Azure Networking System Overview

Azure provides a wide range of networking services, which can be used independently or together to suit your needs. Below is an overview of different Azure networking scenarios:

Networking Foundation: Azure networking services provide essential connectivity for resources in the cloud. These include Virtual Network (VNet), Private Link, Azure DNS, Azure Virtual Network Manager, Azure Bastion, Route Server, NAT Gateway, Traffic Manager, Azure Network Watcher, and Azure Monitor.

Load Balancing and Content Delivery: Azure's load balancing and content delivery services enable efficient distribution and management of applications and workloads. Key services include Load Balancer, Application Gateway, and Azure Front Door.

Hybrid Connectivity: Azure hybrid connectivity services ensure secure communication between your Azure resources and on-premises environments. These include VPN Gateway, ExpressRoute, Virtual WAN, and Peering Service.

Network Security: Azure network security services protect your web applications and infrastructure from DDoS attacks and malicious traffic. Key services include Firewall Manager, Firewall, Web Application Firewall (WAF), and DDoS Protection.

Network Security

Azure’s network security services protect your web applications and infrastructure from DDoS attacks and other threats. Key components include Firewall Manager, Azure Firewall, Web Application Firewall (WAF), and DDoS Protection.

Networking Foundation Details        

These services form the backbone of network design and architecture in Azure, with options like Virtual Network (VNet), Private Link, Azure DNS, Azure Bastion, and more.

Virtual Network

Azure Virtual Network is a core service that serves as the foundational component for your private network in Azure. It allows various Azure resources, such as virtual machines (VMs), to securely communicate with each other, the internet and on-premises networks.

While a virtual network functions similarly to a traditional network in your own data center, it also leverages Azure's infrastructure advantages, including scalability, high availability, and enhanced isolation.

Why Use an Azure Virtual Network?

An Azure virtual network enables several key scenarios, including:

• Secure communication between Azure resources and the internet.
• Interaction between Azure resources within the same network.
• Connectivity with on-premises resources.
• Network traffic filtering.
• Traffic routing within and across networks.
• Integration with various Azure services.

1. Communication Between Azure Resources: Virtual networks allow the deployment of virtual machines and other Azure resources, such as Azure App Service Environments, Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets. For a comprehensive list of Azure resources that can be deployed into a virtual network, please take a look at Virtual Network Service Integration.

Deploying services within a virtual network offers several capabilities:

• Private Communication: Resources within the virtual network can interact privately using private IP addresses. For example, you can directly transfer data between HDInsight and SQL Server running on virtual machines within the same network.
• On-Premises Access: On-premises resources can connect to virtual network resources using private IP addresses via a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
• Network Peering: Virtual networks can be peered to allow resources in different virtual networks to communicate using private IP addresses.
• Subnet Deployment: Service instances are deployed into subnets within a virtual network. Inbound and outbound network access to these subnets must be managed through network security groups, following service-specific guidelines.
• Subnet Restrictions: Some services have restrictions on the subnet they can be deployed in. These restrictions may affect the application of policies, routes, or combining VMs and service resources within the same subnet. Examples include Azure NetApp Files, Dedicated HSM, Azure Container Instances, and App Service. Be sure to check each service for current restrictions, as they may change.
• Subnet Delegation: Optionally, some services may require a delegated subnet to explicitly designate that a subnet can host the service. Delegation provides the service with specific permissions to create service-related resources in the designated subnet.

2. Communication Between Virtual Networks: You can connect virtual networks using virtual network peering or Azure Virtual Network Manager, enabling resources within them to communicate. These virtual networks can be located in the same or different Azure regions. For more details, see Virtual Network Peering and Azure Virtual Network Manager.

2.1 Virtual Network Peering

Virtual network peering allows you to connect two or more virtual networks in Azure, making them appear as a single network for connectivity purposes. Traffic between virtual machines in peered virtual networks travels over Microsoft's backbone infrastructure, ensuring that it remains within Microsoft's private network, just like traffic within the same network.

Azure supports two types of peering:

1. Virtual Network Peering: Connects virtual networks within the same Azure region.
2. Global Virtual Network Peering: Connects virtual networks across different Azure regions.

