Hello @Mahesh Badgujar,
Welcome to Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I understand that you would like to know if DDoS protection is needed in a setup where the hub VNet is connected to on-premises via ExpressRoute private peering and no public IP is being used.
DDoS Protection only supports public IPs in ARM-based VNets.
Services running on Azure are inherently protected by the default infrastructure-level DDoS protection. You should enable DDoS Protection only if you need dedicated monitoring to detect attacks against your public IPs and application-specific thresholds.
You may consider DDoS Protection if you have the public endpoints of your on-premises resources/services associated with a VNet in Azure. Example designs include:
- Web sites (IaaS) in Azure and backend databases in on-premises datacenter.
- Application Gateway in Azure (DDoS protection enabled on App Gateway/WAF) and websites in on-premises datacenters.
Or, if you have a hub-and-spoke topology where the hub VNet is peered to a spoke VNet and the spoke VNet has public IPs, then you can enable DDoS Protection in such a setup. You can share an Azure DDoS Protection plan across all virtual networks in a single Microsoft Entra tenant to protect resources with public IP addresses.
If there are no public endpoints involved in your complete/overall setup, then DDoS Protection should not be necessary.
You can instead go through the Azure security baseline for ExpressRoute document, which provides recommendations on how to secure your cloud solutions on Azure.
Kindly let us know if the above helps or if you need further assistance with this issue.
Please don’t forget to "Accept the answer" wherever the information provided helps you; this can be beneficial to other community members.
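The answer above turns on one condition: whether any VNet in the topology actually carries a public IP, and if so whether that VNet is covered by a DDoS Protection plan. The following script is an added example (not part of the answer or of Microsoft's tooling) that evaluates that condition over the JSON shapes returned by `az network nic list` and `az network vnet list` (field names `ipConfigurations`, `publicIPAddress`, `subnet`, `enableDdosProtection`, `ddosProtectionPlan` follow the Azure Network REST API). The NIC and VNet records embedded below are constructed sample data, so it runs offline; in practice you would feed it the real CLI output.

```python
"""Inventory check: which VNets host NIC-attached public IPs, and are they DDoS-protected?

Added example, not from the original answer. Input shapes mirror `az network nic list`
and `az network vnet list` JSON; the records below are constructed sample data.
"""
import json
import re

# Constructed sample: a spoke NIC with a public IP and a hub NIC (ExpressRoute side) without one.
NICS_JSON = """
[
  {"name": "web-nic", "ipConfigurations": [
      {"subnet": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-spoke/providers/Microsoft.Network/virtualNetworks/spoke-vnet/subnets/web"},
       "publicIPAddress": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-spoke/providers/Microsoft.Network/publicIPAddresses/web-pip"}}]},
  {"name": "db-nic", "ipConfigurations": [
      {"subnet": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/hub-vnet/subnets/data"},
       "publicIPAddress": null}]}
]
"""
VNETS_JSON = """
[
  {"name": "hub-vnet", "enableDdosProtection": false, "ddosProtectionPlan": null},
  {"name": "spoke-vnet", "enableDdosProtection": false, "ddosProtectionPlan": null}
]
"""

# A subnet resource id embeds the parent VNet name between these path segments.
VNET_RE = re.compile(r"/virtualNetworks/([^/]+)/", re.IGNORECASE)


def vnet_name_from_subnet_id(subnet_id):
    """Extract the VNet name from an ARM subnet resource id, or None if malformed."""
    m = VNET_RE.search(subnet_id)
    return m.group(1) if m else None


def public_ips_per_vnet(nics):
    """Map VNet name -> list of public IP resource ids attached via NIC ipConfigurations."""
    result = {}
    for nic in nics:
        for cfg in nic.get("ipConfigurations", []):
            pip = cfg.get("publicIPAddress")
            subnet = cfg.get("subnet")
            if not pip or not subnet:
                continue  # private-only configuration, nothing exposed here
            vnet = vnet_name_from_subnet_id(subnet["id"])
            if vnet:
                result.setdefault(vnet, []).append(pip["id"])
    return result


def assess(nics, vnets):
    """Return per-VNet verdicts: NO_PUBLIC_IP, PROTECTED, or UNPROTECTED_PUBLIC_IP.

    A VNet counts as protected only when the flag is on AND a plan is attached,
    since the flag alone does not bind the VNet to any DDoS Protection plan.
    """
    exposure = public_ips_per_vnet(nics)
    verdicts = {}
    for v in vnets:
        name = v["name"]
        has_plan = bool(v.get("enableDdosProtection")) and bool(v.get("ddosProtectionPlan"))
        if name not in exposure:
            verdicts[name] = "NO_PUBLIC_IP"
        elif has_plan:
            verdicts[name] = "PROTECTED"
        else:
            verdicts[name] = "UNPROTECTED_PUBLIC_IP"
    return verdicts


def run_sample():
    """Evaluate the constructed sample records."""
    return assess(json.loads(NICS_JSON), json.loads(VNETS_JSON))


if __name__ == "__main__":
    for name, verdict in sorted(run_sample().items()):
        print(f"{name}: {verdict}")
```

On the sample data the hub VNet (ExpressRoute only) reports `NO_PUBLIC_IP`, matching the answer's conclusion that no plan is needed there, while the spoke with a public IP reports `UNPROTECTED_PUBLIC_IP`. The script only sees public IPs bound to NIC ipConfigurations; public IPs on load balancer frontends, Application Gateway frontends or NAT gateways would need the corresponding `az network ... list` output folded in before treating a `NO_PUBLIC_IP` result as final.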