Did you get an answer for this question from Microsoft Haripraghash please? If yes please share it with me. Thanks

Ragulan Sivabalakrishnan no I did not get a reply for that. Based on what I have researched, best bet is to add a WAF in front to at least mitigate L7 attacks. However it won’t entirely eliminate DDOS as DDOS can be done in a variety of ways on L4

All PaaS services have basic DDoS enabled by default.

docs.microsoft.com/en-us/azure/app-service/overview-security

Provided as a complimentary service among others like Azure Firewall and DDoS Std, WAF is needed to protect against L7 attacks on web applications viz. sql injection, xss scripting etc. Firewall can allow organizations to control the flow of traffic inbound/outbound from the hub VNET. While DDoS Std, protects the public IPs of both WAF, Firewall and other services in the hub VNET from DDoS attacks. Network security requires holistic approach, defense in depth, zero trust - where if one layer/control is breached; other layers/controls are available to provide protection.