24458 Update ALZ Portal Accelerator with DDoS Std Rename to DDoS Netw… (#1102)

* 24458 Update ALZ Portal Accelerator with DDoS Std Rename to DDoS Network Protection

* Added changes per https://github.com/Azure/Enterprise-Scale/pull/1102#pullrequestreview-1166035972

* Auto-update Portal experience [kausd1/6b9b9b5e]

* Made changes to what-is-enterprise-scale

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

docs/ESLZ-Policies.md

@@ -114,7 +114,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
 
 | Assignment Name                                                            | Definition Name                                                            | Policy Type                       | Description                                                                                                                                                               | Effect(s) | Version |
 | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
-| **Virtual networks should be protected by Azure DDoS Protection Standard** | **Virtual networks should be protected by Azure DDoS Protection Standard** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify    | 1.0.0   |
+| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify    | 1.0.0   |
 
 ### Management
 
@@ -201,7 +201,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
 | **Auditing on SQL server should be enabled**                                                                        | **Auditing on SQL server should be enabled**                                                                        | `Policy Definition`, **Built-in**   | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.                                                                                                                                                                                                                                        | AuditIfNotExists                                 | 2.0.0   |
 | **Deploy Threat Detection on SQL servers**                                                                          | **Configure Azure Defender to be enabled on SQL servers**                                                           | `Policy Definition`, **Built-in**   | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.                                                                                                                                                                                                                  | DeployIfNotExists                                | 2.1.0   |
 | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in**   | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores.                                                                 | DeployIfNotExists                                | 8.0.0   |
-| **Virtual networks should be protected by Azure DDoS Protection Standard**                                          | **Virtual networks should be protected by Azure DDoS Protection Standard**                                          | `Policy Definition`, **Built-in**   | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard.                                                                                                                                                                                                                                                                          | Modify                                           | 1.0.0   |
+| **Virtual networks should be protected by Azure DDoS Network Protection**                                          | **Virtual networks should be protected by Azure DDoS Network Protection**                                          | `Policy Definition`, **Built-in**   | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection .                                                                                                                                                                                                                                                                          | Modify                                           | 1.0.0   |
 | **Kubernetes cluster should not allow privileged containers**                                                       | **Kubernetes cluster should not allow privileged containers**                                                       | `Policy Definition`, **Built-in**   | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes.                                                              | Deny                                             | 7.2.0   |
 | **Kubernetes clusters should not allow container privilege escalation**                                             | **Kubernetes clusters should not allow container privilege escalation**                                             | `Policy Definition`, **Built-in**   | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes.                                         | Audit                                            | 4.2.0   |
 | **Kubernetes clusters should be accessible only over HTTPS**                                                        | **Kubernetes clusters should be accessible only over HTTPS**                                                        | `Policy Definition`, **Built-in**   | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes.                                                                                                                           | Deny                                             | 6.1.0   |

docs/reference/adventureworks/README.md

@@ -66,7 +66,7 @@ By default, all recommendations are enabled and you must explicitly disable them
   - ExpressRoute Gateway (optional - deployment across Availability Zones)
   - VPN Gateway (optional - deployment across Availability Zones)
   - Azure Private DNS Zones for Private Link (optional)
-  - Azure DDoS Standard protection plan (optional)
+  - Azure DDoS Network Protection (optional)
 - (Optionally) An Azure subscription dedicated for **identity** in case your organization requires to have Active Directory Domain Controllers in a dedicated subscription.
   - A virtual network will be deployed and will be connected to the hub VNet via VNet peering.
 - Landing Zone Management Group for **corp** connected applications that require connectivity to on-premises, to other landing zones or to the internet via shared services provided in the hub virtual network.

docs/reference/azpol.md

@@ -127,7 +127,7 @@ Any publically reachable Azure resource is exposed to threat of Distributed Deni
 
 Azure DDoS Protection service defends Azure resources against DDoS attacks. Azure DDoS Protection continuously monitors incoming traffic to identify potential indications of a DDoS attack. Enterprises benefit from working with Microsoft's DDoS Rapid Response (DRR) team during an active attack.
 
