Architecture: Where Each Product Operates

Azure DDoS Protection comes in two tiers. The Infrastructure Protection tier (formerly Basic) is automatically enabled for all Azure resources at no additional cost. It provides always-on monitoring and automatic mitigation for common network-layer attacks, protecting all public IP addresses in Azure. The Network Protection tier (formerly Standard) adds enhanced mitigation capabilities, adaptive tuning, attack analytics, DDoS Rapid Response team access, and cost protection.

Both tiers operate at the Azure network edge, monitoring and filtering traffic before it reaches your Virtual Network (VNet). Azure DDoS Protection analyzes traffic flows to public IP addresses associated with your resources — Virtual Machines, Application Gateways, Azure Front Door backends, and Azure Firewall — and applies mitigation rules when volumetric or protocol attacks are detected.

Flowtriq operates on each Azure VM, monitoring the network interface at the OS level. It sees every packet that arrives at the VM regardless of path, protocol, or whether Azure DDoS Protection flagged it as an attack.

Internet Traffic
    |
    v
Azure Edge Network
    |
    v
Azure DDoS Protection (Infrastructure or Network tier)
    |-- Volumetric L3/L4 absorption
    |-- Protocol attack mitigation (SYN floods, etc.)
    |-- Always-on monitoring at Azure edge
    |
    v
Virtual Network (VNet) + NSGs
    |
    v
Azure VM
    |-- Flowtriq agent (per-VM monitoring)
    |-- Per-second PPS/BPS detection
    |-- Attack classification + confidence scoring
    |-- PCAP capture on detection
    |-- Alerts: Discord, Slack, PagerDuty, etc.
    |
    v
Application Stack

Azure DDoS Protection operates at the VNet public IP boundary. Flowtriq operates at the VM's network interface. Traffic that Azure absorbs at the edge never reaches Flowtriq. Traffic that passes through Azure's filtering — either because it was not detected or because it is a type Azure does not filter — is detected and classified by Flowtriq on the VM.

What Flowtriq Adds to Azure DDoS Protection

Per-VM Detection Granularity

Azure DDoS Protection monitors traffic to public IP addresses. If you have 15 VMs behind an Application Gateway, Azure sees the aggregate traffic to the Application Gateway's public IP. It does not break down which backend VMs are receiving what traffic, how attack traffic distributes across your pool, or whether a specific VM is being disproportionately targeted.

Flowtriq monitors each VM individually. You get per-second PPS and BPS metrics for every VM, letting you see exactly which VMs are receiving attack traffic, how much, and of what type. This granularity is essential for understanding attack targeting and impact at the application tier.

PCAP Forensics

Azure DDoS Protection provides attack analytics through Azure Monitor, diagnostic logs, and the Azure Portal's DDoS Protection dashboard. These include mitigation reports with top source countries, top source IPs, attack vectors, and traffic graphs. This data is useful for post-attack analysis but is aggregated and summarized — it is not raw packet data.

Flowtriq captures PCAP data at the network interface level when an incident is detected. The capture includes full packet headers, source IPs, protocol details, payload data, and microsecond timing. This raw packet evidence can be opened in Wireshark, ingested by your SIEM, or used for compliance documentation. For incident response teams that need to analyze exactly what hit a server, PCAP data is indispensable.

Attack Classification Depth

Azure DDoS Protection Network tier provides attack vector classification in its mitigation reports — identifying whether an attack was a SYN flood, UDP flood, or reflection attack. Infrastructure tier provides minimal classification information.

Flowtriq classifies attacks within its 2-second detection window, identifying specific vectors with confidence scores: SYN floods, ACK floods, UDP amplification (DNS, NTP, CLDAP, memcached, SSDP, Chargen), ICMP floods, GRE floods, HTTP floods, slowloris, slow-read, and more. Classification happens in real time at the VM level, giving your team immediate actionable information.

Multi-Channel Alerting

Azure DDoS Protection alerting uses Azure Monitor alert rules and action groups. You can route notifications to email, SMS, Azure Functions, Logic Apps, webhooks, and ITSM connectors. Setting up alerting requires configuring diagnostic settings, metric alert rules, and action groups in the Azure Portal or via ARM templates.

