attacks.


What is Azure DDoS Protection?

Azure DDoS Protection is a cloud-based service provided by Microsoft Azure that provides automatic detection and mitigation of DDoS attacks for Azure resources. Key features and benefits of Azure DDoS Protection include:

  • Adaptive tuning of the DDoS mitigation policy thresholds based on the traffic patterns and characteristics of each application.
  • Automatic detection and mitigation of DDoS attacks without requiring any user intervention or configuration changes.
  • Detailed monitoring and reporting of DDoS attack incidents and mitigation actions.


Azure DDoS Protection protects resources using Public IPs and Public IP Prefixes in ARM based VNETs, such as:


  • IaaS Virtual Machines
  • Load Balancers
  • Application Gateway (including WAF)
  • Azure Firewall
  • Bastion
  • VPN Gateway
  • IaaS based Network Virtual Appliance (NVA)
  • Others as described here


What is Public IP Prefix?

A public IP address prefix is a reserved range of public IP addresses in Azure. Public IP prefixes are assigned from a pool of addresses in each Azure region. You create a public IP address prefix in an Azure region and subscription by specifying a name and prefix size. The prefix size is the number of addresses available for use. Public IP address prefixes consist of IPv4 or IPv6 addresses. In regions with Availability Zones, Public IP address prefixes can be created as zone-redundant or associated with a specific availability zone. After the public IP prefix is created, you can create public IP addresses. A Public IP Prefix can be used in different scenarios as described here.


Protecting Public IP Prefixes from DDoS attacks

Upon the creation and assignment of a Public IP Prefix to a resource, it becomes exposed and potentially susceptible to DDoS attacks. To prevent these attacks from disrupting services or rendering applications unresponsive, the use of Azure DDoS Protection is highly recommended. However, it is important to know what to expect when you are protecting a Public IP Prefix. Below you will find the supported scenarios using a PIP from a Prefix and a Public IP Prefix.


PIP from a Public IP Prefix:



Public IP Prefix:



The only SKU available to protect an IP Prefix is DDoS Network Protection. Once the DDoS protection plan is enabled at VNET level the IP Prefix attached to a resource in the same VNET is protected. Next, we need to create a Diagnostic Setting, enabling all 3 DDoS log categories, so we can get visibility of attacks when they occur.




Through the IP Prefix Metrics blade, we can also gain visibility of all the DDoS metrics such as “Inbound TCP packets to trigger DDoS mitigation”, “Under DDoS attack or not”, and others.





The digital landscape is fraught with threats, and DDoS attacks are among the most disruptive. The exposure of Azure resources using Public IPs and Public IP Prefixes can make them vulnerable to such attacks. However, with Azure DDoS Protection, organizations can fortify their defenses, ensuring the continuity of services and the responsiveness of applications keeping in mind each scenario discussed in this blog.



Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Recovery options for Azure Virtual Machines (VM) affected by CrowdStrike Falcon agent

We are aware of an issue that started on 19 July 2024 at 04:09UTC, which resulted in customers experiencing unresponsiveness and startup failu...

6 hours ago

Use cases of Advanced Network Observability for your Azure Kubernetes Service clusters

Introduction  Advanced Network Observability is the inaugural feature of the Advanced Container Networking Services (ACNS) suite bringing...

18 hours ago

Azure Update Manager to support CIS hardened images among other images

What’s coming in by end of July 2024: Azure Update Manager will add support for 35 CIS hardened images. This is the first time that Update Man...

1 day ago

Mastering your cloud journey: Essentials to Innovating, Migrating and Modernizing, on Azure

We are living during a time of rapid growth in AI technologies and seeing cloud complexity increase as a result of those advanced workloads, w...

1 day ago

Announcing the stable release of Azure Event Grid Namespaces HTTP client libraries

This post announces stable release of the HTTP Azure Event Grid Namespaces client libraries in .NET, Java, JavaScript, Python, and Go. The pos...

1 day ago

Portal extension for Azure Firewall with DDoS protection

Introduction In the ever-evolving landscape of network security, Azure Firewall has emerged as a key player. As a managed, cloud-based network...

2 days ago

Generative AI with Azure Cosmos DB

Leverage Azure Cosmos DB for generative AI workloads for automatic scalability, low latency, and global distribution to handle massive data vo...

2 days ago

Enhancing Document Extraction with Azure AI Document Intelligence and LangChain for RAG Workflows.

Overview. The broadening of conventional data engineering pipelines and applications to include document extraction and preprocessing for ...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy