Andrew Posted on 7:03 am

Building the Foundations of Azure DDoS Defense

Today we start a journey into the heart of Azure’s DDoS protection capabilities—not just to check a box, but to build a resilient, observable, and defensible cloud perimeter.

DDoS attacks are no longer rare anomalies.  They’re persistent, evolving threats that target everything from public-facing APIs to mission-critical web apps.  And while Azure offers built-in protection, the real value comes when you configure it with intention: enabling diagnostics, routing telemetry, and preparing your environment to respond intelligently.

In this first installment, we’ll walk through the foundational steps required to activate and operationalize Azure’s DDoS protection. You’ll learn how to:

  • Enable diagnostic logging on Public IP resources
  • Create and configure a DDoS protection plan
  • Associate that plan with your virtual networks
  • Set up a Log Analytics workspace to collect and query attack data

This isn’t just a technical checklist—it’s a strategic blueprint.

Each configuration step is explained in detail, with guidance on what to click, what to select, and why it matters.  Whether you’re an Azure Engineer securing a production workload or an Architect designing for scale, this guide will help you build a defense posture that’s proactive, not reactive.

🧠 Pro Tip: Think of this phase as installing the sensors and wiring before turning on the security system.  Without it, you won’t know what’s happening—or how to respond.

Now, let’s get your environment ready to see, understand, and withstand what’s coming.

🔍 Step 1: Enable Diagnostic Logging on Public IP Resources

Why it matters: Diagnostic logs are the first line of defense in understanding traffic patterns and identifying anomalies.  Without them, you’re flying blind.

How to do it:

  1. Go to the Azure Portal and navigate to Public IP addresses.
  2. Select the Public IP resource you want to monitor.
  3. In the left-hand menu, click Diagnostic settings.
  4. Click + Add diagnostic setting.
  5. Name your setting (e.g., DDoS-IP-Logging).
  6. Under Category details, select:
    • DDoSProtectionNotifications
    • DDoSMitigationReports
    • DDoSMitigationFlowLogs
  7. Choose your destination:
    • Log Analytics workspace (recommended)
    • Storage account
    • Event Hub
  8. Click Save.

💡 Pro Tip: Always send logs to a Log Analytics workspace.  It unlocks powerful querying and visualization capabilities later on.  As an example, we can use the Public IP logs to analyze information about DDoS Mitigations and actions:

The DDoS log entries appear in different forms, but the ReportType_s column represents the current state of the action:

🧰 Step 2: Configure Your DDoS Protection Plan

Why it matters: Azure’s basic DDoS protection is automatic, but the Standard tier offers enhanced mitigation, telemetry, and support.

How to do it:

  1. In the Azure Portal, search for DDoS protection plans.
  2. Click + Create.
  3. Fill in the details:
    • Name: Enterprise-DDoS-Plan
    • Subscription: Select your active subscription.
    • Resource group: Create or select one.
    • Region: Choose the region closest to your workloads.
  4. Click Review + Create, then Create.

🧠 AzureTracks Insight: DDoS protection plans are not applied directly to resources—they’re linked to virtual networks.

As an example, the logs generated by the DDoS service on Public IPs inform us of actions and reasons:

We can see the mitigation taken against a risk:

🔗 Step 3: Associate the DDoS Plan with Your Virtual Network

  1. Navigate to your Virtual Network.
  2. In the left-hand menu, click DDoS protection.
  3. Click Enable, then select the DDoS protection plan you just created.
  4. Click Save.

📌 Pro Tip: You can associate the same DDoS plan with multiple virtual networks across subscriptions.

📊 Step 4: Connect to a Log Analytics Workspace

  1. In the Azure Portal, search for Log Analytics workspaces.
  2. Click + Create.
  3. Fill in the workspace details:
    • Name: DDoS-Insights-Workspace
    • Subscription and Resource group: Match your DDoS plan.
    • Region: Same as your resources.
  4. Click Review + Create, then Create.

Next:
Once the DDoS plan is created, return to your Diagnostic settings and ensure logs are routed to this workspace.
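
To verify the outcome of Steps 1 through 4 from exported configuration instead of clicking through the portal, the following added example (not part of the original post) audits a Public IP's diagnostic settings and a virtual network's DDoS association. It assumes the JSON has the shape returned by `az monitor diagnostic-settings list` and `az network vnet show`; the function names, sample data and placeholder resource IDs are constructed for illustration.

```python
import json

# Log categories the guide selects in Step 1.
REQUIRED = {"DDoSProtectionNotifications", "DDoSMitigationReports", "DDoSMitigationFlowLogs"}

def audit_public_ip(settings):
    """Return findings for one Public IP's list of diagnostic settings.
    Assumed input shape: output of `az monitor diagnostic-settings list`."""
    to_workspace, anywhere = set(), set()
    for s in settings:
        enabled = set()
        for log in s.get("logs") or []:
            if not log.get("enabled"):
                continue                      # category listed but switched off
            if log.get("categoryGroup") == "allLogs":
                enabled |= REQUIRED           # category group covers every log category
            elif log.get("category") in REQUIRED:
                enabled.add(log["category"])
        anywhere |= enabled
        if s.get("workspaceId"):              # only workspace destinations are queryable
            to_workspace |= enabled
    findings = [f"{c}: not enabled" for c in sorted(REQUIRED - anywhere)]
    findings += [f"{c}: enabled but not sent to a Log Analytics workspace"
                 for c in sorted((REQUIRED & anywhere) - to_workspace)]
    return findings

def audit_vnet(vnet):
    """Return findings for one virtual network (Step 3).
    Assumed input shape: output of `az network vnet show`."""
    if not vnet.get("enableDdosProtection"):
        return ["DDoS protection not enabled on virtual network"]
    if not (vnet.get("ddosProtectionPlan") or {}).get("id"):
        return ["DDoS protection enabled but no plan associated"]
    return []

# Constructed sample input (placeholder IDs, not real resources).
SAMPLE_SETTINGS = json.loads("""[
  {"name": "DDoS-IP-Logging", "workspaceId": "/subscriptions/<sub-id>/<workspace-path>",
   "logs": [{"category": "DDoSProtectionNotifications", "enabled": true},
            {"category": "DDoSMitigationReports", "enabled": false}]},
  {"name": "archive", "storageAccountId": "/subscriptions/<sub-id>/<storage-path>",
   "logs": [{"category": "DDoSMitigationFlowLogs", "enabled": true}]}
]""")
SAMPLE_VNET = {"name": "<vnet-name>", "enableDdosProtection": False, "ddosProtectionPlan": None}

if __name__ == "__main__":
    for finding in audit_public_ip(SAMPLE_SETTINGS) + audit_vnet(SAMPLE_VNET):
        print("FINDING:", finding)
```

On the constructed sample this reports the disabled mitigation reports category, the flow logs that only reach a storage account, and the unprotected virtual network.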

🧩 Summary: Building the Foundation for Resilient Azure Infrastructure

In today’s cloud-first world, uptime isn’t just a metric—it’s a mandate.  As organizations increasingly rely on Azure to host critical workloads, the threat of Distributed Denial of Service (DDoS) attacks looms large.  These attacks can cripple services, disrupt user experience, and erode trust.  Fortunately, Azure offers a robust suite of tools to mitigate these risks—but they require thoughtful configuration and visibility.

Part 1 of this series is all about laying the groundwork.  Before you can analyze threats or visualize attack patterns, you need to ensure your environment is instrumented correctly. That means enabling diagnostic logging on your Public IP resources, configuring a DDoS protection plan, associating it with your virtual networks, and setting up a Log Analytics workspace to collect and query telemetry.

This isn’t just checkbox compliance—it’s strategic readiness.  Each step builds toward a more resilient architecture:

  • Diagnostic logging gives you the raw data needed to detect and respond to threats.
  • DDoS protection plans unlock enhanced mitigation capabilities and Microsoft’s global threat intelligence.
  • Virtual network association ensures your workloads are actually protected.
  • Log Analytics provides the analytical horsepower to turn logs into insights.

Throughout this guide, we’ve emphasized not just what to do, but why it matters.  We’ve walked through every click and configuration with clarity, so even teams new to Azure can follow along confidently.  We’ve also layered in best practices and pro tips to help seasoned architects optimize their setup.

🧠 AzureTracks Insight: Think of this phase as installing the sensors and wiring before turning on the security system. Without it, you won’t know what’s happening—or how to respond.

In Part 2, we’ll move from setup to strategy. You’ll learn how to visualize DDoS events using Azure Workbooks, interpret mitigation reports, and leverage Microsoft’s GitHub resources to extend your visibility across services like Azure Front Door and WAF.