2.2 Azure Virtual Network Manager

Azure Virtual Network Manager is a management service that allows you to group, configure, deploy, and oversee virtual networks across multiple subscriptions. Using Virtual Network Manager, you can create network groups to organize and logically segment your virtual networks. You can then set and apply connectivity and security configurations uniformly across all virtual networks within these groups.

3. Communication with the Internet: By default, all resources within a virtual network can communicate outbound to the Internet. To enable inbound communication, you can assign a public IP address or use a public Load Balancer. These can also manage outbound connections using Public IP addresses or public Load Balancers.

3.1 When you assign a public IP address to an Azure resource, you enable the following operations:

• Inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others.
• Outbound connectivity to the Internet using a predictable IP address.

3.2 Azure Load Balancer

Azure Load Balancer operates at Layer 4 of the Open Systems Interconnection (OSI) model, serving as the single point of contact for clients. It distributes inbound traffic that arrives at its front end to backend pool instances based on configured load-balancing rules and health probes. These backend pool instances can include Azure Virtual Machines or instances in a Virtual Machine Scale Set.

• Public Load Balancer: Provides outbound connectivity for virtual machines (VMs) within your virtual network by translating their private IP addresses to public IP addresses. It is used to balance internet traffic directed at your VMs.
• Internal (Private) Load Balancer: Used for scenarios requiring private IP addresses at the front end only. It balances traffic within a virtual network and can also be accessed from an on-premises network in hybrid scenarios.

4. Communication with On-Premises Networks: On-premises computers and networks can be connected to a virtual network via VPN Gateway or ExpressRoute.

4.1 Azure VPN Gateway

Azure VPN Gateway is a service designed to facilitate encrypted traffic between an Azure virtual network and on-premises locations over the public internet. It can also be used to encrypt traffic between Azure virtual networks over the Microsoft network. The service utilizes a specific type of Azure virtual network gateway known as a VPN gateway. Multiple connections can be established to the same VPN gateway, with all VPN tunnels sharing the available gateway bandwidth.

Why Use VPN Gateway?

1. Encrypted Traffic Between Azure Virtual Networks and On-Premises Locations:

• Site-to-Site Connection: Establishes an IPsec/IKE VPN tunnel between the VPN gateway and an on-premises VPN device.
• Point-to-Site Connection: Uses VPN protocols like OpenVPN, IKEv2, or SSTP to connect from a remote location, such as a conference or home, to your virtual network.

2. Encrypted Traffic Between Virtual Networks:

• VNet-to-VNet Connection: An IPsec/IKE VPN tunnel between the VPN gateway and another Azure VPN gateway, specifically designed for VNet-to-VNet connectivity.
• Site-to-Site Connection: An IPsec/IKE VPN tunnel used within a VNet-to-VNet architecture, allowing connections between VPN gateways and cross-premises connections.

3. Secure Failover Path for ExpressRoute:

• ExpressRoute + VPN Gateway: Combines ExpressRoute with VPN Gateway for coexistence and failover.
• Connecting Sites Not Through ExpressRoute: Use a combination of ExpressRoute and VPN Gateway connections for additional connectivity options.

4.2 ExpressRoute

ExpressRoute allows you to extend your on-premises networks into the Microsoft cloud via a private connection facilitated by a connectivity provider. This service enables connections to Microsoft cloud services, including Microsoft Azure and Microsoft 365.

You can connect through various methods, such as an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection via a connectivity provider at a colocation facility. ExpressRoute connections offer enhanced reliability, faster speeds, consistent latencies, and greater security compared to typical internet connections, as they do not traverse the public internet.

Express Route Cheat Sheet        

5. Encryption of Traffic Between Resources: Virtual network encryption can be used to secure traffic between resources within a virtual network.

5.1 Azure Virtual Network Encryption

Azure Virtual Network encryption is a feature that allows for the seamless encryption and decryption of traffic between Azure Virtual Machines by establishing a DTLS tunnel.

This feature enables the encryption of traffic between Virtual Machines and Virtual Machine Scale Sets within the same virtual network. It also supports encrypting traffic between virtual networks that are peered regionally or globally. For more details on virtual network peering, see the section on Virtual Network Peering.

