AzureAzure DDoS ProtectionNetworking

`azurerm_ddos_protection_plan` cost estimation

A network DDoS protection plan billed a flat ~$2,944/month — but it covers up to 100 public IPs across all your VNets, so the cost is meant to be shared.

An azurerm_ddos_protection_plan provides Azure DDoS Network Protection — always-on traffic monitoring and adaptive mitigation for public endpoints. The cost is a flat monthly fee of ~$2,944 (~$4.03/hour), and that single fee is the whole story: it's the same whether you protect one IP or a hundred.

That pricing model is the key insight. A DDoS Protection plan covers up to 100 public IP addresses across all the VNets in your tenant for the one flat fee (additional IPs beyond 100 bill a small per-IP overage). So the plan is designed to be created once and shared organization-wide — creating multiple plans, or treating it as a per-VNet resource, multiplies a $2,944/month charge needlessly.

The cost decision is really binary and organizational: do you need DDoS Network Protection at all (it's for internet-facing production workloads that warrant it), and if so, are you sharing one plan across everything it should cover?

c3x prices the plan at its flat monthly fee, so this substantial standing cost is visible before deployment.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "azurerm_ddos_protection_plan" "main" {
  name                = "ddos-plan"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
}

# Associate it with VNets that need protection (shares the one plan)
resource "azurerm_virtual_network" "prod" {
  # ...
  ddos_protection_plan {
    id     = azurerm_ddos_protection_plan.main.id
    enable = true
  }
}

Pricing dimensions

What you actually pay for when you provision azurerm_ddos_protection_plan.

Dimension	Unit	What's being charged
DDoS network protection plan	per month	Flat monthly fee covering up to 100 public IPs across all VNets in the tenant. Additional IPs over 100 bill a small per-IP overage. ~$4.03/hour ≈ $2,943.55/month (covers 100 IPs)

Sample C3X output

One DDoS Network Protection plan (covers up to 100 IPs org-wide):

azurerm_ddos_protection_plan.main
└─ DDoS network protection plan   730 hours   $2,943.55
                                  Monthly     $2,943.55

Optimization tips

Common ways to reduce azurerm_ddos_protection_plan cost without changing the workload.

Create one plan and share it tenant-wide

~$2,944/month per duplicate plan avoided

The flat ~$2,944/month fee covers up to 100 public IPs across all your VNets. Create a single plan and associate every VNet that needs protection with it — never create multiple plans or treat it as per-VNet, which multiplies the fee for nothing.

Confirm you need Network Protection

The entire plan fee when not warranted

DDoS Network Protection is for internet-facing production workloads that warrant always-on mitigation. Azure provides basic platform-level DDoS protection free; the paid plan adds adaptive tuning, metrics, and cost-protection guarantees. Don't buy it for workloads that don't need that.

Use IP Protection SKU for a single endpoint

Large for single-endpoint protection

If you only need to protect one or a few public IPs, the per-IP DDoS IP Protection SKU is far cheaper than the ~$2,944/month Network Protection plan. The plan only pays off when protecting many IPs.

FAQ

How much does Azure DDoS Protection cost?

The Network Protection plan is a flat ~$2,944/month (~$4.03/hour), covering up to 100 public IPs across all VNets in your tenant (small per-IP overage above 100). It's the same fee whether you protect one IP or a hundred — so it's meant to be shared.

Should I create one DDoS plan or several?

One. A single plan covers up to 100 public IPs across all your VNets for the flat fee. Creating multiple plans (or one per VNet) multiplies a ~$2,944/month charge for no benefit — associate every protected VNet with the same plan.

Is there a cheaper option for a single endpoint?

Yes — the DDoS IP Protection SKU bills per protected IP and is far cheaper than the Network Protection plan when you only need to cover one or a few endpoints. The plan only pays off across many IPs.

How does c3x estimate the cost?

It prices the plan at its flat monthly fee. Given the scale (~$2,944/month), seeing it before deployment — and catching duplicate plans — matters.

Related resources

Azure

azurerm_virtual_network

VNets associate with the shared plan to enable protection

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including azurerm_ddos_protection_plan.

Get Started Star on GitHub

← Browse all Azure resources