Azure DDoS Protection Standard is configured at the virtual network (VNet) level. When a DDoS protection plan is associated with a VNet, all resources within that VNet that have a public IP address are automatically protected. This includes resources such as virtual machines, load balancers, and application gateways. The protection is not applied to logical management containers like resource groups or identity services such as Azure Active Directory users or applications.

Microsoft Learn, Azure DDoS Protection Documentation: In the "Overview of Azure DDoS Protection" section, it states, "You can enable DDoS protection on any new or existing virtual network, and it requires no application or resource changes. It has several advantages over the Basic service, including telemetry, alerting, and tuning through machine learning algorithms." This confirms that the service is enabled on virtual networks.

Source: Microsoft Corporation. (2024). What is Azure DDoS Protection? Retrieved from Microsoft Learn. (See Section: "Azure DDoS Protection tiers")

Microsoft Learn, Quickstart: Create and configure Azure DDoS Protection Standard: The tutorial steps explicitly demonstrate this process. Step 2 is "Create a DDoS protection plan," and Step 4 is "Enable DDoS protection for a virtual network." The procedure involves associating the created plan directly with a VNet.

Source: Microsoft Corporation. (2024). Quickstart: Create and configure Azure DDoS Protection Standard using the Azure portal. Retrieved from Microsoft Learn. (See Section: "Enable DDoS protection for a virtual network")