Flowtriq sends alerts natively to Discord, Slack, PagerDuty, OpsGenie, email, SMS, and custom webhooks. Each alert includes full incident context — attack type, confidence, PPS/BPS, source IP analysis, and a direct link to the incident. Setup takes minutes from the Flowtriq dashboard.

Azure DDoS Protection is the shield at the VNet boundary. Flowtriq is the sensor on each VM. The shield absorbs volumetric attacks. The sensor detects, classifies, and captures evidence for everything that reaches the VM — including attacks the shield did not catch.

Step 1: Install the Flowtriq Agent on Azure VMs

Install the Flowtriq agent on each Azure VM you want to monitor. The agent supports all Linux distributions available in the Azure Marketplace.

# Install the Flowtriq agent
pip install ftagent --break-system-packages

# Run the setup wizard
sudo ftagent --setup

Configure the agent with Azure-specific tags for dashboard organization:

# /etc/ftagent/config.yaml
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "eth0"

detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s

pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s

tags:
  role: "web-server"
  provider: "azure"
  resource_group: "rg-production"
  region: "eastus2"
  vnet: "vnet-production"

For VM Scale Sets (VMSS), include the agent installation in your custom script extension or cloud-init configuration:

#!/bin/bash
# Azure custom script extension — install Flowtriq agent
pip install ftagent

mkdir -p /etc/ftagent
cat > /etc/ftagent/config.yaml <<EOF
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "eth0"

detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s

pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s

tags:
  role: "web-server"
  provider: "azure"
  resource_group: "rg-production"
  region: "$(curl -s -H Metadata:true 'http://169.254.169.254/metadata/instance/compute/location?api-version=2021-02-01&format=text')"
  vm_name: "$(curl -s -H Metadata:true 'http://169.254.169.254/metadata/instance/compute/name?api-version=2021-02-01&format=text')"
  vmss: "$(curl -s -H Metadata:true 'http://169.254.169.254/metadata/instance/compute/vmScaleSetName?api-version=2021-02-01&format=text')"
EOF

systemctl enable ftagent
systemctl start ftagent

The script uses Azure Instance Metadata Service (IMDS) to automatically populate region, VM name, and VMSS name tags. This makes it easy to identify and filter VMs in your Flowtriq dashboard.

Step 2: NSG Considerations

The Flowtriq agent communicates outbound to flowtriq.com/api/v1 on port 443 (HTTPS). Azure Network Security Groups (NSGs) allow all outbound traffic by default, so no NSG changes are needed in most deployments.

If your NSGs restrict outbound traffic, add an outbound security rule:

# Azure CLI: Allow outbound HTTPS for Flowtriq agent
az network nsg rule create \
  --resource-group rg-production \
  --nsg-name nsg-production \
  --name AllowFlowtriqOutbound \
  --priority 200 \
  --direction Outbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 443 \
  --destination-address-prefixes Internet \
  --description "Allow Flowtriq agent outbound HTTPS"

No inbound NSG rules are required. The agent initiates all connections outbound. No Azure RBAC roles, managed identities, or service principals are needed — the Flowtriq agent does not interact with Azure APIs.

Step 3: Configure Alerting and Detection

Set up your alert channels in the Flowtriq dashboard. A recommended configuration for Azure environments:

# Slack for Azure operations team
Channel: Slack
Webhook URL: https://hooks.slack.com/services/T.../B.../xxx
Alert types: All incidents
Severity: Medium and above

# PagerDuty for critical incident escalation
Channel: PagerDuty
Integration Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Alert types: Critical incidents only
Severity: Critical

# Custom webhook for SIEM integration
Channel: Webhook
URL: https://your-siem.example.com/api/events
Headers: {"Authorization": "Bearer xxx"}
Alert types: All incidents

Coordinated Alert Strategy

With both Azure DDoS Protection and Flowtriq active, route alerts to complement each other:

  • Azure DDoS Protection alerts (via Azure Monitor) — route to your infrastructure team. These cover VNet-level events: large volumetric attacks absorbed at the Azure edge, mitigation activations and deactivations, and attack analytics summaries.
  • Flowtriq alerts — route to your application/security team. These cover VM-level events: attacks that reached individual VMs, application-layer anomalies, traffic patterns affecting specific services, and any detection Flowtriq makes that Azure DDoS did not flag.

