manage-ddos-protection.md

title	Quickstart: Create and configure Azure DDoS Network Protection using the Azure portal
description	Learn how to use Azure DDoS Network Protection to mitigate an attack.
author	duongau
ms.author	duau
ms.service	azure-ddos-protection
ms.topic	quickstart
ms.date	01/26/2026

Quickstart: Create and configure Azure DDoS Network Protection using the Azure portal

In this Quickstart, you create a DDoS protection plan and link it to a virtual network.

A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions under a single Microsoft Entra tenant to the same plan.

:::image type="content" source="./media/manage-ddos-protection/ddos-network-protection-diagram-simple.png" alt-text="Diagram of DDoS Network Protection." lightbox="./media/manage-ddos-protection/ddos-network-protection-diagram-simple.png":::

Prerequisites

• If you don't have an Azure subscription, create a free account before you begin.
• Sign in to the Azure portal. Ensure that your account is assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in the how-to guide on Permissions.

Create a DDoS protection plan

1. Select Create a resource in the upper left corner of the Azure portal.

2. Search the term DDoS. When DDoS protection plan appears in the search results, select it.

3. Select Create.

4. Enter or select the following values.

   Setting	Value
   Subscription	Select your subscription.
   Resource group	Select Create new and enter MyResourceGroup.
   Name	Enter MyDdosProtectionPlan.
   Region	Enter East US.

5. Select Review + create then Create

[!INCLUDE DDoS-Protection-region-requirement.md]

Enable DDoS protection for a virtual network

New virtual network

1. Select Create a resource in the upper left corner of the Azure portal.

2. Select Networking, and then select Virtual network.

3. Enter or select the following values then select Next.

   Setting	Value
   Subscription	Select your subscription.
   Resource group	Select Use existing, and then select MyResourceGroup
   Name	Enter MyVnet.
   Region	Enter East US.

4. In the Security pane, select Enable on the Azure DDoS Network Protection radio.

5. Select MyDdosProtectionPlan from the DDoS protection plan pane or create a new plan. The plan you select can be in the same, or different subscription than the virtual network, but both subscriptions must be associated to the same Microsoft Entra tenant.

6. Select Next. In the IP addresses pane, update the IP address space with the following values.

   Setting	Value
   IPv4 address space	Enter 10.1.0.0/16.
   Subnet name	Under Subnets, select the default link and update the name to mySubnet.
   Starting address	Enter 10.1.0.0.
   Size	Select /24.

7. Select Save > Review + create > Create.

[!INCLUDE DDoS-Protection-virtual-network-relocate-note.md]

Existing virtual network

1. Create a DDoS protection plan by completing the steps in Create a DDoS protection plan, if you don't have an existing DDoS protection plan.
2. Enter the name of the virtual network in the Search resources, services, and docs box at the top of the Azure portal. When it appears in the search results, select it.
3. Under Settings, select DDoS protection.
4. Select Enable. Under DDoS protection plan, choose an existing plan or the one you created in step 1, then select Save. The plan can be in the same or a different subscription than the virtual network, but both must be associated with the same Microsoft Entra tenant.

Existing DDoS protection plan

You can also enable the DDoS protection plan for an existing virtual network from the DDoS Protection plan itself. This is useful if you have multiple virtual networks to protect with the same plan.

1. Search for DDoS protection plans in the Search resources, services, and docs box at the top of the Azure portal. When it appears, select it.
2. Select the desired DDoS protection plan from the list.
3. Under Settings, select Protected resources.
4. Select Add, choose the subscription, resource group, and virtual network, then select Add again.

---

Configure an Azure DDoS Protection Plan using Azure Firewall Manager

Azure Firewall Manager is a platform to manage and protect your network resources at scale. You can associate your virtual networks with a DDoS protection plan within Azure Firewall Manager. See Configure an Azure DDoS Protection Plan using Azure Firewall Manager.

Enable DDoS protection for all virtual networks

This built-in policy detects virtual networks within a defined scope that don't have DDoS Network Protection enabled. It can then optionally create a remediation task to enable protection for the virtual network. See Azure Policy built-in definitions for Azure DDoS Network Protection for full list of built-in policies.

View protected resources

First, check the details of your DDoS protection plan:

1. Search for DDoS protection plans in the Search resources, services, and docs box at the top of the Azure portal. When it appears, select it.
2. Select your DDoS protection plan from the list.
3. Under Settings, select Protected resources.
4. In the Protected resources page, you can view the resources that are protected by this DDoS protection plan.

Disable for a virtual network:

You can disable DDoS protection for a virtual network while keeping it enabled on other virtual networks. To disable DDoS protection for a virtual network, follow these steps.

1. Search for Virtual Network in the Search resources, services, and docs box at the top of the Azure portal. When it appears, select it.
2. Under Settings, select DDoS Protection.
3. Select Disable for DDoS Network Protection.

Note

Disabling DDoS protection for a virtual network won't delete the protection plan. You'll still incur costs if you only disable DDoS protection without deleting the plan. To avoid unnecessary charges, you need to delete the DDoS protection plan resource. See Clean up resources.

Clean up resources

You can keep your resources for the next tutorial. If no longer needed, delete the MyResourceGroup used in this example. When you delete the resource group, you also delete the DDoS protection plan and all its related resources. If you don't intend to use this DDoS protection plan, you should remove resources to avoid unnecessary charges.

Warning

This action is irreversible.

1. In the Azure portal, search for and select Resource groups, or select Resource groups from the Azure portal menu.

2. Filter or scroll down to find the MyResourceGroup resource group.

3. Select the resource group, then select Delete resource group.

4. Type the resource group name to verify, and then select Delete.

Note

To delete a DDoS protection plan, first dissociate all virtual networks from it.

Next steps

To learn how to configure metrics alerts through Azure Monitor, continue to the tutorials.

[!div class="nextstepaction"] Configure Azure DDoS Protection metric alerts through portal