-ESLZ deploys a custom policy that automatically provisions Azure DDoS Standard plan on all Azure subscriptions under its scope. Same policy also enables enterprises to select the Azure regions to be covered as part of the assignment.  
+ESLZ deploys a custom policy that automatically provisions Azure DDoS Network Protection on all Azure subscriptions under its scope. Same policy also enables enterprises to select the Azure regions to be covered as part of the assignment.  
 
 ## Auto-provision Private Link/Endpoint with Private DNS Zone
 

docs/reference/contoso/Readme.md

@@ -62,7 +62,7 @@ The rest of the options across the different blades will depend on your environm
   - VPN Gateway (optional)
   - Azure Firewall (optional)
   - Firewall Policies (optional)  
-  - Azure DDoS Standard protection plan (optional)
+  - Azure DDoS Network Protection (optional)
 - An Azure Subscription dedicated for **identity**, where customers can deploy the Active Directory domain controllers required for their environment.
   - A virtual network will be deployed and will be connected to the hub VNet via VNet peering.
 - Landing Zone Management Group for **corp** connected applications that require connectivity to on-premises, to other landing zones or to the internet via shared services provided in the VWAN hub.

docs/reference/treyresearch/armTemplates/auxiliary/hubspoke-connectivity.json

@@ -75,7 +75,7 @@
                 "No"
             ],
             "metadata": {
-                "description": "Select whether the DDoS Standard protection plan should be enabled or not."
+                "description": "Select whether the DDoS Network Protection should be enabled or not."
             }
         },
         "connectivitySubscriptionId": {

docs/wiki/Deploying-ALZ-BasicSetup.md

@@ -143,9 +143,9 @@ On the *Network topology and connectivity* blade you will configure your core ne
 
 - Depending on your requirements, you may choose to deploy additional network infrastructure for your Azure architecture. The optional resources include:
 
-  - **Enable DDoS Protection Standard**: Usage of [Azure DDoS Protection Standard protection](https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview) is recommended to help protect all public endpoints hosted within your virtual networks. When this option is selected an Azure DDoS Protection Plan is provisioned in your Platform Subscription and which can be used to protect public endpoints across your Platform and Landing Zone subscriptions. DDoS Protection Plan's costs cover up to 100 public endpoints. Protection of additional endpoints requires additional fees. See [Azure DDoS Protection pricing](https://azure.microsoft.com/en-us/pricing/details/ddos-protection/) for further details.
+  - **Enable DDoS Network Protection**: Usage of [Azure DDoS Network Protection](https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview) is recommended to help protect all public endpoints hosted within your virtual networks. When this option is selected an Azure DDoS Protection Plan is provisioned in your Platform Subscription and which can be used to protect public endpoints across your Platform and Landing Zone subscriptions. DDoS Protection Plan's costs cover up to 100 public endpoints. Protection of additional endpoints requires additional fees. See [Azure DDoS Protection pricing](https://azure.microsoft.com/en-us/pricing/details/ddos-protection/) for further details.
   
-    **In this tutorial, DDoS Standard protection it is enabled**. Set **Enable DDoS Protection Standard** to **Yes**.
+    **In this tutorial, DDoS Network Protection it is enabled**. Set **Enable DDoS Network Protection** to **Yes**.
 
     ![networkTab-ddos](./media/clip_image036b-11-singlesubscription.png)
 
@@ -270,7 +270,7 @@ For Corp Landing Zones its virtual network can be connected (recommended) to the
 
   Any Azure Policies you selected will be assigned to the [Landing Zones Management Group](./How-Enterprise-Scale-Works#enterprise-scale-management-group-structure) under the root of your Enterprise Scale Management Group hierarchy. See [landing zone Azure's Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) for further details on the configurable set of Azure Policies.
 
-  As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Standard plan. For connected Landing Zones (*Corp* Landing Zones), you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
+  As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection. For connected Landing Zones (*Corp* Landing Zones), you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones.
 
   **In this tutorial, all recommended Azure Policies are enabled.**
 

docs/wiki/Deploying-ALZ-Foundation.md

@@ -49,7 +49,7 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
 
 ## 7. Network topology and connectivity
-On the *Network topology and connectivity* blade, you can configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Protection Standard and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology.
+On the *Network topology and connectivity* blade, you can configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology.
 
