
Cloud DDoS Protection — AWS Shield, Azure DDoS & Cloud Armor Guide

DodaTech Updated 2026-06-24 4 min read

In this tutorial, you'll learn about Cloud DDoS Protection. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud DDoS protection defends applications against volumetric, protocol, and application-layer attacks using services like AWS Shield, Azure DDoS Protection, and GCP Cloud Armor with Always On detection and automated mitigation.

What You Will Learn

How to layer DDoS protection at the network edge and application layer, configure auto-mitigation rules, and design resilient architectures that absorb attack traffic.

Why It Matters

Recorded DDoS attacks now exceed 3 Tbps, far beyond what any single origin can absorb. Without protection, a single attack can take an application offline for hours, costing revenue and customer trust.

Real-World Use

A gaming company subscribes to AWS Shield Advanced. When a 500 Gbps UDP flood hits its infrastructure, Shield mitigates the attack at the AWS network edge, and the company uses Shield Advanced cost protection to request service credits for the EC2, ELB, CloudFront and Route 53 scaling charges the attack caused. Cost protection is a credit request for a confirmed attack, not an automatic refund.

DDoS Attack Layers

flowchart TD
  subgraph L34G["Layer 3-4 attacks"]
    L3["Volumetric<br/>UDP floods<br/>Amplification"]
    L34["Protocol<br/>SYN floods<br/>Ping of Death"]
  end
  subgraph L7G["Layer 7 attacks"]
    L7["Application<br/>HTTP floods<br/>Slowloris<br/>DNS query floods"]
  end

  L3 --> Mitigation[Cloud DDoS Mitigation]
  L34 --> Mitigation
  L7 --> Mitigation

  Mitigation --> Clean[Clean traffic forwarded to origin]
  Mitigation --> Dropped[Attack traffic dropped at the edge]

  style Mitigation fill:#f90,color:#fff

AWS Shield

AWS Shield Standard is enabled automatically for every AWS account at no extra charge and mitigates common network- and transport-layer floods against AWS resources. Shield Advanced is a $3,000-per-month subscription (one-year commitment, plus data-transfer-out usage fees on protected resources) that adds enhanced detection and attack visibility, application-layer automatic response, 24/7 access to the Shield Response Team (SRT, formerly the DRT), AWS WAF at no additional cost on protected resources, and cost protection.

# Subscribe the account to Shield Advanced (one-year commitment); create-protection fails without it
aws shield create-subscription
# Put a resource under Shield Advanced (prints the ProtectionId used below; placeholder ARN)
aws shield create-protection --name prod-alb --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/50dc6c495c0c9188
# Attach a Route 53 health check so health-based detection has a resource-health signal
aws shield associate-health-check \
  --protection-id abc123 \
  --health-check-arn arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890

# List active protections
aws shield list-protections --query 'Protections[*].[Name,ResourceArn]' --output table
# Output:
# ------------------------------------------------------------------
# |                         ListProtections                         |
# +--------------+--------------------------------------------------+
# | prod-alb     | arn:aws:elasticloadbalancing:...:loadbalancer/app/... |
# | prod-cf      | arn:aws:cloudfront::...:distribution/E123456          |
# +--------------+--------------------------------------------------+

# Inspect one attack; attack IDs come from `aws shield list-attacks` (an ongoing attack has no EndTime yet)
aws shield describe-attack \
  --attack-id attack-12345678
# Output:
# {
#   "Attack": {
#     "StartTime": "2026-06-24T10:00:00Z",
#     "EndTime": "2026-06-24T10:15:00Z",
#     "SubResources": [
#       {"Type": "IP", "Id": "203.0.113.0"}
#     ]
#   }
# }
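The two CLI steps above (create the protection, then attach a health check) done idempotently from code, as an added example that is not part of the original page or of AWS's own tooling. It uses the real boto3 shield operations list_protections, create_protection and associate_health_check, but runs here against a constructed in-memory stand-in (FakeShield) so it works without credentials; the ALB and health-check ARNs are assumed placeholders.

```python
"""Idempotent Shield Advanced onboarding for one resource: create the
protection if it is missing, then attach a Route 53 health check so that
health-based detection has a signal to act on.

Added example, not code from the page or from AWS. The shield API calls
(list_protections, create_protection, associate_health_check) are the real
boto3 ones; the ARNs below are assumed placeholders, and FakeShield is a
constructed in-memory stand-in so the file runs without AWS credentials."""
from __future__ import annotations

import uuid


def ensure_protection(shield, name: str, resource_arn: str, health_check_arn: str | None = None) -> dict:
    """Put resource_arn under Shield Advanced and attach health_check_arn if given.

    Needs an active Shield Advanced subscription on the account, otherwise
    create_protection is rejected. Safe to rerun: an existing protection is
    reused and an already-attached health check is not attached twice.
    """
    existing, token = None, None
    while existing is None:
        resp = shield.list_protections(**({"NextToken": token} if token else {}))
        existing = next((p for p in resp.get("Protections", []) if p.get("ResourceArn") == resource_arn), None)
        token = resp.get("NextToken")
        if existing is not None or token is None:
            break

    created = False
    if existing is None:
        pid = shield.create_protection(Name=name, ResourceArn=resource_arn)["ProtectionId"]
        existing = {"Id": pid, "ResourceArn": resource_arn, "HealthCheckIds": []}
        created = True

    attached = False
    if health_check_arn:
        # list_protections reports attached health checks by ID; the ARN ends in that ID.
        hc_id = health_check_arn.rsplit("/", 1)[-1]
        if hc_id not in existing.get("HealthCheckIds", []):
            shield.associate_health_check(ProtectionId=existing["Id"], HealthCheckArn=health_check_arn)
            attached = True

    return {"protection_id": existing["Id"], "created": created, "health_check_attached": attached}


class FakeShield:
    """Constructed stand-in for boto3.client('shield') covering only the three calls used."""

    def __init__(self):
        self.protections = {}

    def list_protections(self, **kwargs):
        return {"Protections": list(self.protections.values())}

    def create_protection(self, Name, ResourceArn):
        pid = str(uuid.uuid4())
        self.protections[pid] = {"Id": pid, "Name": Name, "ResourceArn": ResourceArn, "HealthCheckIds": []}
        return {"ProtectionId": pid}

    def associate_health_check(self, ProtectionId, HealthCheckArn):
        self.protections[ProtectionId]["HealthCheckIds"].append(HealthCheckArn.rsplit("/", 1)[-1])
        return {}


# Assumed placeholder ARNs (example account 123456789012).
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/50dc6c495c0c9188"
HC_ARN = "arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890"

if __name__ == "__main__":
    import boto3  # real run only: needs credentials and an active Shield Advanced subscription

    client = boto3.client("shield", region_name="us-east-1")  # the Shield API is served from us-east-1
    print(ensure_protection(client, "prod-alb", ALB_ARN, HC_ARN))
```

Swapping `FakeShield()` for the real client is the only change needed for a live run; keeping the lookup-before-create logic in one function is what makes the script safe to put in a pipeline that runs on every deploy.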

Azure DDoS Protection

Azure DDoS Protection uses adaptive tuning to learn each protected public IP's normal traffic profile and sets mitigation thresholds from it. Every Azure customer gets free, always-on infrastructure protection (the former Basic tier). The paid SKUs are DDoS Network Protection (formerly Standard), a protection plan attached to virtual networks that covers all their public IPs, and DDoS IP Protection, bought per public IP; both add attack analytics, alerting, telemetry and rapid-response support.

# Create a DDoS Network Protection plan and attach the production virtual network to it
az network ddos-protection create \
  --resource-group prod-rg \
  --name prod-ddos-protection \
  --vnets prod-vnet

# Is a protected public IP under attack right now? The IfUnderDDoSAttack metric is emitted
# by the public IP resource, not by the protection plan (prod-pip is a placeholder name)
az monitor metrics list \
  --resource /subscriptions/.../resourceGroups/prod-rg/providers/Microsoft.Network/publicIPAddresses/prod-pip \
  --metric "IfUnderDDoSAttack" \
  --aggregation Maximum \
  --interval 5m
# Output (trimmed; 1.0 means mitigation is active):
# {"value": [{"name": {"value": "IfUnderDDoSAttack"}, "timeseries": [{"data": [{"timeStamp": "2026-06-24T10:00:00Z", "maximum": 1.0}]}]}]}

GCP Cloud Armor

GCP Cloud Armor filters traffic at the edge of Google's network, in front of the global external Application Load Balancer, so attack traffic is dropped before it reaches your backends. The Standard tier includes always-on network-layer protection and basic Adaptive Protection alerts; Cloud Armor Enterprise (formerly Managed Protection Plus) adds full Adaptive Protection with suggested rules, advanced network DDoS protection, DDoS bill protection and response support.

# Create a Cloud Armor security policy (it does nothing until attached to a backend service)
gcloud compute security-policies create ddos-protection-policy \
  --description "DDoS protection policy"

# Throttle HTTP floods: more than 100 requests per client IP in 60 s gets a 429
gcloud compute security-policies rules create 1000 \
  --security-policy ddos-protection-policy \
  --src-ip-ranges "*" \
  --action throttle \
  --rate-limit-threshold-count 100 \
  --rate-limit-threshold-interval-sec 60 \
  --conform-action allow \
  --exceed-action deny-429 \
  --enforce-on-key IP

# Attach the policy to the backend service behind the load balancer (prod-backend is a placeholder)
gcloud compute backend-services update prod-backend \
  --security-policy ddos-protection-policy \
  --global

# Enable Adaptive Protection (Layer 7 DDoS defense)
gcloud compute security-policies update ddos-protection-policy \
  --enable-layer7-ddos-defense

gcloud compute security-policies list \
  --format="table(name, adaptiveProtectionConfig.layer7DdosDefenseConfig.enable)"
# Output:
# NAME                    ENABLE
# ddos-protection-policy  True

Defense in Depth Architecture

Layer your DDoS defenses: anycast edge services (CloudFront, Cloudflare, Google Front End) absorb volumetric and protocol attacks, a WAF with rate limiting handles application-layer floods, and auto-scaling absorbs the residual traffic that gets through. The layering only holds if the origin is reachable solely from the edge: lock origin security groups or firewall rules to the provider's edge IP ranges, or attackers who discover the origin address simply bypass every layer in front of it.

Common Mistakes

  1. Relying on free-tier DDoS protection alone: free tiers mitigate common network-layer floods, but give no attack visibility, no application-layer automatic response, no response-team access and no cost protection. Use Shield Advanced, DDoS Network Protection or Cloud Armor Enterprise for production workloads.
  2. No health check integration: Shield Advanced health-based detection uses Route 53 health checks to tell degraded resources from healthy ones and to lower detection thresholds when a resource is unhealthy. Without health checks, detection is slower and less sensitive.
  3. Ignoring application-layer DDoS attacks: volumetric attacks get the attention, but low-and-slow HTTP floods can take down an application while staying far below Layer 3-4 thresholds. Rate limiting and WAF rules at the edge are the control here.
  4. Single-region deployment: an attack that saturates one region takes down the whole application. Deploy in multiple regions behind global load balancing so traffic can fail over.
  5. Not planning for cost impact: auto-scaling during an attack can generate enormous bills. Enable cost protection (for example Shield Advanced cost protection), cap scaling group sizes, and set billing alarms so the first sign of an attack is not the invoice.
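The rate-limiting rule in the GCP section and mistake 3 above come down to the same question: how many requests, from which clients, in what window. The following is an added example, not code from the page or from any of the providers, that runs that logic over constructed access-log lines: a per-IP sliding window (the check a per-IP throttle rule enforces) and an aggregate window that catches a flood spread so thinly across sources that no single IP ever trips the per-IP limit, which is the gap adaptive, baseline-driven protection exists to fill. The thresholds are assumed values to tune per application, and the log lines are generated in the file.

```python
"""Sliding-window HTTP flood detection over access-log lines.

Added example (not code from the page or from AWS, Azure or Google).
Log lines are constructed below; the thresholds are assumed defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/Nginx); only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, per_ip_limit=20, window_sec=60, aggregate_limit=50):
    """Return (offenders, aggregate_at).

    offenders maps each client IP that exceeded per_ip_limit requests inside a
    window_sec sliding window to the time it first did so (the per-client check a
    throttle rule keyed on IP performs). aggregate_at is the first time total
    requests in the window exceeded aggregate_limit regardless of source, or None;
    this is what catches a flood spread across many IPs that each stay under the
    per-IP limit.
    """
    events = sorted((e for e in map(parse_line, lines) if e is not None), key=lambda e: e[1])
    window = timedelta(seconds=window_sec)
    per_ip, everything = defaultdict(deque), deque()
    offenders, aggregate_at = {}, None
    for ip, ts, _req in events:
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of this client's window
            q.popleft()
        if len(q) > per_ip_limit and ip not in offenders:
            offenders[ip] = ts
        everything.append(ts)
        while ts - everything[0] > window:  # same for the all-clients window
            everything.popleft()
        if len(everything) > aggregate_limit and aggregate_at is None:
            aggregate_at = ts
    return offenders, aggregate_at


# ---- constructed sample traffic (not real logs) ----
BASE = datetime(2026, 6, 24, 10, 0, 0, tzinfo=timezone.utc)


def at(seconds):
    return BASE + timedelta(seconds=seconds)


def log_line(ip, seconds, path="/"):
    return f'{ip} - - [{at(seconds).strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def single_source_flood():
    """One client hitting /login at 1 req/s for 30 s, plus a well-behaved client."""
    lines = [log_line("192.0.2.1", t) for t in (0, 10, 20, 30, 40)]
    lines += [log_line("198.51.100.7", t, "/login") for t in range(30)]
    return lines


def distributed_flood():
    """40 clients, two requests each within 45 s: nobody trips the per-IP limit."""
    lines = [log_line("192.0.2.1", t) for t in (0, 10, 20, 30, 40)]
    for i in range(1, 41):
        lines += [log_line(f"203.0.113.{i}", i, "/search"), log_line(f"203.0.113.{i}", i + 5, "/search")]
    return lines


if __name__ == "__main__":
    for name, lines in (("single-source", single_source_flood()), ("distributed", distributed_flood())):
        offenders, aggregate_at = detect_floods(lines)
        print(f"{name}: per-IP offenders={offenders} aggregate crossed at={aggregate_at}")
```

In the single-source run only the per-IP check fires; in the distributed run the per-IP check is silent and only the aggregate check fires. A per-IP throttle rule on its own is therefore not an application-layer DDoS defense; it needs an aggregate or baseline-driven signal beside it, and the thresholds must come from measured normal traffic rather than from a guess.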

Practice Questions

  1. What is the difference between AWS Shield Standard and Shield Advanced?
  2. How does Azure DDoS Protection adapt to your traffic patterns?
  3. What is adaptive protection in GCP Cloud Armor?
  4. Why should DDoS protection include both network-layer and application-layer defenses?
  5. How does multi-region deployment improve DDoS resilience?

Challenge

Design a DDoS-resilient architecture for a global e-commerce platform. Use AWS Shield Advanced for network-layer protection, CloudFront for edge caching, and a multi-region ALB setup. Write the CLI commands to enable Shield Advanced, configure health checks, and set up CloudFront with WAF integration. Add equivalent configurations for Azure or GCP.

FAQ

What is a DDoS attack in the cloud?

A distributed denial-of-service attack overwhelms cloud resources with traffic from multiple sources, making applications unavailable.

Is AWS Shield Standard enough for production?

It provides baseline protection against common network- and transport-layer attacks. For production workloads where availability matters, Shield Advanced is recommended for its application-layer detection, response-team access and cost protection.

How does Azure DDoS Protection pricing work?

DDoS Network Protection is billed per protection plan per month (covering up to 100 public IP addresses across the attached virtual networks, with an overage charge per additional IP); DDoS IP Protection is billed per protected public IP per month. Both include a cost guarantee: service credits for scale-out charges incurred during a documented attack.

Does GCP Cloud Armor block all DDoS attacks?

It blocks common attack patterns. For the largest volumetric attacks, Google's global infrastructure absorbs and scrubs traffic at the network edge.

What is cost protection in DDoS services?

A feature that credits back the infrastructure scaling charges (for example extra EC2, load balancer or CDN usage) incurred during a confirmed DDoS attack. The customer normally has to request the credit after the attack; it is not applied automatically.
