Cloud DDoS Protection — AWS Shield, Azure DDoS & Cloud Armor Guide
In this tutorial, you'll learn about Cloud DDoS Protection. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud DDoS protection defends applications against volumetric, protocol, and application-layer attacks using services like AWS Shield, Azure DDoS Protection, and GCP Cloud Armor with Always On detection and automated mitigation.
What You Will Learn
How to layer DDoS protection at the network edge and application layer, configure auto-mitigation rules, and design resilient architectures that absorb attack traffic.
Why It Matters
DDoS attacks have grown to over 3 Tbps. Without protection, a single attack can take your application offline for hours, costing revenue and customer trust.
Real-World Use
A gaming company uses AWS Shield Advanced with automatic cost protection. When a 500 Gbps UDP flood hits their infrastructure, Shield mitigates the attack at the network edge and AWS automatically refunds the resulting infrastructure scaling costs.
DDoS Attack Layers
flowchart TD
subgraph L3L4["Layer 3-4 Attacks"]
L3["Volumetric<br/>UDP floods<br/>Amplification"]
L34["Protocol<br/>SYN floods<br/>Ping of Death"]
end
subgraph L7grp["Layer 7 Attacks"]
L7["Application<br/>HTTP floods<br/>Slowloris<br/>DNS query floods"]
end
L3 --> Mitigation[Cloud DDoS Mitigation]
L34 --> Mitigation
L7 --> Mitigation
Mitigation --> Clean[Clean Traffic]
Mitigation --> Scrubbed[Scrubbed Traffic]
style Mitigation fill:#f90,color:#fff
AWS Shield
AWS Shield Standard is free and included with all AWS services. Shield Advanced costs $3,000 per month and includes enhanced detection, 24/7 DRT access, and cost protection.
# Associate a Route 53 health check with an existing Shield Advanced protection
# (the protection itself is created with `aws shield create-protection`)
aws shield associate-health-check \
--protection-id abc123 \
--health-check-arn arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890
# List active protections
aws shield list-protections --query 'Protections[*].[Name,ResourceArn]' --output table
# Output:
# ------------------------------------------------------------------------------
# |                              ListProtections                               |
# +-----------+----------------------------------------------------------------+
# |  prod-alb |  arn:aws:elasticloadbalancing:...:loadbalancer/app/...         |
# |  prod-cf  |  arn:aws:cloudfront::...:distribution/E123456                  |
# +-----------+----------------------------------------------------------------+
# Inspect a specific attack (attack IDs come from `aws shield list-attacks`)
aws shield describe-attack \
--attack-id attack-12345678
# Output (abridged):
# {
#   "Attack": {
#     "StartTime": "2026-06-24T10:00:00Z",
#     "EndTime": "2026-06-24T10:15:00Z",
#     "SubResources": [
#       {"Type": "IP", "Id": "203.0.113.0"}
#     ]
#   }
# }
Azure DDoS Protection
Azure DDoS Protection uses adaptive tuning to learn normal traffic patterns. It has two tiers: Basic (free, always on) and Standard (per-subscription, enhanced detection).
# Enable DDoS Protection Standard on a virtual network
az network ddos-protection create \
--resource-group prod-rg \
--name prod-ddos-protection \
--vnets prod-vnet
# View DDoS attack alerts: the "Under DDoS attack or not" metric (IfUnderDDoSAttack)
# is emitted by the protected public IP address resource, not by the protection plan
# (prod-pip is a placeholder for your public IP resource name)
az monitor metrics list \
--resource /subscriptions/.../resourceGroups/prod-rg/providers/Microsoft.Network/publicIPAddresses/prod-pip \
--metric "IfUnderDDoSAttack" \
--interval 5m
# Output (abridged; a value of 1.0 means the public IP is currently under mitigation):
# {
#   "value": [
#     {"name": {"value": "IfUnderDDoSAttack", "localizedValue": "Under DDoS attack or not"},
#      "timeseries": [{"data": [{"timeStamp": "2026-06-24T10:00:00Z", "average": 1.0}]}]}
#   ]
# }
GCP Cloud Armor
GCP Cloud Armor provides DDoS protection at the edge of Google's network. The Managed Protection Plus tier includes automated DDoS detection and mitigation.
# Enable Cloud Armor with DDoS protection
gcloud compute security-policies create ddos-protection-policy \
--description "DDoS protection policy"
# Add per-client rate limiting for HTTP floods: allow up to 100 requests per
# source IP per 60 s and answer anything above that with 429
gcloud compute security-policies rules create 1000 \
--security-policy ddos-protection-policy \
--src-ip-ranges "*" \
--action throttle \
--rate-limit-threshold-count 100 \
--rate-limit-threshold-interval-sec 60 \
--conform-action allow \
--exceed-action deny-429 \
--enforce-on-key IP
# Enable Adaptive Protection (layer 7 DDoS defense) on the policy
gcloud compute security-policies update ddos-protection-policy \
--enable-layer7-ddos-defense
gcloud compute security-policies list \
--format="table(name, adaptiveProtectionConfig.layer7DdosDefenseConfig.enable)"
# Output:
# NAME                    ENABLE
# ddos-protection-policy  True
Defense in Depth Architecture
Layer your DDoS defenses: use edge services (CloudFront, Cloudflare, Google Front End) for volumetric attacks, WAF for application-layer attacks, and auto-scaling to absorb residual traffic.
Common Mistakes
- Only using free tier DDoS protection: Free tiers detect and log but may not block large attacks. Upgrade to Advanced or Standard for production workloads.
- No health check integration: Shield Advanced uses health checks to distinguish real traffic from attacks. Without health checks, mitigation may not trigger correctly.
- Ignoring application-layer DDoS attacks: Volumetric attacks get attention, but slow and low HTTP floods can take down applications without triggering layer 3-4 thresholds.
- Single-region deployment: A DDoS attack targeting one region takes down the entire application. Use multi-region deployment with global load balancing.
- Not planning for cost impact: Auto-scaling during a DDoS attack can generate enormous bills. Enable cost protection features like AWS Shield Advanced cost protection.
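The Cloud Armor throttle rule in the GCP section and the "slow and low" mistake in the list above are easier to reason about with a model of the rule. The block below is an added example written for this page; it is not code from the page, from Google, or from AWS. It implements a per-source-IP sliding-window throttle with the same conform/exceed semantics as the `throttle` action and runs it over constructed traffic (not real logs). The threshold is lowered to 5 requests per 60 s so the sample trips it; the log format, the `peak_window_count` helper and the sample IPs are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Rule parameters, mirroring the Cloud Armor throttle flags
# (--rate-limit-threshold-count / --rate-limit-threshold-interval-sec).
# The count is kept small here so the constructed sample trips it.
THRESHOLD_COUNT = 5
INTERVAL_SEC = 60


def constructed_sample_log():
    """Constructed traffic (not real logs) in the assumed form
    '<ISO timestamp> <client IP> <method> <path> <status>'.
    It mixes a legitimate shopper, one bursty source, and a distributed
    slow-and-low flood from ten sources that each stay under the threshold."""
    base = datetime(2026, 6, 24, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    events.append((base + timedelta(seconds=1), "192.0.2.10", "GET", "/checkout"))
    events.append((base + timedelta(seconds=30), "192.0.2.10", "POST", "/checkout"))
    for i in range(8):  # 8 requests in 8 seconds from a single source
        events.append((base + timedelta(seconds=10 + i), "198.51.100.7", "POST", "/login"))
    for n in range(1, 11):  # 10 sources x 3 requests each, spread over the minute
        for i in range(3):
            events.append((base + timedelta(seconds=2 + n + 20 * i), f"203.0.113.{n}", "GET", "/search"))
    events.sort()
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {ip} {method} {path} 200"
            for ts, ip, method, path in events]


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, int(status)


def throttle_decisions(lines, threshold=THRESHOLD_COUNT, interval=INTERVAL_SEC):
    """Per-source-IP sliding-window throttle (a simplified model of enforce-on-key IP):
    a request is allowed while fewer than `threshold` allowed requests from that IP
    fall inside the last `interval` seconds; otherwise it gets the exceed action,
    deny-429. Returns a list of (ip, path, action) tuples in log order."""
    windows = defaultdict(deque)
    decisions = []
    for line in lines:
        ts, ip, _method, path, _status = parse_line(line)
        window = windows[ip]
        while window and (ts - window[0]).total_seconds() >= interval:
            window.popleft()  # evict requests that fell out of the window
        if len(window) >= threshold:
            decisions.append((ip, path, "deny-429"))
        else:
            window.append(ts)
            decisions.append((ip, path, "allow"))
    return decisions


def peak_window_count(lines, key_index, interval=INTERVAL_SEC):
    """Peak number of requests sharing one key inside any `interval`-second window.
    key_index 1 groups by client IP (what the per-IP rule sees); key_index 3 groups
    by request path, an aggregate view that exposes a distributed low-rate flood."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        fields = parse_line(line)
        ts, key = fields[0], fields[key_index]
        window = windows[key]
        while window and (ts - window[0]).total_seconds() >= interval:
            window.popleft()
        window.append(ts)
        peak[key] = max(peak[key], len(window))
    return dict(peak)


if __name__ == "__main__":
    log = constructed_sample_log()
    denied = defaultdict(int)
    for ip, _path, action in throttle_decisions(log):
        if action == "deny-429":
            denied[ip] += 1
    print("sources throttled by the per-IP rule:", dict(denied))
    print("peak requests per IP:", peak_window_count(log, 1))
    print("peak requests per path:", peak_window_count(log, 3))
```

Run as-is, the per-IP rule throttles the bursty source after its fifth request but allows every request from the ten distributed sources, even though their combined rate against `/search` is the highest in the sample. That aggregate, per-path view is what a second signal such as Adaptive Protection or a WAF rule has to supply, which is the point of the "slow and low" item above.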
Practice Questions
- What is the difference between AWS Shield Standard and Shield Advanced?
- How does Azure DDoS Protection adapt to your traffic patterns?
- What is adaptive protection in GCP Cloud Armor?
- Why should DDoS protection include both network-layer and application-layer defenses?
- How does multi-region deployment improve DDoS resilience?
Challenge
Design a DDoS-resilient architecture for a global e-commerce platform. Use AWS Shield Advanced for network-layer protection, CloudFront for edge caching, and a multi-region ALB setup. Write the CLI commands to enable Shield Advanced, configure health checks, and set up CloudFront with WAF integration. Add equivalent configurations for Azure or GCP.