 *For this [scenario](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md) since we don't require network connectivity to on-premises or other networking services such as virtual network gateways or Azure Firewall, select "No" on the Deploy network topology option*
 

docs/wiki/Deploying-ALZ-HubAndSpoke.md

@@ -50,7 +50,7 @@ Azure landing zone portal accelerator provides an integrated CICD pipeline via [
 
 
 ## 7. Network topology and connectivity
-On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Protection Standard and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must:
+On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must:
 
 * In the Deploy network topology option, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA".  For this example, we will select the "Hub and spoke with Azure Firewall".
 * Provide a dedicated (empty) subscription that will be used to host the requisite networking infrastructure.
@@ -61,7 +61,7 @@ On the *Network topology and connectivity* blade, you will configure the core ne
 
 Depending on your requirements, you may choose to deploy additional network infrastructure for your Azure landing zones architecture. The optional resources include:
 
-* DDoS Protection Standard
+* DDoS Network Protection
 * Azure Private DNS Zones for Azure PaaS services
 * VPN and ExpressRoute Gateways
   * If you choose to deploy either or both of these gateways, you will have the option to select the subnet to be dedicated for these resources, if you decide to deploy them as regional or zone-redundant gateways, as well as choose the right SKU based on your requirements
@@ -85,7 +85,7 @@ You can optionally bring in N number of subscriptions that will be bootstrapped
 
 You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity. Finally, you can select which policy you want to assign broadly to all of your landing zones.
 
-As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Standard plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
+As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Network Protection plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
 
 ![Graphical user interface, application  Description automatically generated](./media/clip_image037.jpg)
 

docs/wiki/Deploying-ALZ-VWAN.md

@@ -49,7 +49,7 @@ Please note that if you enable the "Deploy Azure Security Center and enable secu
 Azure landing zone portal accelerator provides an integrated CICD pipeline via [AzOps](https://github.com/Azure/AzOps) that can be used with GitHub Actions. For detailed steps for setting up this configuration, refer to the [Deploy Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) article.
 
 ## 7. Network topology and connectivity
-On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Protection Standard and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. For this scenario:
+On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology. For this scenario:
 
 * Select "Virtual WAN (Microsoft managed)") as the network topology
 * Provide a dedicated (empty) subscription that will be used to host the requisite networking infrastructure.
@@ -58,7 +58,7 @@ On the *Network topology and connectivity* blade, you will configure the core ne
 
 Depending on your requirements, you may choose to deploy additional network infrastructure for your Azure landing zone architecture. The optional resources include:
 
-* DDoS Protection Standard
+* DDoS Network Protection
 * VPN and ExpressRoute Gateways
   * If you choose to deploy either or both of these gateways, you will have the option to select the scale unit based on your requirements
 * Azure Firewall
@@ -77,7 +77,7 @@ You can optionally bring in N number of subscriptions that will be bootstrapped
 
 You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity. Finally, you can select which policy you want to assign broadly to all of your landing zones.
 
-As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Standard plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
+As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator experience will allow you to protect your landing zones with a DDoS Network Protection, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
 
 ![Graphical user interface, application  Description automatically generated](./media/clip_image037.jpg)
 

docs/wiki/Deploying-ALZ.md

@@ -149,13 +149,13 @@ The default API Permissions for this App are “User.Read”, as depicted below:
 
 
 ### Network topology and connectivity
-On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Protection Standard and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology (for this scenario, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA"), provide the address space to be assigned to the hub virtual network, select an Azure region where the hub virtual network will be created and provide a dedicated (empty) subscription that will be used to host the requisite infrastructure. For this example, we will select the "Hub and spoke with Azure Firewall" network topology.
+On the *Network topology and connectivity* blade, you will configure the core networking platform resources, such as hub virtual network, gateways (VPN and/or ExpressRoute), Azure Firewall, DDoS Network Protection and Azure Private DNS Zones for Azure PaaS services. To deploy and configure these network resources, you must select a network topology (for this scenario, select either "Hub and spoke with Azure Firewall" or "Hub and spoke with your own third-party NVA"), provide the address space to be assigned to the hub virtual network, select an Azure region where the hub virtual network will be created and provide a dedicated (empty) subscription that will be used to host the requisite infrastructure. For this example, we will select the "Hub and spoke with Azure Firewall" network topology.
 
