
Understanding the Comparison

Azure DDoS Protection and Flowtriq serve different operational needs, and understanding those differences prevents you from buying the wrong product or, more commonly, from assuming one product covers what the other actually provides.

Azure DDoS Protection is a platform-level service that monitors and mitigates DDoS attacks targeting Azure Virtual Network resources. It operates at the Azure network edge, analyzing traffic patterns and automatically applying mitigation when attack traffic is detected. It is deeply integrated with the Azure platform — Azure Monitor, Azure Policy, Microsoft Defender for Cloud, and the Azure portal.

Flowtriq is a detection agent that runs on individual servers. It monitors traffic arriving at each server's network interface, classifies attacks, captures PCAP evidence, and sends real-time alerts. It works on Azure VMs, but also on AWS instances, GCP instances, bare-metal servers, VPS providers, and on-premises equipment. It does not mitigate attacks — it detects, classifies, and documents them.

The key difference: Azure DDoS Protection is a mitigation service scoped to Azure VNets. Flowtriq is a detection service scoped to wherever you install it. They overlap in detecting DDoS attacks, but their output, their scope, and their data are different.

Azure DDoS Protection: What It Provides

Azure offers two tiers of DDoS protection. Understanding what each tier provides — and does not provide — is essential for this comparison.

Azure DDoS Infrastructure Protection (formerly Basic)

This tier is automatically enabled for all Azure resources at no additional cost. It provides the same DDoS protection that Microsoft uses to protect its own Azure services. It monitors traffic at the Azure network edge and automatically mitigates common network-layer and transport-layer attacks — volumetric floods, protocol attacks, and resource-layer attacks.

What Infrastructure Protection does not provide:

  • No alerting or notifications when attacks are detected and mitigated
  • No attack logs or historical incident records
  • No DDoS-specific metrics in Azure Monitor
  • No access to Microsoft's DDoS Rapid Response (DRR) team
  • No cost protection against DDoS-related Azure billing spikes

Infrastructure Protection is real protection — Microsoft's Azure backbone has enormous capacity and their automated mitigation handles a vast number of attacks silently. The problem is visibility: attacks are mitigated without any notification to you, and you have no data about what happened.

Azure DDoS Network Protection (formerly Standard)

This is the paid tier, priced at $2,944 per month per DDoS protection plan, which covers up to 100 public IP resources within a subscription. Additional public IPs beyond 100 incur overage charges. The price is fixed regardless of attack volume — Azure does not charge per-gigabit for mitigation.

DDoS Network Protection adds:

  • Attack telemetry and metrics: Real-time DDoS metrics through Azure Monitor, including inbound packets, inbound bytes, DDoS trigger status (whether mitigation is active), and dropped vs. forwarded traffic ratios. These metrics are at the public IP level, not the individual VM level.
  • Attack analytics: Post-attack reports with attack vectors detected, peak traffic rates, duration, and mitigation actions. Available through Azure Monitor workbooks and diagnostic logs.
  • Alerting: Integration with Azure Monitor for alert rules. You can configure alerts on the "Under DDoS attack or not" metric, which triggers when mitigation is active. Alerts can be sent via email, SMS, webhook, Azure Function, Logic App, or ITSM integration.
  • DDoS Rapid Response (DRR): Access to Microsoft's DDoS response team during active attacks. They can assist with custom mitigation tuning — similar to AWS Shield Response Team or Akamai's SOCC. Requires a Premier or Unified support plan.
  • Cost guarantee: If a DDoS attack causes Azure resource scaling costs (VM scale sets, Application Gateway auto-scaling, bandwidth overages), Microsoft provides service credits. This financial protection is the primary justification for the $2,944/month cost for many enterprises.
  • WAF integration: Works with Azure Web Application Firewall on Application Gateway and Azure Front Door for L7 protection.

Azure DDoS Network Protection's cost guarantee is its most compelling feature. If your Azure deployment includes auto-scaling resources that could generate large unexpected bills during a sustained DDoS attack, the $2,944/month is effectively insurance against five- or six-figure surprise Azure invoices.

What Azure DDoS Protection Does Not Provide

Azure Only

Azure DDoS Protection protects Azure Virtual Network resources exclusively. If your infrastructure includes servers at AWS, GCP, bare-metal providers like Hetzner or OVH, VPS providers like Vultr or DigitalOcean, or on-premises equipment, those resources are completely outside Azure DDoS Protection's scope. For organizations running multi-cloud or hybrid architectures — which is increasingly the norm, not the exception — Azure DDoS Protection covers one cloud provider's slice.

No Per-VM Visibility

Azure DDoS Protection's metrics operate at the public IP resource level, not the individual VM level. If you have 25 VMs behind a load balancer sharing a public IP, you see aggregate mitigation metrics for that public IP. You do not see which VM the attack is targeting, how traffic is distributed across VMs, or what each individual VM is experiencing. For a VM scale set that auto-scales during attacks, you cannot determine whether the scaling was caused by attack traffic leaking through or by legitimate load.

No PCAP Forensics

Azure DDoS Protection does not provide packet captures of attack traffic. The diagnostic logs include flow information — source IPs, destination IPs, protocols, and byte counts — aggregated into 5-minute windows. This is useful for trend analysis but is not forensic-grade data. You cannot download a PCAP to analyze exact packet contents, extract payload signatures, or provide packet-level evidence to upstream providers, law enforcement, or compliance auditors.

Azure does offer Network Watcher Packet Capture as a separate service, but it is not integrated with DDoS Protection and requires manual triggering or pre-configuration. Capturing a PCAP during an attack requires that you know the attack is happening and manually initiate a capture — which defeats the purpose of automated forensics.

Limited Attack Classification

Azure DDoS Protection's metrics show whether mitigation is active and what the traffic volume is, but the attack-type classification is less granular than dedicated detection tools provide. The diagnostic logs include protocol and port information, but do not automatically classify attacks as "SYN flood" vs "DNS amplification" vs "NTP reflection" with confidence scoring. You see traffic data; you interpret the attack type yourself.

Alerting Latency

Azure Monitor alert rules evaluate on configurable intervals — typically 1 to 5 minutes. This means there can be a delay between when Azure's DDoS Protection activates mitigation and when your team receives an alert. For the "Under DDoS attack or not" metric, the alert fires when mitigation becomes active, but the evaluation interval and action group processing add latency. Sub-10-second detection-to-alert delivery is not achievable through Azure Monitor's native alerting pipeline.

What Flowtriq Provides

Flowtriq addresses each of the gaps listed above:

  • Cloud agnostic: Runs on Azure VMs, AWS EC2, GCP Compute Engine, bare metal, VPS, on-premises — any Linux server. One detection platform across your entire infrastructure.
  • Per-VM visibility: Each VM runs its own agent and reports independently. In a 25-VM deployment, you see per-VM traffic baselines, per-VM incident alerts, and per-VM forensic data. You know exactly which VM is targeted.
  • Automatic PCAP capture: The first 60 seconds of every detected attack are captured as a downloadable PCAP file. No manual triggering required — it happens automatically on detection.
  • Attack classification: Automatic classification with confidence scoring — SYN flood, UDP flood, DNS amplification, NTP amplification, ICMP flood, HTTP flood, TCP ACK flood, and multi-vector combinations.
  • Sub-5-second alerting: Detection to alert delivery in under 5 seconds through Discord, Slack, email, SMS, PagerDuty, OpsGenie, and custom webhooks. No Azure Monitor evaluation intervals.
  • Source analysis: Top source IPs, source AS numbers, source country distribution, and source diversity scoring for every incident.
  • Per-second time series: PPS and Mbps metrics at per-second granularity, not 5-minute aggregates.


Side-by-Side: Same Attack, Different Data

Scenario: a 90-second DNS amplification attack at 380,000 PPS targets a public IP address associated with a VM scale set running 8 instances. The attack uses open DNS resolvers to amplify traffic by a factor of 50.

Azure DDoS Infrastructure Protection (free tier): The attack is detected and mitigated automatically at the Azure edge. No notification is sent. No metrics are recorded. No logs are generated. Your team discovers the attack only if they notice unusual latency or if independent monitoring detects the impact. The mitigation was real — Azure absorbed the volumetric traffic — but you have zero operational data about what happened.

Azure DDoS Network Protection ($2,944/mo): The "Under DDoS attack or not" metric transitions to 1. After the Azure Monitor evaluation interval (1-5 minutes), an alert fires via the configured action group. Diagnostic logs show: mitigation active from 11:02 to 11:03:30 UTC, inbound traffic peak of approximately 18 Gbps, protocol UDP, source IPs aggregated into 5-minute flow records. No per-VM breakdown across the 8 instances. No PCAP. Attack type is inferred from protocol/port data but not explicitly classified as "DNS amplification."

Flowtriq (on each of the 8 VMs): VM-3 fires an alert at second 2 — it received the highest share of residual traffic that passed through Azure's mitigation. Incident record: DNS Amplification (confidence 97%), 90-second duration, peak 4,200 PPS post-mitigation on VM-3 (the pre-mitigation volume was absorbed by Azure), 312 unique source IPs (the DNS resolvers used as amplifiers), source AS concentration in 4 major hosting ASNs, target port 53, average response packet size 3,400 bytes (typical of DNS amplification). 60-second PCAP captured on VM-3 showing the amplified DNS responses. Other 7 VMs show minimal impact. Alert delivered to Slack at second 3.

The three products provided three different views of the same event. Azure Infrastructure Protection handled it silently. Azure DDoS Network Protection provided aggregate metrics after a delay. Flowtriq provided per-VM detail, attack classification, source analysis, and PCAP forensics in real time. Each view has value; none alone gives the complete picture.
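To make the granularity difference in this scenario concrete, the following added example (not code from Flowtriq or Azure) runs a generic EWMA threshold detector over a constructed per-second PPS series for one VM and compares it with the 5-minute average of the same data. The 300 PPS baseline, the attack start time, and the detector parameters are assumptions; the 4,200 PPS peak and 90-second duration come from the scenario above.

```python
# Added example: constructed data, generic detector (not Flowtriq's or Azure's logic).
BASELINE_PPS = 300      # assumed normal load on the VM (constructed)
ATTACK_PPS = 4200       # post-mitigation peak from the scenario
ATTACK_START, ATTACK_LEN = 330, 90   # 90-second attack; start time is constructed
WINDOW = 300            # 5-minute aggregation window, in seconds


def build_series(total=600):
    """Per-second PPS: deterministic baseline jitter plus a 90-second burst."""
    series = []
    for t in range(total):
        if ATTACK_START <= t < ATTACK_START + ATTACK_LEN:
            series.append(ATTACK_PPS)
        else:
            series.append(BASELINE_PPS + (t % 7) * 5)
    return series


def detect_onset(series, alpha=0.1, factor=4.0, min_consecutive=2):
    """Return the second at which PPS exceeds factor x EWMA baseline
    for min_consecutive seconds in a row, or None."""
    baseline, streak = float(series[0]), 0
    for t, pps in enumerate(series[1:], start=1):
        if pps > factor * baseline:
            streak += 1
            if streak >= min_consecutive:
                return t
        else:
            streak = 0
            # Learn only from non-anomalous seconds so the burst cannot
            # drag the baseline upward.
            baseline = alpha * pps + (1 - alpha) * baseline
    return None


def window_averages(series, width=WINDOW):
    """Mean PPS per fixed window, as a 5-minute aggregate would report it."""
    return [sum(series[i:i + width]) / width for i in range(0, len(series), width)]


def summarize():
    series = build_series()
    fired = detect_onset(series)
    averages = window_averages(series)
    window_close = (ATTACK_START // WINDOW + 1) * WINDOW   # when the aggregate exists
    return {
        "per_second_delay_s": fired - ATTACK_START,
        "aggregate_delay_s": window_close - ATTACK_START,
        "peak_pps": max(series),
        "attack_window_avg_pps": round(averages[ATTACK_START // WINDOW], 1),
    }


if __name__ == "__main__":
    print(summarize())
```

On this constructed series the per-second detector fires one second after onset, while the 5-minute record containing the burst closes 270 seconds after onset and reports about 1,480 PPS against a true peak of 4,200.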

Pricing Comparison

Azure DDoS Protection pricing:

  • Infrastructure Protection (free): Automatic, no configuration, no data. Protection without visibility.
  • Network Protection: $2,944/month per DDoS protection plan. Covers up to 100 public IP resources in one subscription. Overage for additional public IPs is $29.50/resource/month. No annual commitment is required; the plan is billed monthly.
  • IP Protection (per-IP option): $199/month per protected public IP. Includes the same features as Network Protection but without DRR access or cost guarantee. Designed for smaller deployments where $2,944/month for a full plan is not justified.

Flowtriq pricing:

  • $9.99/node/month on monthly billing
  • $7.99/node/month on annual billing ($95.88/node/year)
  • An 8-VM Azure deployment: $79.92/month (monthly) or $63.92/month (annual)
  • 7-day free trial

The pricing gap is dramatic. Azure DDoS Network Protection costs $2,944/month regardless of how many VMs you protect (up to 100 public IPs). Flowtriq for the same 8-VM deployment costs $79.92/month. But the comparison is misleading without context: Azure DDoS Protection mitigates attacks with Microsoft's global network capacity and provides a cost guarantee against DDoS-induced Azure billing. Flowtriq detects and documents attacks but does not scrub traffic.

The $2,944/month makes financial sense when your Azure deployment includes auto-scaling resources where a sustained DDoS attack could generate $10,000+ in unexpected Azure charges. The cost guarantee alone pays for the plan if it prevents one major billing event per year. If your deployment is fixed-size VMs without auto-scaling exposure, the cost-benefit calculation is different.

For many Azure customers, the most practical approach is to rely on the free Infrastructure Protection for mitigation (which is genuine protection), skip the $2,944/month Network Protection tier, and run Flowtriq on each VM for detection visibility and alerting. The combined cost is under $100/month for an 8-VM deployment, and you get per-VM detection data, PCAP forensics, and real-time alerting that the free Azure tier lacks. If you need the cost guarantee, add Azure DDoS Network Protection and run Flowtriq alongside it.

Hybrid Deployment: Azure DDoS Protection + Flowtriq

The defense-in-depth approach for Azure deployments:

Azure DDoS Protection handles:

  • Volumetric attack absorption at the Azure network edge — leveraging Microsoft's global infrastructure capacity
  • Automatic mitigation without operator intervention — always-on for VNet resources
  • Cost protection against DDoS-induced Azure billing spikes (Network Protection tier)
  • DDoS Rapid Response team access during complex attacks (Network Protection + Premier support)
  • Integration with Azure WAF for L7 protection on Application Gateway and Front Door

Flowtriq handles:

  • Per-VM detection — knowing exactly which server is impacted and how much residual traffic it receives
  • Attack classification with confidence scoring — not just "under attack" but what type of attack
  • PCAP forensics — automatic packet capture for every incident, downloadable for analysis
  • Real-time multi-channel alerting — Discord, Slack, PagerDuty, OpsGenie, SMS within seconds
  • Detection on non-Azure infrastructure — bare metal, other clouds, on-premises servers
  • Independent verification — confirming Azure's mitigation is effective by observing what VMs actually receive
  • Source IP analysis — identifying botnet infrastructure, amplification reflectors, and attack attribution data

For organizations using the free Azure DDoS Infrastructure Protection, Flowtriq is especially valuable. Infrastructure Protection mitigates silently — you have no idea attacks are happening. Flowtriq gives you the alerting and visibility that the free tier lacks, at a fraction of the Network Protection tier's cost.

When to Use Each Product

Azure DDoS Network Protection is the right choice when:

  • Your Azure deployment includes auto-scaling resources (VM scale sets, Application Gateway) where DDoS-induced scaling could generate large unexpected Azure bills. The cost guarantee is the primary financial justification.
  • You need managed DDoS response support from Microsoft's DRR team during active attacks.
  • Regulatory or compliance requirements mandate platform-provider DDoS protection with SLA backing.
  • You have 50+ public IP resources, making the per-plan pricing ($2,944/month for up to 100 IPs) more economical than per-IP alternatives.

Flowtriq alone is sufficient when:

  • Your infrastructure spans multiple providers (Azure + AWS, Azure + bare metal, etc.) and you need a single detection platform that works everywhere.
  • You need per-VM detection data, PCAP forensics, and attack classification — data that neither Azure DDoS tier provides.
  • Your Azure deployment uses fixed-size VMs without auto-scaling, so the cost guarantee is not relevant.
  • Your budget does not accommodate $2,944/month for Azure DDoS Network Protection, but you need better visibility than the free Infrastructure Protection tier provides.
  • You need real-time alerts through Discord, Slack, PagerDuty, or OpsGenie without building Azure Monitor alert pipelines.

Use both when:

  • You need both mitigation capacity (Azure DDoS) and detection granularity (Flowtriq).
  • You want to verify that Azure's mitigation is effective by independently monitoring what each VM receives.
  • Your incident response process requires PCAP-level forensics that Azure does not provide.
  • Your infrastructure includes Azure VMs alongside servers in other environments.

The Bottom Line

Azure DDoS Protection is a solid platform-level service. The free Infrastructure Protection provides genuine mitigation for common attack types without any configuration. The $2,944/month Network Protection tier adds telemetry, alerting, DRR access, and — most importantly — cost protection against DDoS-induced Azure billing. For enterprises with significant auto-scaling exposure, Network Protection's cost guarantee alone can justify the spend.

What Azure DDoS Protection does not provide is server-level detection granularity. You do not get per-VM traffic data. You do not get automatic PCAP captures. You do not get sub-5-second alerting through operational channels. You do not get attack classification with confidence scoring. And you do not get coverage for anything outside Azure.

Flowtriq fills those gaps at $9.99/node/month. For Azure-only deployments, it adds the detection depth that Azure's telemetry lacks. For multi-cloud deployments, it provides a single detection platform that works consistently across providers. For organizations on the free Azure DDoS tier, it adds the alerting and visibility that makes the difference between silent mitigation and informed response.

The two products are not competitors. Azure DDoS Protection operates at the platform network edge. Flowtriq operates at the server network interface. They monitor different points in the traffic path, produce different data, and serve different operational needs. The strongest deployments use both.
