Guided by A Guide to Cloud
AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 1: Core Networking Infrastructure Premium ⏱ ~11 min read

DDoS Protection and Security Posture

Protect your Azure networks with DDoS Protection tiers and assess your overall security posture using Microsoft Defender for Cloud.

DDoS attacks flood your public endpoints with traffic until they collapse. Azure provides multiple tiers of protection. Alongside DDoS, Microsoft Defender for Cloud helps you identify security weaknesses before attackers do.

☕ Simple explanation

A DDoS attack is like a thousand people trying to squeeze through a single door at once — legitimate customers can’t get in. Azure DDoS Protection detects these floods of fake traffic and filters them before they reach your resources. Basic protection is always on and free; Network Protection adds smarter detection tuned to your specific resources.

Azure DDoS Protection defends against volumetric, protocol, and application-layer attacks. DDoS Network Protection provides enhanced mitigation tuned to your resources, applied per VNet, with adaptive tuning, attack analytics, cost protection guarantee, and rapid response. DDoS IP Protection is a lighter per-IP option.

DDoS Protection Tiers

Azure DDoS Protection Tiers

| Feature | Infrastructure Protection | IP Protection | Network Protection |
|---|---|---|---|
| Cost | Free (always on) | Per protected public IP | Per-VNet plan (protects up to 100 IPs) |
| Scope | All Azure customers automatically | Individual public IPs | All public IPs in protected VNets |
| Adaptive tuning | Generic thresholds | Per-IP tuning | Per-IP tuning based on traffic patterns |
| Metrics and alerts | Basic platform metrics | Attack metrics and alerts | Attack metrics, alerts, and diagnostics |
| Cost protection | No | No | Yes — service credit during attack-related scale-out |
| DDoS Rapid Response | No | No | Yes — access to Microsoft's DDoS response team |
| WAF discount | No | No | Yes — Application Gateway WAF included at no extra cost |
| Attack reports | No | Post-attack reports | Real-time and post-attack reports |

Choosing the right tier:

  • Infrastructure Protection: Automatic for everyone. Handles volumetric attacks at the Azure edge. No configuration needed.
  • IP Protection: Good for individual public IPs when you don’t need cost protection or rapid response. Pay per IP.
  • Network Protection: Enterprise choice. One plan protects all VNets and up to 100 public IPs. Includes cost protection (Azure credits you if DDoS causes autoscaling costs), rapid response team access, and WAF discount.

Configuring DDoS Protection

🔒 Aisha’s setup: Sentinel Banking needs maximum DDoS protection for their customer-facing services.

  1. Create a DDoS Protection plan (Network Protection tier)
  2. Associate the plan with VNets that contain public-facing resources
  3. Configure alerts on DDoS attack metrics:
    • Under DDoS attack or not — binary 0/1 metric
    • Inbound packets dropped — how much malicious traffic was mitigated
    • Inbound bytes dropped — volume of attack traffic stopped
  4. Enable diagnostic logs for detailed attack flow records

Exam Tip — DDoS Metrics: The exam tests that you know the metric “Under DDoS attack or not” is a simple 0/1 value. You create an alert rule that triggers when this metric equals 1. The “Inbound packets dropped” metric shows the mitigation in action. These metrics are only available with IP Protection or Network Protection tiers.
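
The alert condition above, applied to a metric series, as an added example that is not part of the original guide: it groups consecutive samples where the 0/1 metric equals 1 into attack windows and totals the dropped packets and bytes for each. The per-minute samples, their values and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed one-minute samples for one protected public IP:
# (timestamp, under_ddos_attack 0/1, inbound_packets_dropped, inbound_bytes_dropped)
T0 = datetime(2026, 1, 10, 14, 0)
SAMPLES = [
    (T0 + timedelta(minutes=i), flag, pkts, byts)
    for i, (flag, pkts, byts) in enumerate([
        (0, 0, 0), (0, 0, 0),
        (1, 120_000, 9_600_000), (1, 450_000, 36_000_000), (1, 90_000, 7_200_000),
        (0, 0, 0), (0, 0, 0),
        (1, 30_000, 2_400_000),
        (0, 0, 0),
    ])
]

def alert_fires(samples):
    """Alert rule from the text: fire when the binary metric equals 1."""
    return any(flag == 1 for _, flag, _, _ in samples)

def attack_windows(samples, step=timedelta(minutes=1)):
    """Group consecutive flag == 1 samples into incidents with mitigation totals."""
    windows, current = [], None
    for ts, flag, pkts, byts in samples:
        if flag == 1:
            if current is None:
                current = {"start": ts, "end": ts, "packets_dropped": 0, "bytes_dropped": 0}
            current["end"] = ts + step          # window covers the whole sample interval
            current["packets_dropped"] += pkts
            current["bytes_dropped"] += byts
        elif current is not None:
            windows.append(current)             # metric returned to 0: incident closed
            current = None
    if current is not None:                     # series ended while still under attack
        windows.append(current)
    return windows

if __name__ == "__main__":
    print("alert fires:", alert_fires(SAMPLES))
    for w in attack_windows(SAMPLES):
        print(w["start"], "to", w["end"], w["packets_dropped"], "packets,",
              w["bytes_dropped"], "bytes dropped")
```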

What DDoS Protection mitigates:

  • Volumetric attacks (flood bandwidth — UDP floods, amplification attacks)
  • Protocol attacks (exploit protocol weaknesses — SYN floods, ping of death)
  • Application layer attacks (require WAF for full protection — HTTP floods, slow attacks)

DDoS Protection handles L3/L4 attacks. For L7 (application layer) attacks, you also need a Web Application Firewall (WAF) on Application Gateway or Front Door (covered in Domain 5).

Microsoft Defender for Cloud — Network Security Posture

Defender for Cloud assesses your security posture across all Azure resources, including networking. It’s not a DDoS tool — it’s your security advisor.

Secure Score rates your overall security on a 0-100% scale based on how many recommendations you’ve implemented. Network-related recommendations include:

| Recommendation | What It Checks |
|---|---|
| NSG on all subnets | Subnets without associated NSGs |
| Restrict management ports | RDP/SSH open to the internet |
| Enable DDoS Protection | VNets without DDoS Protection enabled |
| Use private endpoints | Services exposed via public endpoints |
| Enable network flow logs | VNets or NSGs without flow logs |
| Apply just-in-time VM access | Management ports open 24/7 instead of JIT |

🔒 Aisha’s scenario: Sentinel Banking’s Secure Score is 68%. Defender shows 12 network recommendations. The highest-impact ones are:

  • 3 subnets without NSGs
  • 5 VMs with RDP open to internet (should use Bastion or JIT)
  • 2 storage accounts without private endpoints

Fixing these would raise her score to 82%.

Attack Path Analysis (Defender CSPM plan):

Attack path analysis maps how an attacker could chain vulnerabilities to reach sensitive resources:

🔒 Aisha’s example: Defender identifies a path: Internet to VM-Web (port 443 open, outdated OS) to VM-DB (no NSG on subnet, SQL exposed on 1433). The attack path shows that compromising the web server gives access to the database because the database subnet has no NSG.
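
The chain in this scenario, worked as a small graph search (an added example, not Defender for Cloud's own logic or code from the original guide): it finds paths from the internet to a sensitive VM and shows the path disappearing once the database subnet gets an NSG. The inventory, field names, subnet names and the simplified NSG model are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory modelled on the scenario above; all names are hypothetical.
# "nsg": None means the subnet has no NSG. Otherwise it is a list of (source, port)
# allow rules and is assumed to deny all other inbound traffic, VNet traffic included.
SUBNETS = {
    "snet-web": {"nsg": [("Internet", 443)]},
    "snet-db": {"nsg": None},
}
VMS = {
    "VM-Web": {"subnet": "snet-web", "public_ip": True, "ports": [443],
               "weakness": "outdated OS", "sensitive": False},
    "VM-DB": {"subnet": "snet-db", "public_ip": False, "ports": [1433],
              "weakness": None, "sensitive": True},
}

def reachable_ports(src, dst, subnets, vms):
    """Ports on VM dst that src ("Internet" or a VM name) can connect to."""
    vm = vms[dst]
    if src == "Internet" and not vm["public_ip"]:
        return []
    nsg = subnets[vm["subnet"]]["nsg"]
    if nsg is None:                      # no NSG: nothing filters inbound traffic
        return list(vm["ports"])
    sources = {src} if src == "Internet" else {src, vms[src]["subnet"]}
    return [p for p in vm["ports"] if any(s in sources and q == p for s, q in nsg)]

def attack_paths(subnets, vms):
    """Breadth-first search from the Internet to every VM marked sensitive."""
    found, queue = [], deque([["Internet"]])
    while queue:
        path = queue.popleft()
        for name, vm in vms.items():
            if name in path or not reachable_ports(path[-1], name, subnets, vms):
                continue
            if vm["sensitive"]:
                found.append(path + [name])
            elif vm["weakness"]:         # only a compromisable VM is a stepping stone
                queue.append(path + [name])
    return found

# Remediation: NSG on the database subnet admitting SQL only from a hypothetical app tier.
HARDENED = {**SUBNETS, "snet-db": {"nsg": [("snet-app", 1433)]}}

if __name__ == "__main__":
    print("before:", attack_paths(SUBNETS, VMS))
    print("after: ", attack_paths(HARDENED, VMS))
```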

Cloud Security Explorer lets you query your environment’s security graph:

  • “Show all VMs with public IPs that have critical vulnerabilities”
  • “Find all storage accounts accessible from the internet without private endpoints”
  • “List all subnets without NSGs in production subscriptions”

ℹ️ Defender for Cloud Pricing

Defender for Cloud has two tiers:

Free tier (Foundational CSPM):

  • Secure Score and basic recommendations
  • Always available for all Azure subscriptions
  • Good for basic posture assessment

Defender CSPM (paid):

  • Attack path analysis
  • Cloud Security Explorer
  • Agentless scanning
  • Governance rules for tracking remediation
  • Risk-based prioritisation

For the AZ-700 exam, focus on understanding what Defender for Cloud recommends for networking, not the pricing details. The exam tests your ability to identify the right security posture recommendations for network scenarios.

Key Takeaways

  • Infrastructure DDoS Protection is free and automatic for all Azure customers
  • Network Protection adds adaptive tuning, cost protection, and rapid response
  • DDoS handles L3/L4 attacks; WAF is needed for L7 application attacks
  • Defender for Cloud’s Secure Score tracks network security recommendations
  • Attack path analysis shows how attackers could chain vulnerabilities

Test Your Knowledge

Question

What are the three DDoS Protection tiers?

Answer

1. Infrastructure Protection (free, automatic). 2. IP Protection (per public IP, with metrics). 3. Network Protection (per VNet, includes cost protection, rapid response team, WAF discount).

Question

What does DDoS 'cost protection' mean?

Answer

With Network Protection tier, if a DDoS attack causes your resources to scale out (autoscaling), Azure provides service credits to cover the additional costs. Only available with Network Protection.

Question

What's the 'Under DDoS attack or not' metric?

Answer

A binary 0/1 metric that indicates whether a public IP is currently under active DDoS attack. Create an alert when it equals 1. Available with IP Protection and Network Protection tiers.

Question

What does Defender for Cloud's Secure Score measure?

Answer

A percentage (0-100%) showing how many security recommendations have been implemented. Higher score means better security posture. Network recommendations include NSG coverage, private endpoints, flow logs, and JIT access.


Knowledge Check

Aisha needs DDoS protection with cost protection and access to Microsoft's rapid response team. Which tier should she choose?

Knowledge Check

DDoS Protection Network tier is enabled on Ravi's VNet. An HTTP flood attack targets his web application. What additional protection does he need?


Next up: Site-to-Site VPN: Connecting On-Premises — Start Domain 2 by building VPN tunnels between Azure and your data centres.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.