Do we need DDoS protection if hub Vnet is connected to on-premise via Express route using Private peering

Mahesh Badgujar 40 Reputation points

If the hub Vnet is connected to an on-premise network via ExpressRoute and connectivity is established using Private peering, and no public IP is being used, everything is private. Do we still need DDoS protection in the hub Vnet? It seems like an overkill to me. Please share your thoughts on this.

Azure DDos Protection
Azure DDos Protection
An Azure service that provides defense against distributed denial-of-service (DDoS) attacks.
63 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 45,501 Reputation points Microsoft Employee

    Hello @Mahesh Badgujar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if DDoS protection is needed in a setup where hub Vnet is connected to on-premises via Express Route Private peering and no public IP is being used.

    DDOS Protection only supports Public IPs in ARM based VNETs.

    Services running on Azure are inherently protected by the default infrastructure-level DDoS protection. Only if you need dedicated monitoring to detect attacks against your Public IPs and application specific thresholds, then you should enable DDOS Protection.


    You may consider DDOS if you have the public endpoints of your on-premises resources/service associated to a VNet in Azure. Example designs include:

    • Web sites (IaaS) in Azure and backend databases in on-premises datacenter.
    • Application Gateway in Azure (DDoS protection enabled on App Gateway/WAF) and websites in on-premises datacenters.


    Or, if you have a hub and spoke topology where the hub Vnet is peered to a spoke Vnet and the spoke Vnet has Public IPs, then you can enable DDOS protection in such setup. You can share an Azure DDoS Protection plan across all virtual networks in a single Microsoft Entra tenant to protect resources with public IP addresses.


    If there are no Public endpoints involved in your complete/overall setup, then DDOS should not be necessary.

    You can rather go through the Azure security baseline for ExpressRoute document which provides recommendations on how you can secure your cloud solutions on Azure.


    Kindly let us know if the above helps or you need further assistance on this issue.

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Azar 14,195 Reputation points

    Hey Mahesh Badgujar

    It does seem like overkill at first, considering the private nature of the setup with no public IPs in the hub VNet.

    The good news is, you've got a solid defense by keeping everything private and not directly exposed to the internet. DDoS attacks usually target public-facing resources, so your risk is significantly reduced.

    That said, it's worth considering a few factors. If your on-premises network is critical, there might be value in implementing DDoS protection on that side of the ExpressRoute connection. Also, think about application-layer protection, especially if your hub VNet hosts services indirectly accessed by external users.

    So te risk of a traditional DDoS attack may be lower in this scenario but I advice you e to assess your specific security requirements, compliance needs, and the potential impact of an attack.

    If this helps kindly accept the answer thanks much.

    0 comments No comments