| title | Azure Policy built-in definitions for Azure DDoS Protection |
|---|---|
| description | Lists Azure Policy built-in policy definitions for Azure DDoS Protection. These built-in policy definitions provide common approaches to managing your Azure resources. |
| services | ddos-protection |
| author | duongau |
| ms.service | azure-ddos-protection |
| ms.date | 03/17/2026 |
| ms.author | duau |
| ms.custom | subject-policy-reference |
| ms.topic | include |

This page is an index of Azure Policy built-in policy definitions for Azure DDoS Protection. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Virtual networks should be protected by Azure DDoS Protection | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify, Audit, Disabled | 1.0.0 |
| Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addresses in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.0 |

- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.