This ensures each team receives alerts relevant to their scope and tools. Infrastructure handles VNet-level events in the Azure Portal. Application/security handles VM-level events with Flowtriq's detection data and PCAP forensics.

Add VM-level detection to your Azure DDoS stack

Deploy Flowtriq on your Azure VMs for per-second detection, PCAP forensics, and instant multi-channel alerting. Works alongside Azure DDoS Protection Infrastructure and Network tiers.

Start your free 7-day trial →

Layered Defense Scenarios

Scenario 1: Multi-Vector Attack on an Application Gateway

  1. Azure DDoS absorbs volumetric — A 25 Gbps SYN flood targets the Application Gateway's public IP. Azure DDoS Protection Network tier detects the attack, activates mitigation policies, and absorbs the volumetric component at the Azure edge. Azure Monitor fires an alert to the infrastructure team.
  2. Application layer persists — The attacker simultaneously runs a low-rate HTTP POST flood using legitimate-looking requests. This traffic passes through Azure DDoS Protection because it falls below volumetric thresholds and uses valid HTTP.
  3. Flowtriq detects on backend VMs — The Flowtriq agent on each backend VM detects elevated request rates and abnormal connection patterns within 2 seconds. It classifies the traffic as an HTTP flood and begins PCAP capture.
  4. Team responds — The security team receives Flowtriq alerts on PagerDuty, reviews the PCAP data, identifies the attack pattern, and configures Azure WAF or Application Gateway rules to block the malicious requests.

Scenario 2: Attack on a Non-HTTP Service

  1. Azure DDoS handles basic protection — A UDP flood targets a custom application running on port 9000 on an Azure VM. Azure DDoS Protection Infrastructure tier provides basic volumetric mitigation.
  2. Flowtriq detects and classifies — The Flowtriq agent detects the UDP flood within 2 seconds, classifies the attack vector, captures PCAP, and identifies top source IP ranges.
  3. Alerts fire — Discord and PagerDuty alerts reach the operations team with full incident context.
  4. Response — The team uses Flowtriq's source IP analysis to create NSG rules blocking the attack sources. The PCAP data confirms the attack vector and provides evidence for any upstream provider communication.

Scenario 3: Sub-Threshold Attack

Not all attacks are massive. A 5,000 PPS targeted attack against a single Azure VM may be well below Azure DDoS Protection's detection thresholds (which are tuned for the VNet's traffic profile) but high enough to degrade your application's performance.

Flowtriq's per-VM baseline detection catches these sub-threshold attacks because it monitors each VM's traffic individually. A 5,000 PPS spike on a VM that normally receives 200 PPS is a clear anomaly at the VM level, even though it is invisible at the VNet level.

What Each Layer Catches

Azure DDoS Protection catches:

  • Volumetric L3/L4 attacks that would overwhelm your VNet or VM bandwidth
  • Protocol attacks (SYN floods, fragmented packets, reflection/amplification) at scale
  • Attacks absorbed at the Azure edge before traffic reaches your VNet
  • Network tier adds: adaptive tuning, attack analytics, DDoS Rapid Response team access

Flowtriq catches:

  • Attacks that pass through Azure DDoS Protection and reach individual VMs
  • Application-layer attacks below Azure's volumetric thresholds
  • Sub-threshold attacks that are too small for VNet-level detection but impact individual VMs
  • Attacks on non-HTTP services and arbitrary ports
  • Traffic anomalies between VMs within the same VNet (internal attacks)

Together:

  • VNet-level mitigation (Azure) plus VM-level detection (Flowtriq)
  • Infrastructure-grade absorption (Azure) plus application-grade forensics (Flowtriq)
  • Azure Monitor alerting for infrastructure team plus Flowtriq alerting for security/app team
  • Flowtriq's PCAP data supplements Azure's attack analytics with packet-level evidence

Cost Comparison

Azure DDoS Protection Network tier costs approximately $2,944/month per DDoS Protection Plan, which covers up to 100 public IP resources in a subscription. Additional resources incur per-resource charges. This is a significant investment, but it provides Azure-native volumetric protection with SLA guarantees and cost protection.

