Do we need extra DDoS protection or is the standard enough?
AWS Shield Standard, Azure DDoS Protection Basic and GCP Cloud Armor Standard are included and absorb volumetric network-layer attacks. Plenty for most SMBs. Layer 7 (HTTP flood) is a different story.
Try this first
1. Standard protection covers SYN floods, UDP reflection and most network attacks. No action needed, it's always on.
2. For application-layer attacks (HTTP flood, slowloris, Layer 7) you need a WAF with per-IP rate limiting and bot detection.
3. AWS Shield Advanced (~3,000 USD per month) is only worth it if you run millions in revenue through a public endpoint, or want SLA protection and cost protection during large attacks.
4. Azure DDoS Protection Standard (per-IP or per-VNet tier) is useful for public load balancers with customer impact. Cloud Armor Managed Protection Plus for GCP similarly.
5. For an SMB with a public-facing site, Cloudflare Pro or Business at the DNS layer is often cheaper and more effective than native Advanced.
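To make step 2 concrete, here is an added example (not code from this page or from any vendor) that models a per-IP sliding-window rate limit over constructed access-log lines. The limit of 20 requests per 60 seconds, the log format and all IP addresses are assumptions chosen for illustration; real WAF rate-based rules evaluate on their own schedule.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample traffic as (second, client IP); documentation IP ranges only.
EVENTS = (
    [(s // 4, "203.0.113.7") for s in range(40)]                   # one client, 40 requests in 10 s
    + [(s, "198.51.100.20") for s in (0, 20, 40)]                  # ordinary visitor
    + [(s, f"192.0.2.{n}") for n in range(1, 31) for s in (5, 6)]  # 30 clients, 2 requests each
)
SAMPLE_LOG = [
    f'{ip} - - [01/Jan/2025:12:00:{sec:02d} +0000] "GET /login HTTP/1.1" 200 512'
    for sec, ip in sorted(EVENTS)
]

def parse(line):
    """Extract (client IP, timestamp) from a common-log-format line."""
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1 : line.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def rate_limit(lines, limit=20, window_sec=60):
    """Simplified per-IP sliding window: returns (blocked IPs, allowed count per IP)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    allowed = defaultdict(int)
    blocked = set()
    for line in lines:
        ip, ts = parse(line)
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() >= window_sec:
            q.popleft()           # drop requests that aged out of the window
        q.append(ts)
        if len(q) > limit:
            blocked.add(ip)       # over the limit: this request is rejected
        else:
            allowed[ip] += 1
    return blocked, dict(allowed)

if __name__ == "__main__":
    blocked, allowed = rate_limit(SAMPLE_LOG)
    spread = sum(n for ip, n in allowed.items() if ip.startswith("192.0.2."))
    print("blocked:", sorted(blocked))
    print("passed from the 30 low-rate clients:", spread)
```

The single noisy client is cut off at the limit, while the 30 low-rate clients together pass more requests than it ever did. That gap is why step 2 pairs per-IP rate limiting with bot detection.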
When to bring us in
If you receive an extortion email or are under an ongoing attack, this is not a DIY moment. Bring in cloud support and possibly a DDoS vendor immediately.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.