@Jozef Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
All Public Endpoints within Azure have Basic DDoS Protection.
Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection at no additional cost. The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation. DDoS Protection Basic requires no user configuration or application changes. DDoS Protection Basic helps protect all Azure services, including PaaS services like Azure DNS.
Reference: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
Basic DDoS protection in Azure consists of both software and hardware components. A software control plane decides when, where, and what type of traffic should be steered through hardware appliances that analyze and remove attack traffic. The control plane makes this decision based on an infrastructure-wide DDoS Protection policy. This policy is statically set and universally applied to all Azure
For example, the DDoS Protection policy specifies at what traffic volume the protection should be triggered. (That is, the tenant’s traffic should be routed through scrubbing appliances.) The policy then specifies how the scrubbing appliances should mitigate the attack.
The Azure DDoS Protection Basic service is targeted at protection of the infrastructure and protection of the Azure platform. It mitigates traffic when it exceeds a rate that is so significant that it might affect multiple customers in a multitenant environment. It doesn’t provide alerting or per-customer customized policies.
You can upgrade to Standard DDoS if you want to, for more granular control and visibility. Now, most of these resources, like APIM and Web App, can be placed behind WAF too. WAF is different from DDoS Protection. Layer 7 attacks like SQL injection, etc. will be blocked by WAF.
So, if you want 100% protection, if you are looking to protect an App Service or other resources from attacks, it is ideal to have that App Service or other resource placed behind an Application Gateway with WAF.
Once you move the App Service behind an Application Gateway, enable WAF on the Application Gateway. You can enable DDoS protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also protects the application gateway virtual IP (VIP).
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
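An added example, not part of the original answer or of any Microsoft tooling: a Python check that takes the JSON printed by `az network vnet list` and `az network application-gateway list` and reports gateways that have no WAF, or that sit in a virtual network without DDoS protection enabled. The sample data is constructed, and the field names are assumed to match the CLI output.

```python
# Constructed sample data. Field names are assumed to match the JSON printed by
# `az network vnet list` and `az network application-gateway list`.
def sid(vnet):  # constructed subnet resource ID (SUB is a placeholder)
    return ("/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network"
            "/virtualNetworks/%s/subnets/agw" % vnet)

VNETS = [
    {"name": "vnet-prod", "enableDdosProtection": True,
     "ddosProtectionPlan": {"id": "PLAN-ID-PLACEHOLDER"},
     "subnets": [{"id": sid("vnet-prod")}]},
    {"name": "vnet-dev", "enableDdosProtection": False, "ddosProtectionPlan": None,
     "subnets": [{"id": sid("vnet-dev")}]},
]
GATEWAYS = [
    {"name": "agw-prod", "sku": {"tier": "WAF_v2"}, "firewallPolicy": {"id": "POLICY-ID"},
     "gatewayIPConfigurations": [{"subnet": {"id": sid("vnet-prod")}}]},
    {"name": "agw-dev", "sku": {"tier": "Standard_v2"},
     "gatewayIPConfigurations": [{"subnet": {"id": sid("vnet-dev")}}]},
    {"name": "agw-test", "sku": {"tier": "WAF_v2"},
     "webApplicationFirewallConfiguration": {"enabled": True, "firewallMode": "Detection"},
     "gatewayIPConfigurations": [{"subnet": {"id": sid("vnet-prod")}}]},
]

def audit(vnets, gateways):
    """Return {gateway name: [findings]}; an empty list means both controls are on."""
    # Resource IDs are case-insensitive, so compare them lowercased.
    owner = {s["id"].lower(): v for v in vnets for s in v.get("subnets", [])}
    report = {}
    for gw in gateways:
        findings = []
        tier = gw.get("sku", {}).get("tier", "")
        legacy = gw.get("webApplicationFirewallConfiguration") or {}
        if not tier.upper().startswith("WAF"):
            findings.append("SKU tier %r has no WAF" % tier)
        elif not (gw.get("firewallPolicy") or legacy.get("enabled")):
            findings.append("WAF tier, but no WAF policy or enabled WAF config")
        elif legacy.get("firewallMode") == "Detection":
            findings.append("legacy WAF config is in Detection mode (logs, does not block)")
        for ipc in gw.get("gatewayIPConfigurations", []):
            vnet = owner.get(ipc["subnet"]["id"].lower())
            if vnet is None:
                findings.append("gateway subnet not found in the VNet list")
            elif not (vnet.get("enableDdosProtection") and vnet.get("ddosProtectionPlan")):
                findings.append("VNet %s has no DDoS protection plan enabled" % vnet["name"])
        report[gw["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(VNETS, GATEWAYS).items():
        print(name, "OK" if not findings else findings)
```

When a gateway uses a WAF policy, the Detection or Prevention mode is set on the policy resource, so this check only sees the mode for the legacy on-gateway configuration.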