Technical Lab: Activate and monitor distributed denial-of-service (DDoS) protection
Questions
Question 1 – Multiple Choice
An organization has three distinct virtual networks in Azure, each in a different region, and wants to apply DDoS protection to all of them. The security team needs to ensure consistent coverage with the least possible administrative effort.
Which approach best meets this requirement?
A) Create a DDoS Network Protection plan and associate it with each of the three virtual networks individually.
B) Enable DDoS IP Protection directly on each public IP address of the virtual networks.
C) Create a DDoS Network Protection plan per region and associate each plan with the corresponding virtual network.
D) Activate Azure default protection, which already covers all virtual networks automatically without additional configuration.
Question 2 – Technical Scenario
A network engineer configured an alert in Azure Monitor to trigger when the Under DDoS attack metric returns the value 1 on a protected public IP. During a simulated test, the attack was detected by Azure, but the alert did not fire.
Consider the configuration below:
Monitored resource: Public IP (pip-frontend)
Metric: Under DDoS attack
Condition: Greater than 0
Evaluation period: 1 minute
Aggregation: Maximum
What is the most likely cause of the alert failure?
A) The Under DDoS attack metric is not compatible with Azure Monitor metric-based alerts.
B) The 1-minute evaluation period is insufficient; the minimum required by the metric is 5 minutes.
C) The monitored public IP is not associated with a virtual network linked to an active DDoS Network Protection plan.
D) The Maximum aggregation is incompatible with binary metrics; Count should be used.
Question 3 – True or False
DDoS IP Protection offers the same adaptive mitigation policies and real-time attack telemetry as DDoS Network Protection, differing only in scope of application: IP Protection covers individual public IP addresses, while Network Protection covers all IPs of an entire virtual network.
True or False?
Question 4 – Technical Scenario
A company hosts a critical application behind an Azure Application Gateway with WAF enabled. The security team activated DDoS Network Protection on the virtual network where the Application Gateway is deployed. During an incident, the team notices that DDoS mitigation policies are not being optimally adjusted for the application's traffic.
Which action corrects this behavior?
A) Replace the Application Gateway with an Azure Load Balancer, as DDoS does not integrate adaptive policies with WAF.
B) Create and associate a DDoS policy with the Application Gateway resource, allowing mitigation thresholds to be adjusted to the specific traffic profile of that resource.
C) Move the Application Gateway to a dedicated subnet and apply a restrictive Network Security Group to complement mitigation.
D) Enable flow diagnostics on DDoS Protection and wait for the system to learn the traffic profile automatically without additional configuration.
Question 5 – Multiple Choice
An analyst needs to investigate a DDoS attack that occurred the previous week. They want to view metrics such as dropped packets, forwarded packets, and attack vectors used during the event.
Which Azure resource should be consulted to obtain this information?
A) Microsoft Defender for Cloud, in the network security alerts section.
B) Azure Network Watcher, through NSG flow logs associated with the affected subnet.
C) Azure Monitor, querying the metrics available on the public IP resource protected by the DDoS plan.
D) Log Analytics Workspace, through DDoS Network Protection plan diagnostic logs exported via Diagnostic Settings.
Answer Key and Explanations
Answer Key – Question 1
Answer: A
A single DDoS Network Protection plan can be associated with multiple virtual networks, including in different regions. This is exactly the administrative advantage of the plan-based model: centralizing coverage without multiplying resources.
Alternative C represents a common misconception: believing that the plan is restricted to the region where it was created. In practice, the plan is a global resource that can be linked to VNets in any Azure region.
Alternative B describes DDoS IP Protection, which is applied per individual IP and does not offer the same level of centralized management. Alternative D is false: Azure default protection offers only basic infrastructure mitigation, without granular coverage per VNet or resource.
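The plan-to-VNet model from the explanation above, as an added Bicep example that is not part of the original lab: one DDoS Network Protection plan linked to three VNets in three regions. Resource names, regions and address prefixes are constructed placeholders.

```bicep
// Added example, not from the page: one DDoS Network Protection plan linked to
// VNets in three regions (answer A). Names, regions and prefixes are placeholders.
resource ddosPlan 'Microsoft.Network/ddosProtectionPlans@2023-05-01' = {
  name: 'ddos-plan-global'
  location: 'eastus' // deployment location only; the plan can protect VNets in any region
}

var vnets = [
  { name: 'vnet-east', location: 'eastus', prefix: '10.1.0.0/16' }
  { name: 'vnet-west', location: 'westeurope', prefix: '10.2.0.0/16' }
  { name: 'vnet-asia', location: 'southeastasia', prefix: '10.3.0.0/16' }
]

// Every VNet points at the same plan; no per-region plan is needed (why C is wrong).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = [for v in vnets: {
  name: v.name
  location: v.location
  properties: {
    addressSpace: { addressPrefixes: [ v.prefix ] }
    enableDdosProtection: true
    ddosProtectionPlan: { id: ddosPlan.id }
  }
}]
```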
Answer Key – Question 2
Answer: C
The Under DDoS attack metric is only emitted by public IPs that are effectively covered by an active DDoS Network Protection plan or DDoS IP Protection. If the public IP pip-frontend is not associated with a VNet linked to an active plan, the metric simply will not be populated, and the alert will never fire, regardless of the Azure Monitor configuration.
Alternative A is false: this metric is natively supported by Azure Monitor. Alternative B is incorrect because there is no minimum period restriction of this nature for this metric. Alternative D is also wrong: the Maximum aggregation is suitable for binary metrics (0 or 1), as it captures the peak in the evaluated period.
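The alert from Question 2 written out as an added Bicep example (not from the original lab), showing where the public IP's protection mode decides whether the metric exists at all. The public IP name comes from the question; the action group parameter and the alert name are assumptions.

```bicep
// Added example, not from the page: the Question 2 alert on a Standard public IP.
// The action group parameter and resource names are placeholders.
param actionGroupId string // assumed: resource ID of an existing action group

// 'VirtualNetworkInherited' covers the IP only while it is attached to a resource in
// a VNet linked to an active plan; otherwise IfUnderDDoSAttack is never emitted and
// the alert below can never fire (answer C). 'Enabled' would select DDoS IP Protection.
resource pipFrontend 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-frontend'
  location: 'eastus'
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
    ddosSettings: { protectionMode: 'VirtualNetworkInherited' }
  }
}

// IfUnderDDoSAttack is the 0/1 "Under DDoS attack" metric; Maximum over a 1-minute
// window fires when any sample in that minute is 1 (why D is wrong).
resource underAttackAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'alert-pip-frontend-under-ddos'
  location: 'global'
  properties: {
    severity: 1
    enabled: true
    scopes: [ pipFrontend.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT1M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          name: 'UnderDDoSAttack'
          metricNamespace: 'Microsoft.Network/publicIPAddresses'
          metricName: 'IfUnderDDoSAttack'
          operator: 'GreaterThan'
          threshold: 0
          timeAggregation: 'Maximum'
          criterionType: 'StaticThresholdCriterion'
        }
      ]
    }
    actions: [ { actionGroupId: actionGroupId } ]
  }
}
```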
Answer Key – Question 3
Answer: False
DDoS IP Protection and DDoS Network Protection are not equivalent in features. Network Protection offers additional capabilities that IP Protection does not include, such as support for custom DDoS policies per resource, access to Microsoft's DDoS Rapid Response team, and more detailed mitigation reports.
Claiming that the only difference is the scope of application ignores these relevant functional distinctions, which can lead to an inadequate SKU choice for critical production environments. The decision between the two models should consider SLA, support, and visibility requirements, not just IP coverage.
Answer Key – Question 4
Answer: B
DDoS Network Protection learns the traffic profile of each public IP individually. When a resource like Application Gateway concentrates large volumes of legitimate traffic, the default mitigation thresholds may not accurately reflect this profile. Creating a DDoS policy associated with the resource allows adjusting mitigation thresholds to the actual behavior of that IP, reducing false positives and increasing protection effectiveness.
Alternative A is incorrect: DDoS integrates normally with Application Gateway and WAF. Alternative C addresses network segmentation, which is a valid practice but does not solve the described policy adjustment problem. Alternative D is imprecise: adaptive learning already occurs automatically, but without an explicit policy, default thresholds may remain inadequate for high-scale traffic.
Answer Key – Question 5
Answer: C
DDoS attack metrics, including dropped packets, forwarded packets, and vectors used, are exposed directly as Azure Monitor metrics on the protected public IP resource. This is the native and immediate way to inspect behavior during and after an event.
Alternative D describes a valid path for long-term retention and advanced analysis via Log Analytics, but it requires that Diagnostic Settings have been configured beforehand to export the logs. If this configuration did not exist before the attack, historical data will not be available in that destination. Alternative B is inadequate because NSG flow logs record accepted or denied connections, not DDoS mitigation metrics. Alternative A is incorrect because Defender for Cloud is not the primary tool for granular DDoS event telemetry.
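The precondition behind alternative D, as an added Bicep example that is not part of the original lab: a diagnostic setting on the protected public IP that forwards the DDoS log categories and platform metrics to Log Analytics, which only captures events that occur after it is deployed. The public IP name comes from Question 2; the workspace parameter and setting name are assumptions.

```bicep
// Added example, not from the page: export a protected public IP's DDoS logs to
// Log Analytics. Must exist before an attack; earlier events are not back-filled.
param workspaceId string // assumed: resource ID of an existing Log Analytics workspace

resource pipFrontend 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = {
  name: 'pip-frontend'
}

resource ddosDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-pip-frontend-ddos'
  scope: pipFrontend
  properties: {
    workspaceId: workspaceId
    logs: [
      { category: 'DDoSProtectionNotifications', enabled: true }
      { category: 'DDoSMitigationFlowLogs', enabled: true }
      { category: 'DDoSMitigationReports', enabled: true }
    ]
    // Also forwards the platform metrics (such as PacketsDroppedDDoS and
    // PacketsForwardedDDoS) that answer C reads directly from the public IP.
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}
```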