
How to implement effective EDoS Protection for Azure App Services that need to be exposed as HTTP Endpoint to the internet

CH 0 Reputation points
2026-05-13T07:51:52.43+00:00

I want to prevent my organization from unpredictable cost explosion

Azure Functions

An Azure service that provides an event-driven serverless compute platform.


3 answers

  1. kagiyama yutaka 3,430 Reputation points
    2026-05-28T06:39:57.0133333+00:00

    I think Azure’s EDoS controls are to put Front Door WAF in front and set the App Service max‑instance low. 


  2. Sina Salam 29,846 Reputation points Volunteer Moderator
    2026-05-13T15:05:50.0333333+00:00

    Hello CH,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to know how you can implement effective EDoS Protection for Azure App Services that need to be exposed as HTTP Endpoint to the internet.

    Most of all, in my perspective as a solution architect your Architecture Design should be similar to:

    Client
      ↓
    Azure Front Door (WAF + Rate Limit + Cache)  (ONLY path allowed)
      ↓
    App Service / Function (restricted access)
      ↓
    Private backend services

    Then, implement as listed below:

    1. Deploy Front Door with WAF and restrict App Service to AzureFrontDoor.Backend; enforce X-Azure-FDID header rules to block direct origin access: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview
    2. Configure WAF managed rules and custom rate policies to block HTTP floods and bots (Rule: RateLimit, Threshold: 100 requests/10 sec/IP). This protects at layer 7, where DDoS protection alone cannot mitigate.
    3. Enable Front Door caching with TTL rules to serve repeated requests from edge nodes, lowering backend execution calls and scaling triggers: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/frontdoor/front-door-ddos.md
    4. Create and attach a DDoS protection plan to your VNet:

       az network ddos-protection create -g rg1 -n ddosPlan

       This provides auto-mitigation and adaptive traffic tuning (overview): https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
    5. Set execution concurrency and cap instances to prevent cost spikes:

       { "concurrency": { "dynamicConcurrencyEnabled": true } }

       Use Premium/App Service plans instead of unlimited Consumption.
    6. Create budgets with thresholds and alerts using Cost Management (the budget name and dates are placeholders; budget name, category, start date and end date are required by the command):

       az consumption budget create --budget-name <budget-name> --category cost --amount 5000 --time-grain monthly --start-date <YYYY-MM-01> --end-date <YYYY-MM-DD>

       Add alerts at 50%, 75%, 90%, and 100% to prevent billing shocks: https://learn.microsoft.com/en-us/azure/cost-management-billing/ and https://inventivehq.com/knowledge-base/microsoft-azure/how-to-set-up-cost-alerts-and-budgets-in-azure
    7. Configure Azure Monitor alerts for spikes in requests and execution counts, and enable WAF/log diagnostics to track abnormal patterns: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/
    8. Use Private Link for backend services and restrict public endpoints to minimize exposure; allow only required ports and trusted sources for inbound traffic.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

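The origin lock that step 1 of the answer above describes (App Service accepts traffic only from the AzureFrontDoor.Backend service tag and only when the X-Azure-FDID header carries your own Front Door ID) can be verified inside the application as well, so a request that slips past the platform rule is rejected before any business logic or scale-out is triggered. The Python below is an added example, not code from the thread or from Azure: the CIDR ranges and the Front Door ID are constructed placeholders (the real ranges come from the AzureFrontDoor.Backend service tag, the real ID from your Front Door profile), and the function and constant names are the example's own.

```python
"""Defense-in-depth origin check for an App Service / Function behind Azure Front Door.

Added example (not from the Q&A thread). It mirrors the access-restriction rule:
the request must arrive from the AzureFrontDoor.Backend ranges AND carry an
X-Azure-FDID header equal to our profile ID. The second condition matters because
any Front Door profile, including another tenant's, can forward traffic from those
ranges to our origin; only the header ties the request to our own profile.
"""
import hmac
import ipaddress

# Placeholder: replace with the ID shown on your own Front Door profile.
EXPECTED_FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample ranges standing in for the AzureFrontDoor.Backend service tag
# (documentation address blocks; load the real list from the service-tag data).
FRONT_DOOR_BACKEND_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:fd00::/48"),
]


def from_front_door_network(client_ip: str) -> bool:
    """True if the TCP source address lies inside the allowed service-tag ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in FRONT_DOOR_BACKEND_RANGES)


def has_valid_fdid(headers: dict) -> bool:
    """True if X-Azure-FDID is present and equals our profile ID (constant-time compare)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    fdid = lowered.get("x-azure-fdid", "")
    return hmac.compare_digest(fdid.encode(), EXPECTED_FRONT_DOOR_ID.encode())


def evaluate_request(client_ip: str, headers: dict) -> tuple[bool, str]:
    """Allow only when both conditions hold, as the platform rule does.

    Returns (allowed, reason). Denying here is cheap: no application code runs,
    so traffic that bypasses Front Door cannot drive the instance count up.
    """
    if not from_front_door_network(client_ip):
        return False, "source address outside AzureFrontDoor.Backend ranges"
    if not has_valid_fdid(headers):
        return False, "missing or foreign X-Azure-FDID header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: via our Front Door, direct to origin, via a foreign Front Door.
    samples = [
        ("203.0.113.10", {"X-Azure-FDID": EXPECTED_FRONT_DOOR_ID}),
        ("198.51.100.7", {"X-Azure-FDID": EXPECTED_FRONT_DOOR_ID}),
        ("203.0.113.10", {"x-azure-fdid": "11111111-1111-1111-1111-111111111111"}),
    ]
    for ip, hdrs in samples:
        print(ip, evaluate_request(ip, hdrs))
```

The platform access restriction remains the primary control; this check is the fallback that also logs the reason, which is useful when tracing why direct-to-origin traffic is appearing in your diagnostics.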

  3. Siddhesh Desai 7,160 Reputation points Microsoft External Staff Moderator
    2026-05-13T08:45:59.0866667+00:00

    Hi @CH

    Thank you for reaching out to Microsoft Q&A.

    When Azure App Services are exposed directly to the internet as HTTP endpoints without proper traffic control layers, they are highly vulnerable to Economic Denial of Service (EDoS) attacks. Unlike traditional DDoS attacks that focus on availability, EDoS attacks exploit the cloud’s auto-scaling nature by sending large volumes of seemingly legitimate HTTP requests. These requests are processed as normal traffic, causing the App Service to scale out and consume more compute resources, which directly leads to unpredictable cost spikes. Native Azure platform protections (like default DDoS Basic) primarily operate at the network layer (L3/L4) and cannot differentiate between valid and malicious application-layer requests. Without implementing controls such as rate limiting, bot filtering, and entry-point protection, the system will continue to process abusive traffic and scale accordingly, resulting in financial impact even if the application remains technically available.

    Refer to the points below to resolve this issue, or use them as the workaround:

    1. Introduce Azure Front Door / Application Gateway with WAF (Do not expose App Service directly)

    Place a reverse proxy in front of App Service:

    • Azure Front Door (preferred for internet-facing global apps)
    • Application Gateway (regional)

    This ensures all incoming requests are evaluated before reaching the backend. A reverse proxy enables routing, filtering, caching, and security enforcement before traffic hits your App Service.

    2. Implement WAF with Rate Limiting (Most critical control for EDoS)

    Configure custom WAF rules to limit requests per client IP. Example (conceptual):

    • Allow 100–500 requests per minute per IP
    • Block or throttle excess requests

    Why important:

    • Rate limiting detects and blocks abnormal request velocity
    • Prevents auto scale from triggering due to malicious traffic

    # Placeholders: <rg> = resource group, <waf-policy> = Front Door WAF policy name.
    # Duration is in minutes. A rate-limit rule needs a match condition, so the rule
    # is created deferred and the condition is added before the policy is committed.
    az network front-door waf-policy rule create \
      --resource-group <rg> --policy-name <waf-policy> \
      --name RateLimitRule --priority 1 --rule-type RateLimitRule \
      --rate-limit-threshold 100 --rate-limit-duration 1 \
      --action Block --defer
    az network front-door waf-policy rule match-condition add \
      --resource-group <rg> --policy-name <waf-policy> --name RateLimitRule \
      --match-variable RequestUri --operator Contains --values "/"


    3. Enable Bot Protection (Block automated abuse traffic)

    Enable WAF Bot Protection (Bot Manager ruleset)

    • Blocks scrapers, brute-force bots, automated traffic
    • Prevents unnecessary backend load

    Without bot filtering, applications often scale due to automated requests leading to higher costs.

    4. Enable Azure DDoS Protection (Network layer protection)

    Apply DDoS Protection on the virtual network hosting your entry layer

    • Protects against volumetric attacks (L3/L4)
    • Automatically detects and mitigates abnormal traffic patterns

    Note:

    • This does not replace WAF or rate limiting
    • It must be combined with application-layer controls

    5. Restrict Direct Access to App Service (Prevent bypass of security layer)

    Do not allow public direct access

    Options:

    • Use Private Endpoint (recommended)
    • Or configure IP access restrictions

    App Service supports inbound access restriction rules to allow/deny traffic based on IPs

    6. Configure Autoscale Limits (Control cost exposure)

    Define strict autoscale rules:

    • Set maximum instance count
    • Avoid scaling purely on request count
    • Use combined metrics (CPU + queue + response time)

    This ensures the system does not scale infinitely under attack

    7. Implement Azure Budgets and Alerts (Financial safeguard)

    Set up cost control mechanisms:

    • Budget thresholds (e.g., 75%, 90%, 100%)
    • Alerts and automated actions

    Azure Budgets can trigger automated actions via action groups to control spending when limits are reached

    8. Enable Monitoring and Alerts (Detect anomaly early)

    Configure:

    • Azure Monitor
    • Application Insights

    Track:

    • Requests/sec spikes
    • Connection count
    • HTTP 5xx errors

    App Service supports metrics and alerts for proactive monitoring.

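Points 2 and 8 of the answer above describe two controls in words: a per-client rate limit (around 100 requests per minute per IP, excess blocked) and alerts on request velocity and HTTP 5xx errors. The Python below is an added example, not code from the thread or from Azure, that runs both checks offline over constructed access-log lines so you can see which requests a limiter of that shape would block and which alert thresholds would fire. The log format (ISO timestamp, client IP, status code), the sample traffic and the alert thresholds are the example's own assumptions, and the limiter is a simplified sliding window rather than Front Door's exact rate-limit algorithm.

```python
"""Per-client rate limiting and traffic alerting, evaluated offline over constructed logs.

Added example (not from the Q&A thread). Real input would be Front Door or App
Service access logs; here the lines are generated by sample_log().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RATE_LIMIT_THRESHOLD = 100              # requests per window per client IP
RATE_LIMIT_WINDOW = timedelta(minutes=1)
ALERT_PEAK_RPS = 5                      # alert if any 1-second bucket holds >= this many requests
ALERT_5XX_RATIO = 0.2                   # alert if >= 20% of responses are 5xx


def parse_line(line):
    """Parse '<iso-timestamp> <client-ip> <status>' (constructed format) into (datetime, ip, int)."""
    ts, ip, status = line.split()
    return datetime.fromisoformat(ts), ip, int(status)


def rate_limit_decisions(lines):
    """Return {ip: blocked_request_count}.

    Simplified sliding window: once a client has RATE_LIMIT_THRESHOLD requests inside
    the trailing window, every further request in that window is blocked (WAF 'Block').
    """
    windows = defaultdict(deque)
    blocked = defaultdict(int)
    for line in sorted(lines, key=lambda l: parse_line(l)[0]):
        ts, ip, _ = parse_line(line)
        q = windows[ip]
        while q and ts - q[0] >= RATE_LIMIT_WINDOW:   # forget requests that left the window
            q.popleft()
        if len(q) >= RATE_LIMIT_THRESHOLD:
            blocked[ip] += 1
        else:
            q.append(ts)
    return dict(blocked)


def traffic_alerts(lines):
    """Fleet-wide signals an Azure Monitor alert rule would watch: peak req/s and 5xx ratio."""
    parsed = [parse_line(l) for l in lines]
    start = min(ts for ts, _, _ in parsed)
    per_second = defaultdict(int)
    for ts, _, _ in parsed:
        per_second[int((ts - start).total_seconds())] += 1
    peak_rps = max(per_second.values())
    ratio_5xx = sum(1 for _, _, s in parsed if 500 <= s <= 599) / len(parsed)
    return {
        "peak_rps": peak_rps,
        "ratio_5xx": ratio_5xx,
        "rps_alert": peak_rps >= ALERT_PEAK_RPS,
        "error_alert": ratio_5xx >= ALERT_5XX_RATIO,
    }


def sample_log():
    """Constructed traffic: one client sends 150 requests in 30 s (the backend starts
    answering 503 after the 100th); a second client sends 10 requests over a minute."""
    base = datetime(2026, 5, 13, 8, 0, 0)
    lines = []
    for i in range(150):
        status = 200 if i < 100 else 503
        lines.append(f"{(base + timedelta(milliseconds=200 * i)).isoformat()} 198.51.100.5 {status}")
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=6 * i)).isoformat()} 203.0.113.9 200")
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("blocked per IP:", rate_limit_decisions(log))
    print("alerts:", traffic_alerts(log))
```

On the constructed sample the high-velocity client has its 101st and later requests blocked (50 in total) while the low-volume client is untouched, and both the peak-rate and the 5xx-ratio alerts fire; that is the combination the answer wants, a WAF rule absorbing the flood at the edge and a monitor alert telling you it happened before the bill does.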