  ![img](./media/clip_image036a.png)
 
 Depending on your requirements, you may choose to deploy additional network infrastructure for your Azure landing zones deployment. The optional resources include:
 
-* DDoS Protection Standard
+* DDoS Network Protection
 * Azure Private DNS Zones for Azure PaaS services
 * VPN and ExpressRoute Gateways
   * If you choose to deploy either or both of these gateways, you will have the option to select the subnet to be dedicated for these resources, if you decide to deploy them as regional or zone-redundant gateways, as well as choose the right SKU based on your requirements
@@ -176,7 +176,7 @@ You can optionally bring in N number of subscriptions that will be bootstrapped
 
 You can also indicate which subscriptions you would like to be bootstrapped as landing zones but without corp connectivity. Finally, you can select which policy you want to assign broadly to all of your landing zones.
 
-As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Standard plan, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
+As part of the policies that you can assign to your landing zones, the Azure landing zone portal accelerator will allow you to protect your landing zones with a DDoS Network Protection, and for corp connected landing zones, you will have the option to prevent usage of public endpoints for Azure PaaS services as well as ensure that private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones. 
 
 ![Graphical user interface, application  Description automatically generated](./media/clip_image037.jpg)
 

docs/wiki/What-is-Enterprise-Scale.md

@@ -47,7 +47,7 @@ Another example are some of the networking resources that we provide prescriptiv
 - [ExpressRoute Gateways & Circuits](https://azure.microsoft.com/pricing/details/expressroute/)
 - [Azure Firewalls](https://azure.microsoft.com/pricing/details/azure-firewall/)
 - [Virtual WANs](https://azure.microsoft.com/pricing/details/virtual-wan/)
-- [DDoS Standard Protection Plans](https://azure.microsoft.com/pricing/details/ddos-protection/)
+- [DDoS Network Protection](https://azure.microsoft.com/pricing/details/ddos-protection/)
 
 Each of these resources have an associated cost that varies based on how they are deployed, configured and consumed as part of your Enterprise-Scale deployment.
 

docs/wiki/Whats-new.md

@@ -51,17 +51,22 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Docs
 
+- Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection).
 - Added ALZ Azure Policy [deprecation process](Deprecating-ALZ-Policies.md) to the Wiki.
 
+
 #### Tooling
 
 - *No updates, yet.*
 
 ### Policy
 
+- Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection). 
+- Incremented version for policy Deploy-DDoSProtection from "version":"1.0.0" to "version": "1.0.1"
 - Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081)
 - Deprecated two ALZ policies ([#1](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs.html), [#2](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs-to-LA.html)) as a [built-in Azure Policy](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) has been developed with the same functionality.
 
+
 | Old Policy ID(s)                               | New Policy ID(s)                     |
 |------------------------------------------------|--------------------------------------|
 | Deploy-Nsg-FlowLogs, Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 |
@@ -557,7 +562,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 #### Docs
 
 - ["What's New?"](./Whats-new) page created
-- Azure DDoS Standard design considerations and recommendations added to CAF docs ([Virtual WAN](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology) & [Hub & Spoke](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology)) - closing issue [#603](https://github.com/Azure/Enterprise-Scale/issues/603)
+- Azure DDoS Network Protection design considerations and recommendations added to CAF docs ([Virtual WAN](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology) & [Hub & Spoke](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology)) - closing issue [#603](https://github.com/Azure/Enterprise-Scale/issues/603)
 - [Connectivity to other cloud providers](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-other-providers) CAF document released
 - [Testing approach for enterprise-scale](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/testing-approach) CAF document released
 - Updated [pricing section](https://github.com/Azure/Enterprise-Scale/wiki/What-is-Enterprise-Scale#pricing) on "What is Enterprise Scale" wiki page to provide further clarity.

