Microsoft Certified: Azure Fundamentals (AZ-900) Practice Exam

DDoS protection is the correct choice because it specifically addresses the risk of distributed denial-of-service (DDoS) attacks, which are designed to overwhelm and exhaust resources on a public-facing website. This service detects and mitigates such attacks by absorbing the attack traffic and ensuring that legitimate users can still access the website.

Using DDoS protection helps safeguard your applications by providing automatic scaling and predefined thresholds, which allow it to respond quickly to sudden spikes in traffic that may be indicative of an attack. It operates at the network layer and does not require manual intervention, making it an effective solution for maintaining availability and performance against DDoS threats.

While other options can contribute to overall security and resource management, they do not specifically target the issue of resource exhaustion caused by DDoS attacks. Azure Firewall provides protection at the application level, but it does not have the same capabilities in specifically mitigating large-scale attacks like DDoS. Network Security Groups control inbound and outbound traffic to Azure resources but are primarily focused on access control. Application Gateway serves as a web traffic manager and includes web application firewall features, but again, it does not specialize in DDoS mitigation.