expanded pricing guide.

Author: AbdullahBell

articles/ddos-protection/ddos-optimization-guide.md

@@ -5,7 +5,7 @@ services: ddos-protection
 author: AbdullahBell
 ms.service: azure-ddos-protection
 ms.topic: concept-article
-ms.date: 07/24/2025
+ms.date: 07/28/2025
 ms.author: abell
 # Customer intent: As a cloud architect or IT administrator, I want to optimize costs for Azure DDoS Protection, so that I can maintain effective security protection while controlling expenses and maximizing return on investment.
 ---

articles/ddos-protection/ddos-pricing-guide.md

@@ -5,7 +5,7 @@ services: ddos-protection
 author: AbdullahBell
 ms.service: azure-ddos-protection
 ms.topic: concept-article
-ms.date: 07/24/2025
+ms.date: 07/28/2025
 ms.author: abell
 # Customer intent: As a cloud architect, I want to compare the pricing of Azure DDoS Protection tiers, so that I can choose the most cost-effective solution for protecting my virtual network and public IP addresses.
 ---
@@ -27,131 +27,74 @@ When IP Protection is enabled for a public IP resource and a DDoS protection pla
 
 ## Example scenarios
 
+This section provides example scenarios to illustrate cost differences between Network Protection and IP Protection. The scenarios are designed to help you understand how to evaluate costs based on your specific environment and requirements.
 
 ### Scenario 1: Small application with 10 Public IP addresses
 
 In this example, we compare the cost of Network Protection and IP Protection for a virtual network with 10 Public IP addresses. 
 
 #### Network Protection
 
+With Network Protection, you create one plan that covers all subscriptions under the tenant. This shared protection model means you pay a single monthly Network Protection plan fee that covers up to 100 IP addresses across all subscriptions within your Azure Active Directory tenant, regardless of how those IPs are distributed among different subscriptions. 
+
 Let's assume you have only one subscription in your tenant. If you create a Network Protection plan, the plan includes protection for 100 IP addresses. The subscription is billed for the Network Protection plan, which covers up to 100 resources. 
 
 #### IP Protection 
 
 In this same scenario with 10 Public IP addresses, if you enable IP Protection for each Public IP address, you're billed per protected IP resource.
 
-Under this scenario, its more cost effective to enable IP Protection for each Public IP address. For environments with more than 15 Public IP addresses, it's more cost effective to create a Network Protection plan. 
+Under this scenario, its more cost effective to enable IP Protection for each Public IP address.
 
 **Cost comparison analysis:**
-- Network Protection: Fixed monthly cost for up to 100 IP addresses
-- IP Protection: Per-IP monthly cost × 10 resources  
-- **Result: IP Protection provides cost savings for smaller deployments**
+
+- Network Protection: Fixed monthly cost for up to 100 IP addresses.
+- IP Protection: Per-IP monthly cost × 10 resources.
+- Result: IP Protection provides cost savings for smaller deployments.
 
 ### Scenario 2: Enterprise multi-subscription environment
 
 This scenario illustrates cost benefits for large organizations with multiple subscriptions sharing a DDoS protection plan.
 
-#### Multiple subscriptions with Network Protection
-
-An enterprise has three subscriptions with the following public IP distribution:
+An enterprise has three subscriptions with 48 public IPs across three subscriptions.
 - Subscription A: 25 public IPs (production workloads)
 - Subscription B: 15 public IPs (staging environment)  
 - Subscription C: 8 public IPs (development environment)
-- **Total: 48 public IPs across three subscriptions**
 
-With Network Protection, you create one plan that covers all subscriptions under the tenant:
-- Cost: Single monthly Network Protection plan fee (covers up to 100 IPs across all subscriptions)
-- Effective per-IP cost: Significantly lower due to shared plan coverage
+#### Multiple subscriptions with Network Protection
+
+The cost efficiency becomes apparent when you consider the effective per-IP cost: instead of paying individually for each of the 48 public IPs, the enterprise pays one fixed monthly fee that could protect up to 100 IPs. This shared plan coverage significantly reduces the effective per-IP cost compared to individual IP Protection, making Network Protection an economical choice for organizations with multiple subscriptions and substantial public IP requirements. The protection seamlessly extends across subscription boundaries, simplifying both management and billing while providing comprehensive coverage for the entire tenant's public facing resources.
 
 #### Multiple subscriptions with IP Protection
 
-If using IP Protection for the same 48 public IPs:
-- Cost: Per-IP monthly rate × 48 resources across all subscriptions
+If using IP Protection for the same 48 public IPs, the cost structure changes significantly. Under this model, each public IP address requires individual protection billing, resulting in a per-IP monthly rate multiplied by 48 resources across all subscriptions. This means the enterprise would pay separately for protection on each of the 25 production IPs, 15 staging IPs, and 8 development IPs, with costs accumulating linearly across all subscription boundaries.
 
-**Cost comparison analysis:**
-- Network Protection: Single plan fee regardless of IP count (up to 100)
-- IP Protection: Linear cost scaling with each protected IP
-- **Result: Network Protection provides substantial savings for enterprise environments with many IPs**
+IP Protection follows a linear cost scaling model where expenses increase proportionally with each protected IP address. For the 48 public IPs in this enterprise scenario, this means paying individual protection fees for each resource across all subscriptions, resulting in substantially higher total costs compared to the shared Network Protection plan.
 
