Why is our web app down or super slow to load all of a sudden?! Traffic numbers are through the roof! What is going on? Did we go viral?


And that is how a denial of service attack looks. An attacker tries to bring down your app by generating so much traffic to it that it can’t serve legitimate users. Attackers can use plenty of amplification techniques to do this without significant costs to them. And it can be even worse if they are leveraging an established DDoS service.

Thankfully there are ways to protect yourself from DDoS attacks. One great way is to leverage the Azure DDoS service. This service wraps all of your public endpoints in Azure in a layer of protection to prevent these attacks. Microsoft will even credit back the cost of Azure services that result from a DDoS attack (like additional VMs or container instances). Microsoft has successfully thwarted some of the largest attacks in history at about 3.5 Terabits per second (Tb/s)! Check out this article about it.

Azure DDoS Costs

The cost structure for Azure DDoS Network Protection is really simple, but also pretty far out of reach for smaller organizations. It is a flat $2,944/mo for the entire tenant (up to 100 public IPs). It doesn’t matter how many subscriptions or VNETs you have; it covers all of them, though there is an overage fee if you have more than 100 public IPs. That sounds great at scale, but for a company that only has a couple of public IPs, that is a pretty steep barrier to entry.

Thankfully, Microsoft recently released their Azure DDoS IP Protection SKU which allows you to pay per public IP address at $199/mo. This new SKU dramatically reduces the barrier to entry and puts this service in reach of smaller organizations. You can find more information about the different SKUs here.

Azure DDoS WAF Savings

What if I told you turning on Azure DDoS Network Protection at almost $3k/mo might actually reduce your overall Azure spend? I know that sounds crazy, and I’m not even talking about the cost savings in the event of an attack (which could be significant). There is a little-known footnote in the DDoS pricing related to Azure WAF: your Azure WAF is billed at the lower Application Gateway rate if you have DDoS enabled for your VNET. You can read the details here on the pricing page.

For example, WAF_v2 is $.0558/hr, but with DDoS Network Protection enabled it would be billed at $0.31/hr. The break-even point on this is about 15 WAFs in your entire tenant, at which point you would get DDoS Network Protection essentially for free. Above that number of WAFs, enabling DDoS Network Protection actually saves you money.

Conclusion

So, Azure DDoS Protection is a great service to protect your virtual networks from DDoS-style attacks, and now it is in reach of smaller organizations. If you are a large organization, you might even save money by enabling the service. Did you already know about the WAF cost savings? Are you using DDoS already? Subscribe to get updates when I make new blog posts!