eslzArm/eslz-portal.json

@@ -1109,10 +1109,10 @@
                         {
                             "name": "enableDdoS",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Enable DDoS Protection Standard",
+                            "label": "Enable DDoS Network Protection",
                             "defaultValue": "Yes (recommended)",
                             "visible": "[not(equals(steps('connectivity').enableHub, 'No'))]",
-                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled.",
+                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled.",
                             "constraints": {
                                 "allowedValues": [
                                     {
@@ -2154,10 +2154,10 @@
                         {
                             "name": "enableLzDdoS",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Enable DDoS Protection Standard",
+                            "label": "Enable DDoS Network Protection",
                             "defaultValue": "Yes (recommended)",
                             "visible": "[and(not(equals(steps('connectivity').enableHub,'No')),equals(steps('connectivity').enableDdoS,'Yes'))]",
-                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Protection Standard will be enabled.",
+                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Network Protection will be enabled.",
                             "constraints": {
                                 "allowedValues": [
                                     {

eslzArm/eslzArm.json

@@ -1509,7 +1509,7 @@
             The following optional deployment will configure virtual network hub into the connectivity subscription
         */
         {
-            // Creating resource group for DDoS Standard Protection
+            // Creating resource group for DDoS Network Protection
             "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
@@ -3234,10 +3234,10 @@
             }
         },
         /*
-            Note: ES Lite only: deploy RG for DDoS standard protection to platform subscription
+            Note: ES Lite only: deploy RG for DDoS Network Protection to platform subscription
         */
         {
-            // Creating resource group for DDoS Standard Protection
+            // Creating resource group for DDoS Network Protection
             "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
@@ -3267,7 +3267,7 @@
             }
         },
         /*
-            Note: ES Lite only: deploy DDoS standard protection
+            Note: ES Lite only: deploy DDoS Network Protection
         */
         {
             // Creating DDoS protection plan into the connectivity subscription

eslzArm/fairfaxeslz-portal.json

@@ -868,10 +868,10 @@
                         {
                             "name": "esDdoS",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Enable DDoS Protection Standard",
+                            "label": "Enable DDoS Network Protection",
                             "defaultValue": "Yes (recommended)",
                             "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
-                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled.",
+                            "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Network Protection will be enabled.",
                             "constraints": {
                                 "allowedValues": [
                                     {

eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json

@@ -11,7 +11,7 @@
         "ddosPlanResourceId": {
             "type": "string",
             "metadata": {
-                "description": "Provide the resourceId to the DDos Standard Plan in your connectivity subscription."
+                "description": "Provide the resourceId to the DDoS Network Protection in your connectivity subscription."
             }
         },
         "enforcementMode": {
@@ -29,8 +29,8 @@
         },
         "policyAssignmentNames": {
             "deployDdoS": "Enable-DDoS-VNET",
-            "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
-            "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard"
+            "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs.",
+            "displayName": "Virtual networks should be protected by Azure DDoS Network Protection"
         },
         "rbacNetworkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7",
         "roleAssignmentNames": {

eslzArm/subscriptionTemplates/hubspoke-connectivity.json

@@ -87,7 +87,7 @@
                 "No"
             ],
             "metadata": {
-                "description": "Select whether the DDoS Standard protection plan should be enabled or not."
+                "description": "Select whether the DDoS Network Protection should be enabled or not."
             }
         },
         "connectivitySubscriptionId": {

eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json

@@ -65,7 +65,7 @@
                 "No"
             ],
             "metadata": {
-                "description": "Select whether the DDoS Standard protection plan should be enabled or not."
+                "description": "Select whether the DDoS Network Protection should be enabled or not."
             }
         },
         "connectivitySubscriptionId": {

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection.json

@@ -6,10 +6,10 @@
   "properties": {
     "policyType": "Custom",
     "mode": "All",
-    "displayName": "Deploy an Azure DDoS Protection Standard plan",
-    "description": "Deploys an Azure DDoS Protection Standard plan",
+    "displayName": "Deploy an Azure DDoS Network Protection",
+    "description": "Deploys an Azure DDoS Network Protection",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.0.1",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [