The Multi-Cloud Reality
Most organizations no longer run on a single cloud provider. A typical production environment might have web frontends on AWS, data processing on GCP, machine learning workloads on Azure, and legacy systems on bare metal in a colocation facility. Each platform was chosen for specific strengths: AWS for its ecosystem breadth, GCP for data analytics, Azure for enterprise integration, and on-prem for latency-sensitive or regulated workloads.
This multi-cloud, hybrid architecture makes operational sense. But it creates a fundamental problem for DDoS protection: each cloud provider's native DDoS tool only sees traffic within its own platform. There is no built-in mechanism for cross-cloud visibility, correlation, or coordinated response.
When an attacker targets your infrastructure, they do not care which cloud provider hosts each service. They target IP addresses. A sophisticated attacker might hit your AWS load balancers, your GCP API endpoints, and your on-prem database servers simultaneously. On each platform, the native DDoS tool sees what looks like a moderate attack. But in aggregate, it is a coordinated multi-vector campaign designed to overwhelm your entire infrastructure.
The Visibility Gap
Each cloud provider's DDoS protection service operates within a walled garden. AWS Shield monitors traffic flowing through AWS networking. Google Cloud Armor inspects traffic hitting GCP load balancers. Azure DDoS Protection watches Azure virtual network traffic. None of them have any visibility into what is happening on the other platforms, and none of them can see your on-premises infrastructure at all.
This creates several concrete problems:
No cross-cloud correlation
A multi-vector attack hitting AWS and GCP simultaneously appears as two separate, unrelated events. AWS Shield sees a SYN flood and triggers its own mitigation. Cloud Armor sees a UDP amplification flood and triggers its own mitigation. Neither system knows the other is under attack. Your operations team sees two separate alerts from two separate dashboards with no correlation.
Without correlation, you cannot see the attack for what it is: a coordinated campaign. You waste time investigating each event independently. You might mitigate on one platform and assume the problem is solved, while the attack continues on the other. You cannot make informed decisions about the overall threat level because you are looking at fragments, not the whole picture.
Inconsistent detection capabilities
The native DDoS tools across cloud providers vary significantly in their detection capabilities, and those capabilities depend heavily on the tier you are paying for.
- AWS Shield Standard: Free and automatic for every AWS customer, but it only mitigates common L3/L4 volumetric attacks at the AWS edge (CloudFront, Route 53, Global Accelerator, ELB). No custom detection thresholds, no DDoS event history, and no visibility into what was mitigated.
- AWS Shield Advanced: $3,000 per month with a one-year commitment, charged once per organization under consolidated billing (standalone accounts each pay it), plus data transfer fees. Adds L7 detection, custom health checks, Shield Response Team (formerly DDoS Response Team) access, and cost protection. Meaningful protection, but a fixed cost you pay whether or not you are attacked.
- Google Cloud Armor: The Standard tier is pay-as-you-go and covers rate limiting and WAF rules on external load balancers. Adaptive Protection (ML-based L7 detection) requires Cloud Armor Enterprise (formerly Managed Protection Plus). Google absorbs L3/L4 floods in its front end, so you get no native L3/L4 visibility below the load balancer.
- Azure DDoS Protection: DDoS Network Protection (formerly DDoS Protection Standard) is approximately $2,944 per month per protection plan, which covers up to 100 public IP resources across the virtual networks attached to it, with per-IP overage beyond that; DDoS IP Protection is priced per protected IP instead. Both provide L3/L4 volumetric protection. L7 protection requires pairing with Application Gateway WAF.
The result is that your detection capabilities are inconsistent across platforms. An attack pattern that triggers mitigation on AWS might go undetected on GCP if you are using a lower protection tier there. An attacker who studies your infrastructure can exploit these gaps deliberately.
Running Shield Advanced across 5 AWS accounts, Azure DDoS Network Protection on 3 virtual networks, and Cloud Armor Enterprise on GCP means spending roughly $6,000 per month (one Shield Advanced organization fee, one Azure plan) plus Cloud Armor charges, and upwards of $18,000 per month if the AWS accounts are not under one organization, with no unified visibility across the three platforms either way.
The On-Premises Blind Spot
Cloud DDoS tools protect cloud workloads. They provide zero protection for on-premises infrastructure. If you have servers in a colocation facility, a private data center, or bare-metal hosting, those machines are invisible to AWS Shield, Cloud Armor, and Azure DDoS Protection.
Many hybrid architectures use on-premises infrastructure for their most critical or latency-sensitive workloads: databases, real-time processing, financial systems, and gaming servers. These are often the most valuable targets for attackers, and they have the least protection in a cloud-native DDoS strategy.
Traditional on-premises DDoS protection means either hardware appliances (expensive, capacity-limited, and demanding specialist expertise) or BGP-based mitigation such as RTBH and FlowSpec (usually configured by hand, slow to deploy, and rarely automated). Neither approach integrates with your cloud DDoS tools, adding another silo to your fragmented visibility.
Bare-metal and VPS hosting
Beyond traditional on-premises data centers, many organizations use bare-metal hosting providers like Hetzner, OVH, or Leaseweb for cost-effective compute. These providers offer varying levels of built-in DDoS protection, but it is typically basic and not configurable. You have no visibility into what is being filtered, no control over thresholds, and no integration with your other DDoS tools.
# Typical hybrid infrastructure map:
AWS (us-east-1):      Web frontends, CDN origin, API Gateway
GCP (us-central1):    Data pipeline, BigQuery, ML inference
Azure (westeurope):   Active Directory, enterprise apps
OVH (BHS):            Game servers, media encoding
Colocation (Equinix): Primary database cluster, real-time processing

# DDoS visibility per environment:
AWS:        Shield Standard (basic, free) or Shield Advanced ($3K/mo)
GCP:        Cloud Armor (basic WAF rules)
Azure:      DDoS Network Protection (~$3K/mo per plan)
OVH:        Built-in VAC (no visibility, no control)
Colocation: Nothing (unless you buy a hardware appliance)
The Cost Problem
Native cloud DDoS protection at the advanced tiers is expensive, and costs multiply across accounts and platforms. For organizations running multi-cloud infrastructure at scale, the numbers add up fast.
- AWS Shield Advanced: $3,000/month, charged once per organization under consolidated billing. Accounts that bill separately each pay it: 10 standalone accounts cost $30,000/month before data transfer charges.
- Azure DDoS Network Protection: ~$2,944/month per protection plan covering up to 100 public IP resources. Larger estates pay per-IP overage above that, and separate tenants need separate plans.
- Google Cloud Armor: Pricing varies by tier and by the number of policies, rules and protected resources. Cloud Armor Enterprise, which adds Adaptive Protection and bot management, runs to thousands of dollars per month at scale.
- Total for a modest multi-cloud setup: from roughly $6,000 to $40,000+ per month for native DDoS protection, depending on how many billing organizations, Azure plans and protected resources you have.
And for that spend, you get three separate dashboards, three separate alerting systems, three separate sets of detection logic, and zero cross-platform correlation. You are paying premium prices for fragmented visibility.
Cost aside, the operational overhead is significant. Your security team must learn three different DDoS tools, monitor three different dashboards, configure three different sets of thresholds, and respond to three different alerting formats. During an active attack, switching between platforms to understand the full picture wastes critical time.
What a Unified Approach Looks Like
The alternative to fragmented, per-platform DDoS protection is a unified detection layer that runs consistently across every environment. Instead of relying on each cloud provider's native tool, you deploy a single detection agent on every server, regardless of where it is hosted.
This is the approach Flowtriq takes. The Flowtriq agent is a lightweight process that runs on any Linux server. It analyzes network traffic at the host level, detects DDoS attacks using the same detection logic everywhere, and reports to a centralized dashboard. Whether the server is on AWS, GCP, Azure, OVH, Hetzner, or in a colocation rack, the agent provides identical detection capabilities.
Consistent detection everywhere
Because the agent runs on the server itself, it does not depend on cloud-specific networking features. It sees the same traffic on an AWS EC2 instance that it sees on a bare-metal Hetzner server. Detection thresholds, alerting rules, and mitigation triggers are configured once and apply uniformly. A SYN flood looks the same to the agent whether it arrives through an AWS VPC or a colocation switch. The one limit is that a host agent only inspects traffic that reaches the host: a flood that saturates the uplink, or that the provider absorbs at its edge, appears as a drop in legitimate traffic and in provider-side counters rather than as packets on the interface, which is one reason to keep the providers' free edge protections enabled.
# Install the Flowtriq agent on any Linux server
# (review the installer first, e.g. save it with curl -o and read it,
#  before piping a remote script into bash on production hosts)
curl -sL https://get.flowtriq.com | bash

# Same agent, same detection, regardless of platform:
# AWS EC2, GCP Compute Engine, Azure VM,
# Hetzner bare metal, OVH VPS, colo rack server
# All nodes report to the same dashboard
# with unified alerting and correlation
Cross-cloud correlation
With agents reporting to a single centralized platform, Flowtriq can correlate events across your entire infrastructure. A simultaneous attack hitting your AWS frontends and your GCP API servers is identified as a single coordinated campaign, not two unrelated events. Alerts are deduplicated and presented in context, giving your team a complete picture of the threat.
Correlation also improves detection accuracy. A traffic pattern that looks benign on a single server might be clearly malicious when correlated across 50 servers. Distributed low-rate attacks that fly under per-host thresholds become visible when the aggregate is analyzed.
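The two detection effects described above, a distributed flood that stays under every per-host threshold and two simultaneous per-host alerts on different clouds being one campaign, are shown in the following added example. It is illustrative code written for this article, not the Flowtriq agent or its backend, and it runs over constructed telemetry: six hosts across four environments reporting SYN rates per 60-second interval. The per-host factor, aggregate factor and correlation window are assumed values.

```python
from collections import defaultdict

# Constructed sample telemetry, not real traffic: one reading per host per
# 60-second interval, as a host agent would report it. Fields:
# (t_seconds, environment, host, syn_per_sec, baseline_syn_per_sec)
SAMPLES = [
    # t=0: everything at baseline
    (0, "aws", "aws-web-1", 100, 100), (0, "aws", "aws-web-2", 100, 100),
    (0, "gcp", "gcp-api-1", 100, 100), (0, "gcp", "gcp-api-2", 100, 100),
    (0, "ovh", "ovh-game-1", 100, 100), (0, "colo", "colo-db-1", 100, 100),
    # t=60: distributed low-rate flood, every host at 2.5x baseline
    (60, "aws", "aws-web-1", 250, 100), (60, "aws", "aws-web-2", 250, 100),
    (60, "gcp", "gcp-api-1", 250, 100), (60, "gcp", "gcp-api-2", 250, 100),
    (60, "ovh", "ovh-game-1", 250, 100), (60, "colo", "colo-db-1", 250, 100),
    # t=300: two hosts on two clouds hit hard at the same moment
    (300, "aws", "aws-web-1", 4000, 100), (300, "aws", "aws-web-2", 100, 100),
    (300, "gcp", "gcp-api-1", 3500, 100), (300, "gcp", "gcp-api-2", 100, 100),
    (300, "ovh", "ovh-game-1", 100, 100), (300, "colo", "colo-db-1", 100, 100),
]

PER_HOST_FACTOR = 5.0     # assumed: a lone host alerts above 5x its own baseline
AGGREGATE_FACTOR = 2.0    # assumed: the fleet alerts above 2x the summed baselines
CORRELATION_WINDOW = 60   # assumed, seconds: alerts this close together are one campaign


def per_host_alerts(samples):
    """What an isolated per-host (or per-cloud) detector would raise."""
    return [(t, env, host) for t, env, host, rate, base in samples
            if rate > PER_HOST_FACTOR * base]


def aggregate_alerts(samples):
    """Sum rates across every host per interval: catches floods that stay
    under each host's threshold but are obvious fleet-wide."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for t, _env, _host, rate, base in samples:
        totals[t][0] += rate
        totals[t][1] += base
    return sorted(t for t, (rate, base) in totals.items()
                  if rate > AGGREGATE_FACTOR * base)


def correlate(samples):
    """Merge per-host and aggregate alerts into campaigns. An alert starts a
    new campaign unless it lands within CORRELATION_WINDOW of the previous one."""
    events = [(t, env, host) for t, env, host in per_host_alerts(samples)]
    events += [(t, None, None) for t in aggregate_alerts(samples)]
    events.sort(key=lambda e: (e[0], e[1] or "", e[2] or ""))
    campaigns = []
    for t, env, host in events:
        if not campaigns or t - campaigns[-1]["end"] > CORRELATION_WINDOW:
            campaigns.append({"start": t, "end": t, "environments": set(),
                              "hosts": set(), "aggregate": False})
        c = campaigns[-1]
        c["end"] = t
        if env is None:
            c["aggregate"] = True      # only visible in the fleet-wide sum
        else:
            c["environments"].add(env)
            c["hosts"].add(host)
    return campaigns


if __name__ == "__main__":
    for c in correlate(SAMPLES):
        print(f"t={c['start']}-{c['end']}s environments={sorted(c['environments'])} "
              f"hosts={sorted(c['hosts'])} aggregate_only={c['aggregate'] and not c['hosts']}")
```

Run stand-alone, it reports two campaigns: the t=60 flood that no single host would have alerted on, and the t=300 event with aws and gcp in one campaign rather than two unrelated alerts. The aggregate threshold is deliberately lower than the per-host one; summing over many hosts averages out per-host noise, so a smaller multiple of baseline is still a confident signal.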
Platform-appropriate mitigation
Unified detection does not mean one-size-fits-all mitigation. Flowtriq triggers mitigation actions that are appropriate for each platform. On a server with BGP peering, it can push FlowSpec rules or RTBH announcements. On a cloud instance, it can deploy local iptables rules. On infrastructure with cloud scrubbing configured, it can activate the scrubbing service. The detection is unified; the response is tailored to each environment's capabilities. Note that RTBH blackholes the victim address upstream, completing the denial of service for that address: it protects the rest of the network rather than the target, so it belongs at the end of the escalation path, not the start.
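An added example of that escalation logic follows. It is written for this article and is not Flowtriq's code: one attack description, three renderers (an ExaBGP-style FlowSpec announcement, an RTBH announcement, and iptables rules), and a plan() function that picks what the environment supports. The Environment flags, the FlowSpec and RTBH announcement syntax, the hashlimit rates, the 1,000,000 byte/s FlowSpec rate limit and the 192.0.2.1 discard next-hop are all assumptions for illustration; scrubbing activation is omitted because it is a provider-specific API call.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Attack:
    target: str                      # victim IPv4 address as reported by the agent
    protocol: str                    # "tcp" or "udp"
    dst_port: int
    kind: str                        # "syn_flood" or "udp_amplification"
    src_port: Optional[int] = None   # fixed reflector port for amplification (123 = NTP)


@dataclass(frozen=True)
class Environment:                   # assumed capability model for this example
    name: str
    bgp_flowspec: bool = False       # upstream accepts BGP FlowSpec (RFC 8955) from us
    bgp_rtbh: bool = False           # upstream honours a blackhole community
    host_firewall: bool = True       # we can program iptables on the host itself


BLACKHOLE_COMMUNITY = "65535:666"    # RFC 7999 well-known BLACKHOLE community
RTBH_NEXT_HOP = "192.0.2.1"          # assumed discard next-hop (documentation range)


def _matches(a: Attack) -> List[str]:
    """FlowSpec match terms for the attack; validates the input first so a
    malformed event can never reach a router."""
    ipaddress.IPv4Address(a.target)  # raises ValueError on anything that is not IPv4
    if a.protocol not in ("tcp", "udp") or not 0 < a.dst_port < 65536:
        raise ValueError("unsupported protocol or port")
    terms = [f"destination {a.target}/32", f"protocol {a.protocol}",
             f"destination-port ={a.dst_port}"]
    if a.src_port is not None:
        terms.append(f"source-port ={a.src_port}")   # reflectors answer from a fixed port
    if a.kind == "syn_flood":
        terms.append("tcp-flags [ syn ]")
    return terms


def flowspec_rule(a: Attack) -> str:
    """ExaBGP-style FlowSpec announcement (syntax assumed for this example)."""
    match = " ".join(t + ";" for t in _matches(a))
    # Rate-limit SYNs (bytes/s) so the service stays reachable; discard reflected
    # amplification outright, since nothing legitimate arrives that way.
    action = "rate-limit 1000000" if a.kind == "syn_flood" else "discard"
    return f"announce flow route {{ match {{ {match} }} then {{ {action}; }} }}"


def rtbh_announcement(a: Attack) -> str:
    """Blackhole the victim /32 upstream. This finishes the attacker's job for
    that one address; it protects the rest of the network, not the target."""
    ipaddress.IPv4Address(a.target)
    return (f"announce route {a.target}/32 next-hop {RTBH_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def iptables_rules(a: Attack) -> List[str]:
    """Host-local mitigation; also the only option on clouds with no BGP access."""
    _matches(a)                      # same validation as the FlowSpec path
    if a.kind == "syn_flood":
        return [
            "sysctl -w net.ipv4.tcp_syncookies=1",
            f"iptables -I INPUT -p tcp -d {a.target} --dport {a.dst_port} --syn "
            f"-m hashlimit --hashlimit-mode srcip --hashlimit-above 50/sec "
            f"--hashlimit-burst 100 --hashlimit-name syn_{a.dst_port} -j DROP",
        ]
    # Dropping by reflector source port also drops legitimate replies from that
    # service (e.g. real NTP answers) while the rule is in place.
    port = f"--sport {a.src_port}" if a.src_port is not None else f"--dport {a.dst_port}"
    return [f"iptables -I INPUT -p udp -d {a.target} {port} -j DROP"]


def plan(a: Attack, env: Environment, allow_blackhole: bool = False) -> List[Tuple[str, str]]:
    """Same detection everywhere; pick the strongest response the environment supports."""
    steps: List[Tuple[str, str]] = []
    if env.bgp_flowspec:
        steps.append(("flowspec", flowspec_rule(a)))        # surgical, drops upstream
    if env.host_firewall:
        for cmd in iptables_rules(a):                       # defence in depth on the host
            steps.append(("iptables", cmd))
    if not env.bgp_flowspec and env.bgp_rtbh and allow_blackhole:
        steps.append(("rtbh", rtbh_announcement(a)))        # last resort, operator-approved
    return steps


if __name__ == "__main__":
    amp = Attack("203.0.113.10", "udp", 53, "udp_amplification", src_port=123)
    for env in (Environment("colo", bgp_flowspec=True, bgp_rtbh=True), Environment("aws-ec2")):
        for mechanism, command in plan(amp, env):
            print(f"{env.name:8} {mechanism:9} {command}")
```

The ordering encodes the caveat from the text: FlowSpec first because it drops the flood upstream while leaving the target reachable, host rules always because they also catch whatever leaks past the edge, and RTBH only when there is no FlowSpec, the upstream honours the blackhole community, and an operator has explicitly allowed completing the outage for that one address.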
Native Cloud Tools vs. Agent-Based Detection
This is not an either-or decision. Native cloud DDoS tools provide value, especially at the free tier. AWS Shield Standard is automatic and free; there is no reason to disable it. Cloud Armor's basic WAF rules protect against application-layer attacks. Azure DDoS Protection Basic (now called DDoS infrastructure protection) is included with every virtual network.
The question is whether those free-tier tools are sufficient as your only DDoS protection. For most multi-cloud organizations, the answer is no. The free tiers provide limited detection, no cross-cloud visibility, and no automated mitigation beyond basic volumetric filtering.
An agent-based approach like Flowtriq complements native tools rather than replacing them. Let Shield Standard handle the obvious volumetric floods at the AWS edge. Let the Flowtriq agent handle everything else: cross-cloud correlation, consistent detection across all platforms, automated escalation, and on-premises coverage.
- Keep native free tiers active: They provide baseline L3/L4 protection at no cost.
- Skip expensive advanced tiers: A unified agent-based approach provides better visibility at a fraction of the cost of running Shield Advanced + Azure DDoS Network Protection + Cloud Armor Enterprise across all accounts.
- Cover on-premises and bare metal: The agent runs anywhere Linux runs. No blind spots.
- Single dashboard: One view of your entire infrastructure's DDoS posture, not three separate consoles.
Architecture Patterns for Multi-Cloud DDoS Protection
Pattern 1: Agent on every node
Deploy the Flowtriq agent on every server across all environments. This provides maximum visibility and per-host detection. Best for organizations where every server potentially faces internet traffic or where you need granular per-host metrics.
Pattern 2: Agent on edge nodes only
Deploy agents on internet-facing servers only: load balancers, reverse proxies, API gateways, and edge nodes. Internal servers that only receive traffic from edge nodes are covered indirectly, provided they really have no other ingress path (direct public IPs, permissive security groups and management VPNs are the usual exceptions, and are worth auditing before you rely on this pattern). This reduces agent count while still providing detection at every ingress point.
Pattern 3: Agent plus flow collector
For environments with network devices that export NetFlow, sFlow, or IPFIX, combine host-level agents with flow collection. The agents cover cloud and bare-metal servers; the flow collector covers routed infrastructure where you cannot install an agent (network appliances, third-party managed devices).
The right pattern depends on your infrastructure. Most organizations start with agents on edge nodes and expand to full coverage as they gain confidence in the deployment.
Getting Started
Deploying unified DDoS detection across a multi-cloud environment does not require a large project. Start by identifying your internet-facing infrastructure across all platforms. Install the Flowtriq agent on those servers. Within minutes, you have cross-cloud visibility that none of the native tools can provide individually.
From there, configure detection thresholds based on your traffic patterns, set up alerting, and enable automated mitigation for critical infrastructure. The unified dashboard shows your entire infrastructure in one view, eliminating the context-switching that slows down incident response.
Stop paying for fragmented visibility. Try Flowtriq free for 7 days and get consistent DDoS detection across every cloud, every data center, and every bare-metal server in your infrastructure.