Exam AZ-500 topic 6 question 23 discussion

Answer E: is correct Note Although DDoS Protection Plan resources needs to be associated with a region, users can enable DDoS protection on Virtual Networks in different regions and across multiple subscriptions under a single Microsoft Entra tenant. Reference: https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection https://learn.microsoft.com/en-us/answers/questions/951433/how-to-protect-azure-webapp-from-denial-of-service https://www.examtopics.com/exams/microsoft/az-500/view/29/#

To support the answer: No, an Azure DDoS Protection Plan (like the one named DDoS1) cannot be directly added to an Azure Web App in the West US region or any other region. This is because Azure DDoS Protection is designed to protect resources deployed within virtual networks, such as virtual machines, load balancers, or application gateways. Azure Web Apps, on the other hand, are part of the App Service platform and do not reside within a virtual network by default. Answer: C

C. VNet1 and VNet2 only Explanation: Azure DDoS Protection is designed to protect Virtual Networks (VNets), not individual web applications like Azure Web Apps (App Services). DDoS Protection Plans can only be linked to VNets. Web App Services (like WebApp1) are PaaS services and are not directly protected by DDoS Protection Plans. Instead, Azure Web Apps are automatically protected by Azure’s built-in global DDoS protection, but they cannot be linked to a DDoS Protection Plan. VNets in any region can be linked to a DDoS Protection Plan, even if they are in different regions than the plan itself. So, even though DDoS1 is in West US, you can still add VNet2 from East US to it. Resource Analysis: VNet1 (West US) → ✅ Can be added. VNet2 (East US) → ✅ Can be added. WebApp1 (West US) → ❌ Cannot be added (Azure Web Apps are not VNet-dependent and are not protected by DDoS Protection Plans).

Tested in lab created a ddos plan and the only protected resources I could select are vnet, firewall, application gateway, bastion host, load balancer, NIC, VMSS, and vnet gateway. No option for a webapp directly, Only via the app gateway

Why wouldnt it be C then?

"A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled ... Although DDoS Protection Plan resources needs to be associated with a region, users can enable DDoS protection on Virtual Networks in different regions" https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection (For DDoS protection of a Web App, you need WAF, not a "DDoS Protection Plan".)

Answer E: is correct

I think here answer is C as in order to add DDOS protection to Web App we should have application gateway deployed to the vnet but here we can not talk about WAF deployed that is why I would go with C. Enable DDOS Protection Standard on the virtual network hosting your App Service's Web Application Firewall. Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA. https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline BR

Answer E: as per chiquito explanation

A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions.