Hello @AndrewKelleher-1432 ,
Azure DDoS Protection Standard provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources, but the protection is only provided for IPv4 and IPv6 Azure public IP addresses.
Please refer to: https://video2.skills-academy.com/en-us/azure/virtual-network/ddos-protection-overview
And the FAQ part of: https://azure.microsoft.com/en-in/pricing/details/ddos-protection/
If you wish, you may leave your feedback here requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
You may however configure WAF on your application gateway. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.
Please refer to: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/ag-overview
Since you have mentioned that listeners are configured only on AppGW's private IP, I believe you are using Application Gateway v1, and you can easily change the tier of the application gateway to WAF and manage the WAF rules per your requirement.
For more details on WAF rules, please refer to: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp31
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
Please don’t forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.