Protected IP Transit

Peeryx protected IP transit and clean traffic delivery for exposed networks

Peeryx protected IP transit preserves prefixes, BGP control and several handoff models so legitimate traffic can return to production that is already running.

  • Relevant when you want to keep BGP and network control
  • Relevant when production already exists and should not be rebuilt
  • Relevant when latency, operating cost and handoff quality really matter
  • Relevant when you need several serious ways to get clean traffic back

When to choose Peeryx protected IP transit

Peeryx protected IP transit is the right choice when you need a real network product

This model is for teams that need more than a single protected IP or a one-size-fits-all tunnel. It preserves prefixes, BGP control and multiple clean-traffic handoff models while protecting infrastructure that is already in production.

  • You keep your prefixes, announcement policy and routing constraints
  • You need to protect existing infrastructure without a forced migration
  • You want a clean comparison between BGP, GRE, cross-connect, protected IPs and hybrid models
  • Your team needs a service that is documentable, integrable and operable every day

Keep network control

Protected transit makes sense when customer prefixes, edge design and BGP policy must stay central to the architecture.

Return clean traffic the right way

Cross-connect, GRE, IPIP, VXLAN or a router VM are not sales details. They are the mechanisms that define the real quality of the integration.

Compare service quality, not just price

A technical buyer wants to see the traffic path, mitigation model, handoff design and the constraints that remain on the customer side.

Prepare a clean deployment scope

A good model lets you frame prefixes, links, target latency, current hoster and legitimate traffic return paths from the start.

Why this model feels credible

Because it makes compatibility with the existing environment, handoff quality and long-term operating cost visible from the beginning.

How Peeryx works

Peeryx intercepts the attack, filters precisely and hands back only useful traffic

Peeryx sits between the Internet and your production as a specialized network layer. Depending on the scenario, your prefixes are announced toward the platform or your services are exposed through protected IPs, then legitimate traffic is returned through the delivery model that best fits your environment.

  • Protected transit or protected IPs depending on the need
  • BGP included with under-ASN and AS-SET support
  • GRE / IPIP / VXLAN / cross-connect / router VM
  • Compatible with symmetric or asymmetric routing

Controlled network exposure

BGP announcements for your prefixes or exposure through protected IPs depending on the level of control you want, rollout speed and the way your network already operates.

Mitigation built around real traffic

Filtering is designed to preserve legitimate traffic, with continuous observation, targeted signatures and upstream relief only when attack volume truly requires it.

Delivery matched to your topology

Cross-connect, GRE, IPIP, VXLAN or a router VM: Peeryx does not force a single model. The right handoff depends on your edge, hoster, target latency and operating style.

Existing infrastructure preserved

Dedicated servers, clusters, gaming platforms, APIs and critical services can stay where they are. The goal is to protect what already runs before considering wider changes.

What a customer should understand immediately

How Peeryx receives traffic, how mitigation is applied, how clean traffic comes back and how much network control the customer keeps.

Delivery models

Choose the right integration model

Depending on your topology, clean traffic can be delivered through protected IPs, GRE, IPIP, VXLAN, cross-connect or a router VM. The right choice depends mainly on the infrastructure already in place and the level of network control you need.

Protected IPs

A practical way to start quickly with clean public exposure and lower early complexity.

GRE tunnel

A standard model for protecting an existing dedicated server without rebuilding the full architecture.

BGP

Best suited when your own prefixes and routing policies need to remain in place.

Production-first approach

The objective remains to add protection without disrupting the customer’s daily operations.

What you are actually buying

Transit first

A clear focus on protected transit for infrastructure, hosting and public-facing services.

Flexible delivery

Cross-connect, GRE, IPIP, VXLAN and router VM delivery models let you fit Peeryx into your existing network design.

Policy control

Five included post-filter firewall rules let you rate-limit, accept or drop traffic after mitigation.

Built for serious traffic

Protection spans L3, L4, L5 and L7, including DDoS attacks targeting all L3/L4 protocols.

Delivery methods

Cross-connect

Protected transit delivered directly in the datacenter for low-latency, high-trust interconnection.

GRE tunnel

Fast deployment model for secure protected transit over established GRE encapsulation.

IPIP tunnel

Simple routed delivery option when IPIP better matches your infrastructure constraints.

VXLAN tunnel

Flexible protected delivery for environments built around overlay network designs.

Router VM

Prefer to keep tunnel control on your side? Peeryx can provide a router VM for iBGP or eBGP return paths.

How the service integrates

1. Delivery design

Choose cross-connect, tunnels or a router VM based on your existing topology and operational preferences.

2. Protected ingress

Traffic enters the Peeryx mitigation fabric where volumetric and protocol attacks are filtered in real time.

3. Post-filter policy

Firewall rules and behavioral analysis refine the accepted traffic profile after core mitigation.

4. Clean handoff

Filtered traffic is handed back to your infrastructure through the chosen delivery method, with BGP included.

Protected transit pricing

Commit-based pricing keeps the offer transparent while scaling efficiently for larger networks.

  • 500 Mbps → 1 Gbps: €0.60/Mbps (commit pricing)
  • 1 Gbps → 5 Gbps: €0.44/Mbps (commit pricing)
  • 5 Gbps → 10 Gbps: €0.29/Mbps (commit pricing)

Overcommit excess: €1.50/month per exceeded Mbps
24h free trial available before purchase

Everything included in the default offer

  • BGP announcement included
  • No prefix announcement limit
  • Under-ASN support included
  • AS-SET parameter supported
  • Anti-DDoS firewall included
  • Behavioral AI-based mitigation included
  • 5 included firewall rules
  • Additional rules available at low extra cost

Router VM

Router VM delivery option

If you prefer to control the tunneling layer yourself, Peeryx can provide a router VM so you can establish tunnels on your side and route traffic back using iBGP or eBGP according to your design.

Option

Optional Game Anti-DDoS filtering

Add specialized gaming traffic filtering for €190/month when you need deeper rules tailored to game protocols and session patterns.

Activation windows

Tunnel delivery

Up to 24 hours

Cross-connect delivery

Up to 72 hours

Urgent activation

Under 2 hours with €250 setup

Typical use cases

Hosting providers

Protect public-facing customer workloads without sacrificing delivery flexibility.

Infrastructure operators

Add premium Anti-DDoS protected transit to exposed backbone segments and edge services.

Enterprise services

Secure business-critical applications, APIs and platforms against disruptive traffic spikes.

Gaming-related networks

Protect game-adjacent infrastructure while keeping the transit product as the operational core.

Blog

Why this topic matters before choosing an anti-DDoS provider

Before buying protected transit, buyers should understand link saturation, 95th percentile billing, blackholing, asymmetric routing and the difference between static profiles and truly adaptive mitigation.

Protected transit FAQ

What is the minimum commit?

The minimum commit is 100 Mbps, billed on a 95th percentile basis.

Can Peeryx deliver through a router VM?

Yes. Router VM delivery is available when clients want to manage the tunneling layer and return traffic through iBGP or eBGP.

Is Game filtering mandatory?

No. It is an optional €190/month add-on for customers who need more specialized gaming rules.

What happens outside the commit?

Excess traffic outside the commit is billed at €1.50/month per exceeded Mbps.

Need a credible network design around protected transit?

Share your prefixes, links, hoster, target latency and expected handoff model. We will recommend the right Peeryx design.