Do we need DDoS protection if hub Vnet is connected to on-premise via Express route using Private peering

Question

If the hub Vnet is connected to an on-premise network via ExpressRoute and connectivity is established using Private peering, and no public IP is being used, everything is private. Do we still need DDoS protection in the hub Vnet? It seems like an overkill to me. Please share your thoughts on this.

Answer 1

Hello @Mahesh Badgujar ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if DDoS protection is needed in a setup where hub Vnet is connected to on-premises via Express Route Private peering and no public IP is being used.

DDOS Protection only supports Public IPs in ARM based VNETs.

Services running on Azure are inherently protected by the default infrastructure-level DDoS protection. Only if you need dedicated monitoring to detect attacks against your Public IPs and application specific thresholds, then you should enable DDOS Protection.

Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview#architecture

You may consider DDOS if you have the public endpoints of your on-premises resources/service associated to a VNet in Azure. Example designs include:

• Web sites (IaaS) in Azure and backend databases in on-premises datacenter.
• Application Gateway in Azure (DDoS protection enabled on App Gateway/WAF) and websites in on-premises datacenters.

Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#can-i-protect-my-on-premises-resources-using-ddos-protection-

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures

Or, if you have a hub and spoke topology where the hub Vnet is peered to a spoke Vnet and the spoke Vnet has Public IPs, then you can enable DDOS protection in such setup. You can share an Azure DDoS Protection plan across all virtual networks in a single Microsoft Entra tenant to protect resources with public IP addresses.

Refer: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology

If there are no Public endpoints involved in your complete/overall setup, then DDOS should not be necessary.

You can rather go through the Azure security baseline for ExpressRoute document which provides recommendations on how you can secure your cloud solutions on Azure.

Refer: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/expressroute-security-baseline

Kindly let us know if the above helps or you need further assistance on this issue.

---

Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hey Mahesh Badgujar

It does seem like overkill at first, considering the private nature of the setup with no public IPs in the hub VNet.

The good news is, you've got a solid defense by keeping everything private and not directly exposed to the internet. DDoS attacks usually target public-facing resources, so your risk is significantly reduced.

That said, it's worth considering a few factors. If your on-premises network is critical, there might be value in implementing DDoS protection on that side of the ExpressRoute connection. Also, think about application-layer protection, especially if your hub VNet hosts services indirectly accessed by external users.

So te risk of a traditional DDoS attack may be lower in this scenario but I advice you e to assess your specific security requirements, compliance needs, and the potential impact of an attack.

If this helps kindly accept the answer thanks much.