Azure Network Defence: DDoS, Firewall & WAF
Three layers of Azure network protection — how DDoS Protection absorbs floods, Azure Firewall filters traffic, and WAF blocks web exploits like SQL injection.
Why does Azure need three layers of network defence?
Think of a bank with three security checkpoints.
DDoS Protection is the crowd-control barrier on the street. If a thousand people rush the building at once to block the entrance, the barrier absorbs the crowd so legitimate customers can still walk in.
Azure Firewall is the security desk in the lobby. It checks every person’s purpose: “Are you here to visit the vault? Denied. Are you here for a bank account? Proceed to floor 2.”
WAF is the teller window’s bulletproof glass. Even if someone gets inside, the glass stops them from reaching through and grabbing cash — it blocks specific attack techniques targeting the teller (the web application).
Each checkpoint stops a different type of threat. You need all three.
Azure DDoS Protection
A Distributed Denial of Service (DDoS) attack floods your resources with so much traffic that legitimate users cannot get through. Imagine millions of fake phone calls jamming a company’s switchboard — real callers get a busy signal.
Azure provides two tiers of DDoS protection:
| Feature | DDoS Infrastructure Protection | DDoS Protection |
|---|---|---|
| Cost | Free, automatic for all Azure services | Paid, enabled per virtual network |
| Protection level | Basic threshold-based mitigation | Advanced adaptive tuning per application |
| Monitoring | No per-customer telemetry | Real-time attack metrics and diagnostics |
| Alerts | None | Configurable alerts during attacks |
| Cost protection | None | Credits for resource scale-out during attacks |
| Rapid Response | Not included | Access to the DDoS Rapid Response team |
Key exam point: DDoS Infrastructure Protection is always on for every Azure resource at no extra cost. DDoS Protection adds application-specific tuning, telemetry, and cost guarantees.
Scenario: Alex defends SecureBank from a DDoS flood
SecureBank’s online banking portal suddenly receives 50x its normal traffic volume. The attack is coming from thousands of compromised devices worldwide.
With DDoS Infrastructure Protection (free): Azure’s global network absorbs common volumetric attacks automatically. Basic mitigation kicks in, but there’s no visibility into attack specifics and no custom tuning for SecureBank’s traffic patterns.
With DDoS Network Protection (paid): Azure has already learned SecureBank’s normal traffic profile. It detects the anomaly within seconds, applies per-application mitigation policies, sends Alex an alert with attack telemetry, and SecureBank is covered for any auto-scaling costs caused by the attack.
Alex reports to Director Reyes: “The attack peaked at 12 Gbps. DDoS Protection absorbed it without any user impact. Here’s the full diagnostic report.”
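The paid tier is turned on per virtual network by linking a DDoS protection plan, and the "configurable alerts" row in the table is an ordinary Azure Monitor metric alert on the public IP's under-attack metric. The Bicep below is an added example, not part of the original page or any Microsoft sample; the resource names, address ranges and the SOC e-mail address are assumptions for illustration.

```bicep
// Added example (not from the page): link a DDoS protection plan to a VNet and
// alert the SOC when a public IP is reported as under attack.
// Names, address ranges and the e-mail address below are assumptions.
param location string = resourceGroup().location
param alertEmail string = 'soc@example.com' // assumed SOC mailbox

// One plan can be shared by many VNets; billing is per plan, not per VNet.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'securebank-ddos-plan'
  location: location
}

// Linking the plan is what upgrades this VNet from the free infrastructure
// tier to the paid, per-application tuned tier.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'securebank-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
    subnets: [
      { name: 'web', properties: { addressPrefix: '10.0.1.0/24' } }
    ]
  }
}

// Public IPs in a protected VNet are the resources that emit attack telemetry.
resource portalIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'securebank-portal-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource socActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'securebank-soc'
  location: 'global'
  properties: {
    groupShortName: 'soc'
    enabled: true
    emailReceivers: [ { name: 'soc', emailAddress: alertEmail } ]
  }
}

// Fires within a minute of the platform flagging the IP as under attack.
resource underAttackAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'portal-under-ddos-attack'
  location: 'global'
  properties: {
    severity: 1
    enabled: true
    scopes: [ portalIp.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'UnderAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack' // 1 while mitigation is active, else 0
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
        }
      ]
    }
    actions: [ { actionGroupId: socActionGroup.id } ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f ddos.bicep`. The plan alone does nothing; the `ddosProtectionPlan` link on the VNet is the part that switches on per-application tuning and telemetry, and the alert is what turns that telemetry into the notification Alex receives in the scenario.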
Azure Firewall
Azure Firewall is a cloud-native, fully managed, stateful firewall that protects your Azure virtual network resources. “Stateful” means it tracks the full context of a connection — not just individual packets.
What Azure Firewall does
- Centralised network traffic filtering — one set of rules across all your virtual networks, instead of managing rules on every individual resource
- Threat intelligence-based filtering — automatically blocks traffic from known malicious IP addresses and domains, updated by Microsoft’s threat intelligence feed
- Application rules — allows or denies outbound traffic to specific domain names (for example, allow access to *.microsoft.com but block social media)
- Network rules — filters traffic based on source/destination IP, port, and protocol
- Built-in high availability — no load balancers needed, Azure manages the infrastructure
- DNAT (Destination NAT) — translates inbound traffic to private IP addresses in your virtual network
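The list above maps directly onto an Azure Firewall policy: application rules filter outbound traffic by FQDN, network rules by IP/port/protocol, and a DNAT rule publishes an internal server. The Bicep below is an added example and not part of the page or any Microsoft sample; the policy name, address ranges, the social-media FQDNs and the translated web-server address are assumptions for illustration.

```bicep
// Added example (not from the page): a firewall policy that allows
// *.microsoft.com outbound, denies social media, allows DNS by network rule,
// and DNATs inbound HTTPS to an internal web server. All names and addresses
// are assumptions.
param location string = resourceGroup().location
param firewallPublicIp string = '203.0.113.10' // assumed (documentation range)

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'securebank-fw-policy'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny' // block known-malicious IPs/domains from Microsoft's feed
  }
}

resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // DNAT: inbound 443 on the firewall's public IP -> internal web server
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-web'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'web-inbound'
            ipProtocols: ['TCP']
            sourceAddresses: ['*']
            destinationAddresses: [firewallPublicIp]
            destinationPorts: ['443']
            translatedAddress: '10.0.1.10' // assumed private IP of the web server
            translatedPort: '443'
          }
        ]
      }
      {
        // Network rule: IP/port/protocol only, no domain awareness
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-dns'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'dns-to-azure'
            ipProtocols: ['UDP']
            sourceAddresses: ['10.0.0.0/16']
            destinationAddresses: ['168.63.129.16'] // Azure-provided DNS
            destinationPorts: ['53']
          }
        ]
      }
      {
        // Application rule: deny by FQDN (something an NSG cannot do)
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-social-media'
        priority: 120
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'deny-social-fqdns'
            sourceAddresses: ['10.0.0.0/16']
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: ['*.facebook.com', '*.tiktok.com'] // assumed list
          }
        ]
      }
      {
        // Application rule: allow by FQDN
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-microsoft'
        priority: 130
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-microsoft-fqdns'
            sourceAddresses: ['10.0.0.0/16']
            protocols: [
              { protocolType: 'Https', port: 443 }
              { protocolType: 'Http', port: 80 }
            ]
            targetFqdns: ['*.microsoft.com']
          }
        ]
      }
    ]
  }
}
```

Two points worth checking in review: Azure Firewall processes DNAT rules first, then network rules, then application rules, regardless of the collection priorities, so a network rule that allows TCP/443 to `*` would admit social-media traffic before the application-layer deny is ever consulted. And because the firewall denies anything not explicitly allowed, the `deny-social-media` collection only matters when a broader allow (for example a wildcard FQDN) would otherwise match; it is kept here because the page's scenario asks for an explicit block.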
Azure Firewall vs NSGs — what’s the difference?
| Aspect | Azure Firewall | Network Security Groups (NSGs) |
|---|---|---|
| Scope | Entire virtual network (centralised) | Individual subnet or network interface |
| Threat intelligence | Yes — blocks known malicious IPs/domains | No |
| Application-layer filtering | Yes — can filter by domain name (FQDN) | No — IP and port only |
| Statefulness | Fully stateful | Stateful |
| Cost | Paid service | Free |
| Use case | Centralised enterprise traffic control | Basic allow/deny rules per resource |
Think of it this way: NSGs are the door locks on individual rooms. Azure Firewall is the security desk that controls who enters the building.
Exam tip: Azure Firewall exam patterns
When the exam asks about centralised network filtering or threat intelligence-based filtering, the answer is Azure Firewall.
When the exam asks about filtering traffic to a specific subnet or NIC, the answer is usually NSGs.
When the question mentions FQDN (domain name) filtering for outbound traffic — Azure Firewall. NSGs cannot filter by domain name.
Web Application Firewall (WAF)
WAF sits in front of your web applications and inspects every HTTP/HTTPS request for malicious patterns. It protects against the OWASP Top 10 — the ten most critical web application security risks, including:
- SQL injection — attacker inserts database commands into input fields
- Cross-site scripting (XSS) — attacker injects malicious scripts into web pages viewed by other users
- Request smuggling, HTTP floods, bot attacks
Where WAF is deployed
WAF is not a standalone service — it runs on top of these Azure services:
| Deployment option | Best for |
|---|---|
| Azure Application Gateway | Protecting web apps in a single Azure region |
| Azure Front Door | Protecting globally distributed web apps and APIs at the edge, with CDN and load balancing |
WAF modes
- Detection mode — logs malicious requests but does not block them (good for testing rules)
- Prevention mode — actively blocks detected attacks
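A WAF policy for Application Gateway is where both the mode and the OWASP rule set selection from the comparison table are set. The Bicep below is an added example, not part of the page or any Microsoft sample; the policy name and the excluded header name are assumptions. Deploying with `wafMode` left at `Detection`, reviewing the firewall log, then redeploying with `Prevention` is the rollout the two bullets above describe.

```bicep
// Added example (not from the page): WAF policy for Application Gateway.
// Start in Detection mode (log only), then switch the parameter to Prevention.
// Resource names and the excluded header are assumptions.
@allowed(['Detection', 'Prevention'])
param wafMode string = 'Detection'
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'securebank-waf-policy'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode            // Detection: log matches; Prevention: block them
      requestBodyCheck: true   // inspect POST bodies, where SQLi payloads usually live
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        // OWASP Core Rule Set: SQL injection, XSS, protocol/request-smuggling checks
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
        // Bot rule set for the bot traffic listed on the page
        { ruleSetType: 'Microsoft_BotManagerRuleSet', ruleSetVersion: '1.0' }
      ]
      // Tuning after a Detection-mode review: exclude a known-safe header
      // from inspection instead of disabling a whole rule group.
      exclusions: [
        {
          matchVariable: 'RequestHeaderNames'
          selectorMatchOperator: 'Equals'
          selector: 'x-correlation-id' // assumed internal tracing header
        }
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id
```

The policy is attached either to the whole gateway via its `firewallPolicy` property or to an individual listener. In Detection mode nothing is blocked and nothing is visible either unless a diagnostic setting sends the gateway's firewall log to a Log Analytics workspace, so enable that before relying on the log to decide when Prevention is safe to switch on.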
Comparing all three: DDoS vs Firewall vs WAF
| Feature | DDoS Protection | Azure Firewall | WAF |
|---|---|---|---|
| Threat type | Volumetric floods (overwhelm with traffic) | Network-level threats (unauthorized traffic flows) | Web application exploits (SQL injection, XSS) |
| OSI layer | Layer 3/4 (network/transport) | Layer 3/4/7 (network through application) | Layer 7 (application) |
| What it protects | Azure resources from being overwhelmed | Virtual network traffic (inbound and outbound) | Web applications from targeted attacks |
| Analogy | Crowd-control barrier | Building security desk | Bulletproof teller window |
| Deployment | Per virtual network | Centralised in a hub VNet | On Application Gateway or Front Door |
| Managed by | Azure platform (auto-tuned) | Admin defines rules | Admin selects rule sets (OWASP) |
🎬 Video walkthrough
Video coming soon: Azure Network Defence — DDoS, Firewall & WAF Explained (SC-900)
Knowledge check
SecureBank's online banking portal is experiencing a massive traffic flood from thousands of IP addresses worldwide. The portal is becoming unreachable for real customers. Alex needs an Azure service that automatically absorbs this attack. Which service should Alex prioritise?
James, the SOC lead at SecureBank, wants to ensure all outbound traffic from the company's Azure virtual network is filtered — specifically, he wants to block employees from accessing social media domains while allowing access to Microsoft services. Which Azure service is best suited for this requirement?
A penetration test reveals that SecureBank's customer-facing web application is vulnerable to SQL injection attacks. Which Azure service should Alex deploy to protect the application from these specific attacks?