Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Ability to specify two RADIUS servers

      Ability to specify two or more RADIUS servers in the P2S config for Azure VPN. Round robin by default if one fails.

      3 votes
      • Add a Network Security Group tag for Windows Update

        I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names and the IP addresses of these apparently change often.

        If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would achieve this.

        3 votes
        0 comments
        • Azure load balancer probe service

          Currently you need to provide a custom probe service or use applications (e.g. SQL Always-On Availability Group) which have built-in probe services or use other services' ports (e.g. RPC 135) for the probe service. Would it be possible to provide a probe service application that you can install as a service on the nodes instead of having to write your own probe service? I have seen some C# samples of such TCP port probe services, which you could install as a service, but it would be better to have an official one in case there are improvements, updates or changes…

          3 votes
          0 comments  ·  Load Balancing
          • Named network sets (avoid repeated network rules in every Azure service)

            Both SQL Server and Storage now support firewall for inbound requests, where I can inform authorized IP addresses or virtual networks that have access. It is expected that other Azure services will follow that (Key Vault? Data Lake?).

            The problem is that if I have a subset of services that use same firewall rules, I have to repeat these rules over and over.

            The suggestion is that Azure Network allows definition of a named network set, or simply named network definition, and then in each service I simply inform that name, instead of repeating the rules again.

            This way if…

            3 votes
            • Microsoft maintained UDR for MS services

              MS maintained UDR or firewall rule that enables traffic for MS services to allow outbound traffic from a host in a DMZ. Outbound traffic to all of 443 from a DMZ host to enable backups is a bad design - and using the MS provided IP List includes ALL services including other customers' IAS servers - as an attacker all they would need to do to exfil data is to set up an Azure host to send it to. It would be better to enable outbound traffic for specific services such as backup and have MS maintain a list of those IPs…

              1 vote
              • Support for IKEv2 VPN clients to connect to an Azure based RRAS server (Allow ESP traffic through NSG)

                Currently, Network Security Groups only support rules for TCP and UDP traffic. This request is for the addition of rules for ESP traffic which is required for IKEv2 clients to connect to an RRAS server running on Azure.
                We use ExpressRoute. Point-to-Site is not an option as they cannot coexist. We currently use SSTP for our clients to connect but lack the resiliency that comes with an IKEv2 connection.

                Alternatively, support for ExpressRoute/Point-to-Site coexistence would also satisfy our requirement and eliminate the need to maintain an RRAS server in Azure.

                3 votes
                • Adding tags concept for any object, which can have IP address.

                  Adding TAGs for any object which can have an IP address, and on top of that adding an API to integrate NVA, will give customers a great approach for really flexible micro-segmentation.

                  1 vote
                  • Exclude subnet from Expressroute connected vnet

                    I'd like the ability to exclude a subnet from a VNET where you connected an ExpressRoute to. We want to have a DMZ subnet in a vnet that can only be reached through a virtual appliance (a Check Point vSEC gateway). But after connecting ExpressRoute, the servers on this subnet also learn the routes, causing them to bypass the firewall setup.
                    It would be great if we could exclude a subnet.

                    1 vote
                    1 comment  ·  ExpressRoute
                    • Support in Azure Security Center for Web Apps behind a WAF inside App Services.

                      Support in Azure Security Center for Web Apps behind a WAF inside App Services.

                      3 votes
                      0 comments  ·  Application Gateway
                      • loadbalancer inbound NAT rule to arbitrary IP

                        Having an IPSec to on-prem, I would like to leverage an Azure Load Balancer to provide inbound NAT to services hosted on a private network (across the IPSec tunnel).

                        Currently LBs can only direct to VM or Availability Set, not user specified IPs.

                        It might make sense to create a "Private IP Address" resource type that would identify the 1..N addresses that the LB is NAT'ing to... or just let me plug in 1..N addresses.

                        3 votes
                        0 comments  ·  Load Balancing
                        • WAF file size limit to be increased

                          Currently as the WAF limit is set to 30mb, we cannot process our large files which could hit 100mb for example. Zipping and cutting them down would still cause them to be bigger than 30 MB.

                          Can you please increase the WAF file size limit? To possibly 1GB / 2GB

                          1 vote
                          0 comments  ·  Application Gateway
                          • Migration of VPN Gateway from old to new SKUs

                            Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

                            6 votes

                              Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

                              Thanks,
                              Yushun [MSFT]

                            • Direct Traffic to External web page when all nodes in a pool are down

                              Ability to redirect incoming requests to an external webpage when all nodes in the backend pool are shut down. Users will get this information during maintenance/outage.

                              3 votes
                              0 comments  ·  Application Gateway
                              • Ability to enable/disable vm members on a pool without reconfiguring the gateway

                                Occasionally we need to take one of the members in the pool for troubleshooting/debugging. This requires bringing down the gateway for at least 15-30 minutes. If possible to quickly enable/disable the member vm without long downtime.

                                3 votes
                                0 comments  ·  Application Gateway
                                • allow granular access control to manage NSG rules.

                                  Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]

                                  1 vote
                                  0 comments
                                  • Introduce managed SSL for Microsoft Azure

                                    This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.

                                    3 votes
                                    • Audit logs for DNS record changes

                                      Multiple people have access to our DNS zones. We would like to know who changed what.

                                      4 votes
                                      • Ability to limit access only to the specific storage account

                                        VNet Service Endpoint achieves secure access to storage from virtual network, but there is still a risk that someone might leak our sensitive data to his/her own storage account.
                                        To make sure our data is stored in our storage account, we really need the ability to limit access to the specific approved storage account.

                                        10 votes
                                        0 comments  ·  Virtual Networks (VNET)
                                        • Need more information from Log Analytics for App Gateway.

                                          We see 400 errors in Log Analytics. We don't see these connections on the web servers. We think the App gateway is dropping traffic. Support doesn't seem to know why this happens. We don't have enough good information to track these issues. requestQuery_s is blank, MS support cannot tell me what this is, let alone what it means if it is blank.
                                          We need more information.

                                          4 votes
                                          0 comments  ·  Application Gateway
                                          • Allow changing Billing Model for ExpressRoute from Unlimited to Metered with no downtime

                                            Currently you can change an ExpressRoute from Metered to Unlimited at any time without any disruption.

                                            You should also have the ability to go from Unlimited to Metered at any time without any disruption.

                                            1 vote
                                            1 comment  ·  ExpressRoute