 ### Scenario 3: Application Gateway with WAF integration
 
-This scenario demonstrates the value-added benefits of Network Protection when using Azure Application Gateway with WAF.
+This scenario demonstrates the value-added benefits of Network Protection when using Azure Application Gateway with Web Application Firewall (WAF), highlighting how DDoS Protection can provide extra cost savings beyond basic attack mitigation.
 
 #### Without DDoS Network Protection
-- Application Gateway WAF v2: Standard WAF pricing rates apply
-- Total monthly cost: Application Gateway WAF fees
-
-#### With DDoS Network Protection  
-- Network Protection plan: Monthly plan fee
-- Application Gateway Standard v2 (WAF discount applied): Reduced pricing due to WAF discount benefit
-- Total monthly cost: Network Protection plan + reduced Application Gateway fees
-
-**WAF discount benefit: Significant monthly savings on Application Gateway costs when DDoS Network Protection is enabled**
-
-### Scenario 4: Seasonal workloads with variable IP requirements
 
-This scenario shows cost implications for applications with fluctuating public IP requirements.
+When deploying Application Gateway with WAF functionality without DDoS Network Protection, organizations pay the standard WAF pricing rates for their Application Gateway v2 instances. Under this configuration, the total monthly cost consists solely of the Application Gateway WAF fees, which include both the gateway compute costs and the premium WAF feature charges that provide web application security capabilities.
 
-Consider an e-commerce platform that scales during peak seasons:
-
-#### Regular operations (nine months)
-- 8 public IPs needed
-- IP Protection cost: Per-IP rate × eight resources × nine months
-
-#### Peak season (three months) 
-- 25 public IPs needed during holiday season
-- Two options:
-  1. **IP Protection**: Per-IP rate × 25 resources × three months
-  2. **Temporary Network Protection**: Monthly plan rate × three months
+#### With DDoS Network Protection  
 
-**Annual cost comparison analysis:**
-- IP Protection only: Higher total cost due to linear scaling during peak periods
-- IP Protection + seasonal Network Protection: Optimized cost through strategic switching
-- **Result: Hybrid approach provides cost savings for seasonal traffic patterns**
+When DDoS Network Protection is enabled on the virtual network containing the Application Gateway, the cost structure becomes more favorable due to the WAF discount benefit. The monthly expenses include the Network Protection plan fee, but the Application Gateway is automatically charged at the Standard v2 rate rather than the higher WAF rate. This reduced pricing occurs because the WAF discount benefit is automatically applied when Application Gateway with WAF is deployed in a DDoS Network Protection-enabled virtual network. The total monthly cost therefore becomes the Network Protection plan fee plus the reduced Application Gateway fees.
 
-To calculate your unique pricing scenarios, see the [pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=ddos-protection).
+To learn more about Application Gateway WAF pricing, see [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway/).
 
-> [!NOTE]
-> Network Protection includes valued-added benefits such as DDoS Rapid Protection, WAF Discount, and Cost Protection. For more information, see [Azure DDoS Protection SKU Comparison](ddos-protection-sku-comparison.md).
 
 ## Value-added benefits analysis
 
-Network Protection provides additional value beyond basic DDoS mitigation that should be considered in total cost of ownership calculations:
-
-### Cost Protection Guarantee
-Network Protection includes a cost protection guarantee that provides service credits for additional Azure costs incurred during a documented DDoS attack. This includes:
-- Data transfer costs from scale-out operations
-- Additional compute costs for autoscaling responses
-- Other documented Azure service costs directly attributable to DDoS attacks
-
-### DDoS Rapid Response (DRR)
-Network Protection customers have access to the DDoS Rapid Response team during active attacks, providing:
-- Real-time expert analysis and guidance
-- Custom mitigation recommendations  
-- Post-attack analysis and recommendations
-- Value: Equivalent to premium support services for incident response
-
-### WAF Discount Benefits
-When Application Gateway with WAF is deployed in a DDoS Network Protection-enabled virtual network:
-- Application Gateway is charged at the Standard (non-WAF) rate
-- Provides monthly savings per Application Gateway instance
-- Applies to both Application Gateway v1 and v2 SKUs
+Network Protection provides extra value beyond IP Protection that should be considered in total cost of ownership calculations. To learn more about the value-added benefits of Network Protection, see [DDoS Protection tier comparison](ddos-protection-sku-comparison.md).
 
 ## Cost optimization strategies
 
 For comprehensive cost optimization guidance, see [DDoS Protection cost optimization principles](ddos-optimization-guide.md).
 
-## Regional pricing considerations
-
-DDoS Protection pricing may vary by Azure region. Key considerations:
-
-- Review the [official pricing page](https://azure.microsoft.com/pricing/details/ddos-protection/) for your specific region
-
-
 ## Next steps
 
-- Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=ddos-protection) to estimate costs for your specific environment
+- Configure [DDoS Protection diagnostic logs](ddos-diagnostic-alert-templates.md) to monitor and analyze DDoS attack patterns.
 - Learn more about [DDoS Protection reference architectures](ddos-protection-reference-architectures.md)
-- Review [DDoS Protection cost optimization principles](ddos-optimization-guide.md) for detailed cost management strategies
-- Compare [DDoS Protection SKU features](ddos-protection-sku-comparison.md) to understand value-added benefits
 - Get started with [Network Protection](manage-ddos-protection.md) or [IP Protection](manage-ddos-ip-protection-portal.md) configuration