Network Security Groups (NSGs)        

You can use an Azure Network Security Group (NSG) to filter network traffic between Azure resources within a virtual network. An NSG contains security rules that control inbound and outbound traffic to and from various Azure resources. Each rule allows you to specify the source and destination, as well as the port and protocol, to either allow or deny traffic.

Service Endpoints

A Virtual Network (VNet) service endpoint offers secure and direct connectivity to Azure services through an optimized route over the Azure backbone network. Service endpoints enable you to restrict access to your critical Azure service resources to only your virtual networks. With service endpoints, private IP addresses within the VNet can access the Azure service endpoint without requiring a public IP address on the VNet.

Azure Private Link

Azure Private Link allows you to access Azure PaaS services, such as Azure Storage and SQL Database, as well as customer-owned or partner-hosted services, through a private endpoint in your virtual network.

Traffic between your virtual network and the service travels over the Microsoft backbone network, eliminating the need to expose your service to the public internet. You can also create and deliver your private link service within your virtual network to your customers. Azure Private Link offers a consistent setup and usage experience across Azure PaaS services, customer-owned services, and partner services.

Azure DNS

Azure DNS offers DNS hosting and resolution using Microsoft's Azure infrastructure. It consists of three key services:

• Azure Public DNS: A hosting service for DNS domains, allowing you to manage your DNS records with the same credentials, APIs, tools, and billing used for other Azure services.
• Azure Private DNS: A DNS service designed for virtual networks, managing and resolving domain names internally without the need for a custom DNS solution.
• Azure DNS Private Resolver: This service enables seamless DNS queries between Azure DNS private zones and on-premises environments without the need for VM-based DNS servers.
• Azure Traffic Manager: A DNS-based traffic load balancer that distributes traffic to your public-facing applications across global Azure regions.

With Azure DNS, you can host and resolve public domains, manage DNS resolution within virtual networks, and facilitate name resolution between Azure and on-premises resources.

Azure Virtual Network Manager

Azure Virtual Network Manager is a management service that allows you to group, configure, deploy, and manage virtual networks across multiple subscriptions globally. Using Virtual Network Manager, you can create network groups to organize and logically segment your virtual networks. You can then set and apply connectivity and security configurations uniformly across all virtual networks within these groups.

Azure Bastion

Azure Bastion is a service that you can deploy within a virtual network to securely connect to virtual machines through your browser and the Azure portal. It also supports connections using the native SSH or RDP clients installed on your local computer. As a fully managed PaaS service, Azure Bastion is deployed directly inside your virtual network and provides secure, seamless RDP/SSH connectivity to virtual machines via the Azure portal over TLS. With Azure Bastion, your virtual machines do not require a public IP address, special client software, or agents.

Azure Bastion is available in multiple SKUs (tiers), and the tier you choose determines the available features.

Azure Route Server

Azure Route Server streamlines dynamic routing between your network virtual appliance (NVA) and your virtual network. It enables the automatic exchange of routing information using the Border Gateway Protocol (BGP) between any BGP-compatible NVA and the Azure Software Defined Network (SDN) within an Azure Virtual Network (VNet). This eliminates the need for manual configuration or maintenance of route tables, simplifying network management.

The following diagram illustrates how Azure Route Server works with an SDWAN NVA and a security NVA in a virtual network. Once you establish the BGP peering, Azure Route Server receives an on-premises route (10.250.0.0/16) from the SDWAN appliance and a default route (0.0.0.0/0) from the firewall. These routes are then automatically configured on the VMs in the virtual network. As a result, all traffic destined for the on-premises network is sent to the SDWAN appliance, while all internet-bound traffic is sent to the firewall. In the opposite direction, Azure Route Server sends the virtual network address (10.1.0.0/16) to both NVAs. The SDWAN appliance can propagate it further to the on-premises network.

NAT Gateway

Azure NAT Gateway is a fully managed, highly resilient Network Address Translation (NAT) service. It enables instances within a private subnet to connect outbound to the internet while maintaining their privacy. NAT Gateway does not allow unsolicited inbound connections from the internet; only response packets from outbound connections can pass through.

NAT Gateway offers dynamic SNAT (Source Network Address Translation) port functionality, which automatically scales outbound connectivity and helps mitigate the risk of SNAT port exhaustion.