Azure DDoS Protection Infrastructure tier is included at no additional cost with all Azure resources. It provides basic volumetric protection without the advanced features, analytics, or SLA guarantees of the Network tier.

Flowtriq is $9.99 per VM per month ($7.99 on annual billing). A 50-VM deployment costs $499.50/month, providing per-VM detection, PCAP forensics, attack classification, and multi-channel alerting. There is no minimum commitment and a 7-day free trial.

For many Azure environments, the practical combination is Azure DDoS Protection Infrastructure tier (free) plus Flowtriq on each VM. This gives you Azure's always-on volumetric mitigation at no cost, supplemented by Flowtriq's per-VM detection depth, PCAP forensics, and modern alerting at $9.99/node. Organizations with higher-risk workloads can add Azure DDoS Protection Network tier for enhanced mitigation and SLA coverage.

Azure DDoS Protection and Flowtriq are not either/or. Azure handles volumetric mitigation at the network edge. Flowtriq handles detection, classification, and forensics at the VM level. Running both gives you a complete DDoS defense stack at a fraction of the cost of enterprise-only solutions.

Frequently Asked Questions

Does Flowtriq require any Azure permissions?

No. The Flowtriq agent runs on the VM's OS and communicates outbound to Flowtriq's API. It does not use Azure APIs, managed identities, RBAC roles, or service principals. Installation requires root/sudo on the VM, but no Azure-level permissions.

Does Flowtriq conflict with Azure DDoS Protection?

No. Flowtriq is a passive detection agent. It monitors the network interface but does not modify traffic, inject packets, or interfere with Azure's network stack. Azure DDoS Protection operates at the Azure edge, upstream of the VM. The two systems are completely independent.

Can I use Flowtriq without Azure DDoS Protection Network tier?

Yes. Azure DDoS Protection Infrastructure tier is automatically active on all Azure resources. Flowtriq works alongside Infrastructure tier to add per-VM detection and forensics. You do not need to purchase Network tier to use Flowtriq, though Network tier provides additional volumetric protection capabilities.

How does Flowtriq handle Azure VM Scale Sets?

Include the Flowtriq agent installation in your VMSS custom script extension or cloud-init configuration. Each VM instance in the scale set registers as a separate node in Flowtriq. Use tags (vmss name, instance ID) to organize scale set instances in your dashboard. As instances scale in and out, they automatically appear and disappear from Flowtriq.

Deployment Checklist

  • Flowtriq agent installed on each Azure VM (manually or via custom script extension)
  • NSG rules verified — outbound HTTPS (443) allowed for Flowtriq API communication
  • Azure metadata tags configured in config.yaml (resource group, region, VNet)
  • Alert channels configured — at least one real-time channel (Discord, Slack, PagerDuty)
  • PCAP capture enabled in agent configuration
  • VMSS custom script updated if using VM Scale Sets
  • Azure DDoS Protection tier confirmed — Infrastructure (default) or Network tier active
  • Azure Monitor alerts configured for DDoS Protection events (infrastructure team)
  • Flowtriq alerts configured for VM-level events (security/application team)
  • Test alert verified — confirm end-to-end notification flow from Flowtriq

Deploy Flowtriq on Azure today

Per-VM detection, PCAP forensics, attack classification, and instant multi-channel alerting for your Azure infrastructure. Works alongside Azure DDoS Protection. $9.99/node/month with a 7-day free trial.

Start your free 7-day trial →
Back to Blog

Related Articles

Integrations

How to Use Google Cloud Armor with Flowtriq

Deploy Flowtriq alongside Google Cloud Armor for per-VM detection and PCAP forensics on GCP.
Integrations

How to Use AWS Shield with Flowtriq: layered DDoS defense

Deploy Flowtriq alongside AWS Shield for per-instance visibility and real-time alerting on EC2.
Comparisons

Cloud DDoS protection comparison: AWS, Cloudflare, and beyond

How the major cloud providers' DDoS protection stacks compare on coverage, data, and cost.