Does Windows Azure have anything readily available against denial of service attacks?

I reckon no one service provider could truly have a feature against denial of service attacks, because by saying that it means preventing DoS attacks. The only way is by migitating DoS attacks, which you can employ a number of techniques. I know that Windows Azure partially mitigates Denial of Service attacks, and this is due to the nature of the Load Balancer within the Azure environment. One technique that I know may work is to deploy an inexpensive role instance (Extra Small or Small)that acts as a reverse proxy to the actual web application which is sitting on the actual production role instance (Large or Extra Large instance)in Windows Azure. To implement the reverse proxy role instance, just enable ARR which is a feature within IIS. You can use startup tasks to enable ARR. This reverse proxy role instance may also have a rule in it that it checks for certain metrics, and if that metric has exceeded the preset threshold, it basically just stops accepting or forwarding the traffic onto the actual web app, or if automatic scaling is implemented, it just stops scaling beyond a maximum # of allowed instances. This minimized the economic impact from a DoS attack too. Then you just rely on how Windows Azure mitigates any Denial of Service attacks, which is when it detects any attack patterns from one Windows Azure role instance to another role instance. In that it will stop any attacks onto your actual web application.

The Azure load balancer provides some protection, but the details of this are not published.

A bit outdated blogpost about this but still relevant:http://blogs.blackmarble.co.uk/blogs/sspencer/post/2011/02/14/denial-of-service-and-windows-azure.aspx