Traffic Manager

Azure Traffic Manager is a DNS-based load balancer that optimizes traffic distribution to services across global Azure regions, ensuring high availability and responsiveness. It supports various traffic-routing methods, including priority, weighted, performance, geographic, multi-value, and subnet-based routing.

The following diagram illustrates endpoint priority-based routing with Traffic Manager:

Azure Traffic Manager offers six traffic-routing methods to direct network traffic to various service endpoints. Each Traffic Manager profile uses its specified routing method to handle DNS queries and determine which endpoint is returned in the DNS response.

The available traffic-routing methods are:

• Priority: Use Priority routing to designate a primary service endpoint for all traffic, with multiple backup endpoints available if the primary or any backup endpoint becomes unavailable.
• Weighted: Use Weighted routing to distribute traffic among a set of endpoints based on assigned weights. Set equal weights to distribute traffic evenly across all endpoints.
• Performance: Use Performance routing to direct traffic to the endpoint with the lowest network latency, based on the geographic locations of your endpoints.
• Geographic: Use Geographic routing to direct users to specific endpoints (Azure, External, or Nested) based on the geographic origin of their DNS queries. This method helps comply with data sovereignty requirements and regional content localization.
• Multivalue: Use MultiValue routing for profiles with only IPv4/IPv6 addresses as endpoints. All healthy endpoints are returned when a query is received.
• Subnet: Use Subnet routing to map IP address ranges to specific endpoints. The endpoint returned corresponds to the IP address range of the request’s source IP address.

Azure Network Watcher

Azure Network Watcher offers a comprehensive set of tools to monitor, diagnose, view metrics, and manage logs for Azure IaaS (Infrastructure-as-a-Service) resources. It helps ensure the health of network components like virtual machines (VMs), virtual networks (VNets), application gateways, and load balancers. However, Network Watcher is not designed for PaaS monitoring or web analytics.

Network Watcher provides three primary sets of tools and capabilities:

• Monitoring
• Network diagnostic tools
• Traffic analysis

Azure Monitor

Azure Monitor is a comprehensive solution designed to collect, analyze, and respond to monitoring data from both cloud and on-premises environments. It helps optimize the availability and performance of your applications and services by providing insights into their operations and enabling both manual and automated responses to system events.

Azure Monitor gathers and consolidates data from all layers and components of your system, spanning multiple Azure and non-Azure subscriptions and tenants. This data is stored in a unified platform, accessible through a set of tools that can correlate, analyze, visualize, and respond to it. Additionally, Azure Monitor integrates with other Microsoft and non-Microsoft tools for enhanced functionality.

Load Balancing and Content Delivery          

This section covers Azure networking services that aid in delivering applications and workloads, including Azure Load Balancer, Application Gateway, and Azure Front Door.

Azure Load Balancer

Load balancing involves efficiently distributing incoming network traffic across a set of backend servers or resources.

Azure Load Balancer functions at layer 4 of the Open Systems Interconnection (OSI) model and serves as the single point of contact for clients. It directs inbound traffic that reaches its front end to backend pool instances based on configured load-balancing rules and health probes. These backend pool instances can include Azure Virtual Machines or instances within a Virtual Machine Scale Set.

• A public load balancer provides outbound connections for virtual machines (VMs) within your virtual network by translating their private IP addresses to public IP addresses. This type of load balancer is used to manage internet traffic to your VMs.
• An internal (or private) load balancer is used when only private IP addresses are required at the front end. It balances traffic within a virtual network and can be accessed from an on-premises network in hybrid scenarios.

Application Gateway

Azure Application Gateway is a web traffic load balancer that operates at OSI layer 7, allowing you to manage traffic to your web applications. Unlike traditional load balancers that work at the transport layer (OSI layer 4) and route traffic based on source and destination IP addresses and ports, Application Gateway makes routing decisions based on additional attributes of an HTTP request, such as URI path or host headers.

For example, you can configure Application Gateway to route traffic based on specific elements of the incoming URL. If the URL contains /images, traffic can be directed to a pool of servers optimized for handling image requests. Similarly, if the URL includes /video, the traffic can be routed to a different pool tailored for video content.

This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

Azure Front Door

Whether you're delivering content, and files, or building global applications and APIs, Azure Front Door enhances your ability to provide higher availability, lower latency, greater scalability, and more secure experiences for users everywhere.

Azure Front Door is Microsoft's advanced cloud Content Delivery Network (CDN) that ensures fast, reliable, and secure access to both static and dynamic web content. Leveraging Microsoft's extensive global edge network, Azure Front Door delivers content through hundreds of points of presence (PoPs) distributed worldwide, bringing your applications closer to both enterprise and consumer end users.

Hybrid Connectivity        

This section describes network connectivity services that provide secure communication between your on-premises network and Azure - VPN Gateway, ExpressRoute, Virtual WAN, and Peering Service.

VPN Gateway

Azure VPN Gateway is a service that facilitates encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. It can also be used to secure traffic between Azure virtual networks through the Microsoft network. This service relies on a specialized type of Azure virtual network gateway known as a VPN gateway and supports multiple connections to the same gateway. When multiple connections are configured, all VPN tunnels share the available bandwidth of the gateway.

Key Scenarios for Using VPN Gateway:

1. Encrypting Traffic Between Azure Virtual Networks and On-Premises Locations:

• Site-to-Site Connection: Establish an IPsec/IKE VPN tunnel between the VPN gateway and an on-premises VPN device.Point-to-Site Connection: Connect to your virtual network from a remote location, such as from home or a conference, using OpenVPN, IKEv2, or SSTP.

2. Encrypting Traffic Between Virtual Networks:

• VNet-to-VNet Connection: Set up an IPsec/IKE VPN tunnel between your VPN gateway and another Azure VPN gateway specifically for VNet-to-VNet connections.
• Site-to-Site Connection: Use an IPsec/IKE VPN tunnel between your VPN gateway and another Azure VPN gateway, which supports both cross-premises and VNet-to-VNet connections.

3. Configuring Site-to-Site VPN as a Secure Failover Path for ExpressRoute:

• ExpressRoute + VPN Gateway: Combine ExpressRoute with VPN Gateway for coexistence and enhanced connectivity.

4. Connecting Sites Not Through ExpressRoute:

• ExpressRoute + VPN Gateway: Utilize this combination to connect sites that are not linked via ExpressRoute.

ExpressRoute

Express-Route allows you to extend your on-premises networks into the Microsoft Cloud through a private connection provided by a connectivity partner. With ExpressRoute, you can establish direct connections to Microsoft cloud services, including Microsoft Azure and Microsoft 365.

You can connect using various methods, such as an any-to-any (IP VPN) network, a point-to-point Ethernet connection, or a virtual cross-connection via a provider at a colocation facility. ExpressRoute connections offer greater reliability, faster speeds, consistent latency, and enhanced security compared to standard Internet connections, as they do not traverse the public Internet.

Virtual WAN

Azure Virtual WAN is a comprehensive networking service that integrates various networking, security, and routing functionalities into a unified operational interface. Key features include:

- Branch connectivity through automated setups with Virtual WAN Partner devices such as SD-WAN or VPN CPE.

• Site-to-site VPN connectivity.
• Remote user VPN connectivity (point-to-site).
• Private connectivity via ExpressRoute.
• Intra-cloud connectivity, allowing transitive connectivity between virtual networks.
• VPN and ExpressRoute interconnectivity.
• Routing, Azure Firewall, and encryption for private connections.

You can begin using Virtual WAN with any one of these features and expand as your network needs grow.

The Virtual WAN architecture is built on a hub-and-spoke model, optimized for performance and scalability. It supports connections from branches (via VPN/SD-WAN devices), users (through Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. This design facilitates a global transit network where the cloud-hosted network 'hub' enables transitive connectivity among endpoints distributed across various 'spokes.'

Azure regions function as hubs that you can select to connect. In a Standard Virtual WAN setup, all hubs are interconnected in a full mesh, allowing seamless use of the Microsoft backbone for any-to-any connectivity.

For connecting spoke networks with SD-WAN/VPN devices, you can either configure it manually in Azure Virtual WAN or use the Virtual WAN CPE (SD-WAN/VPN) partner solution for automated connectivity setup. A list of partners supporting connectivity automation is available, enabling easy integration with Azure Virtual WAN.

Peering Service

Azure Peering Service is a networking solution that improves connectivity to Microsoft cloud services, including Microsoft 365, Dynamics 365, various SaaS offerings, and Azure. It also supports other Microsoft services available via the public internet. Microsoft collaborates with internet service providers (ISPs), internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers globally to ensure reliable and high-performance public connectivity with optimal routing from customers to the Microsoft network.

With Azure Peering Service, customers can choose a well-connected partner provider in their region. This service optimizes public connectivity to ensure high reliability and minimal latency between cloud services and end-user locations.

Customers can also choose Peering Service telemetry options, including user latency measurements to the Microsoft network and BGP route monitoring, by registering the Peering Service connection through the Azure portal.

To use Peering Service, customers do not need to register directly with Microsoft. Instead, they should contact a Peering Service partner to obtain the service. To enable Peering Service telemetry, customers must register for this feature in the Azure portal.

Network Security        

This section describes networking services in Azure that protect and monitor your network resources - Firewall Manager, Firewall, Web Application Firewall, and DDoS Protection.

Firewall Manager

Azure Firewall Manager is a security management service that centralizes the management of security policies and routes for cloud-based security perimeters.

Firewall Manager supports two types of network architectures:

• Secured Virtual Hub:

An Azure Virtual WAN Hub, managed by Microsoft, allows you to easily set up hub-and-spoke architectures. When security and routing policies are applied to this hub, it is referred to as a secured virtual hub.

• Hub Virtual Network:

This is a standard Azure virtual network that you create and manage yourself. When security policies are applied to this network, it is known as a hub virtual network. Currently, only Azure Firewall Policy is supported. You can connect spoke virtual networks containing your workload servers and services, and also manage firewalls in standalone virtual networks that are not peered with any spokes.

Azure Firewall

Azure Firewall is a cloud-native, intelligent network security service designed to provide top-tier threat protection for your Azure cloud workloads. As a fully stateful firewall service, it offers built-in high availability and unlimited cloud scalability, with capabilities for inspecting both east-west and north-south traffic. For more information on these types of traffic, see East-west and North-south traffic.

Azure Firewall is available in three SKUs: Standard, Premium, and Basic.

Azure Firewall Standard:

Azure Firewall Standard delivers Layer 3 to Layer 7 filtering and integrates threat intelligence feeds from Microsoft Cyber Security. This feature enables threat intelligence-based filtering to alert and block traffic from or to known malicious IP addresses and domains, with updates provided in real-time to guard against emerging threats.

Azure Firewall Premium

Azure Firewall Premium offers enhanced security features, including a signature-based Intrusion Detection and Prevention System (IDPS) for swift attack detection by identifying specific patterns. This includes byte sequences in network traffic or known malicious instruction patterns used by malware. With over 67,000 signatures across more than 50 categories, updated in real-time, it protects against a wide range of threats, including malware, phishing, coin mining, and Trojan attacks.

Azure Firewall Basic

Azure Firewall Basic is designed for small and medium-sized businesses (SMBs) to safeguard their Azure cloud environments. It offers essential security features at a cost-effective price, providing the fundamental protection SMBs require.

Web Application Firewall

Azure Web Application Firewall (WAF) shields your web applications from common web threats and vulnerabilities, including SQL injection and cross-site scripting. It offers built-in protection against the OWASP Top 10 vulnerabilities through managed rules. Additionally, customers can create custom rules to enhance security based on specific criteria, such as source IP ranges or request attributes like headers, cookies, form fields, or query string parameters.

Customers can deploy Azure WAF with Application Gateway for regional protection within both public and private address spaces, or with Front Door for edge protection of public endpoints.

DDoS Protection

Azure DDoS Protection offers robust defenses against sophisticated Distributed Denial of Service (DDoS) attacks. It enhances DDoS mitigation for your applications and resources within virtual networks and includes access to DDoS Rapid Response support for expert assistance during active attacks.

Azure DDoS Protection has two tiers:

1. DDoS Network Protection: This tier provides advanced DDoS mitigation features tailored to your Azure resources within a virtual network. It is automatically optimized to defend against DDoS attacks, supported by application design best practices.

2. DDoS IP Protection: This pay-per-protected IP service includes all core features of DDoS Network Protection but also offers additional benefits such as rapid response support, cost protection, and discounts on Web Application Firewall (WAF) services.