Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Azure DNS needs DNSSEC support

      DNSSEC is required to be able to secure your DNS requests. At the moment this is not available. We cannot move our domains to Azure DNS until these requirements have been met.

      3,056 votes
    2. Stop/Start Virtual Network Gateway - so we don't pay when it is not in use

      There are two charges related to the Azure VPN service: the compute resource charge at $0.05/hour, and the egress data volume charge. Both are based on resource consumption. Unfortunately, even if the VPN tunnels are not connected, the gateway compute resource is still being consumed and will cost ~$38 monthly!
      This is not really "Pay only for what you use".

      Need functionality to “STOP” (and of course "START") a gateway if the customer is certain that the gateway will not be in use.

      1,588 votes
    3. Support IPv6 Throughout the Azure Platform

      IPv6 has been a standard for years and ISPs are starting to roll out native IPv6 stacks to consumers. The time is now to support IPv6.

      1,547 votes
      65 comments  ·  IPv6

      IPv6 in Azure VNET is currently previewing globally, in ALL Azure Public cloud regions.

      Announcement (Service Update): https://azure.microsoft.com/en-us/updates/public-preview-microsoft-adds-full-ipv6-support-for-azure-vnets/

      Links to Documentation & Samples
      Full documentation including sample scripts is available here: https://aka.ms/IPv6ForAzureVNETdoc

      A sample JSON template is posted in the quickstart repository: https://azure.microsoft.com/en-us/resources/templates/ipv6-in-vnet/

    4. Support URL rewriting with Application Gateway

      PathBasedRouting is nice, but not super great without the ability to rewrite paths. I am trying to front a Service Fabric cluster, where multiple HTTP services live on http://+:80, at different path prefixes. Would be nice to use Application Gateway to direct https://api.company.com to http://cluster/api, and https://www.company.com to http://cluster/www

      1,049 votes
      36 comments  ·  Application Gateway
    5. Azure should be its own domain registrar

      Windows Azure should offer domain registrar services so users don't have to maintain our domain names with a separate company. This also has the potential to greatly streamline the process of setting up a website on Azure.

      954 votes
    6. Extend Azure DNS to support zone transfers so it can be used as secondary DNS

      If Azure DNS supported zone transfers, then it could be used both as a reliable secondary DNS service, or as an external proxy service for AD split-brain, or on-premise hosted DNS configurations.

      895 votes
    7. Allow Mutual SSL Auth on Application Gateway

      At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into…

      761 votes
      43 comments  ·  Application Gateway
    8. Application Gateway: Support wildcard hosts in listeners

      Our product creates dynamic DNS zones for our customers, e.g. foo.z1.contoso.com, bar.z2.contoso.com, etc. We use Azure DNS for this. (Notice that we stripe our customers' domains across multiple zones (z1, z2), because Azure DNS has a max record count of 5000.)

      So, to support this, we have a wildcard SSL certificate for each zone, e.g. *.z1.contoso.com, *.z2.contoso.com.

      In order to have Application Gateway provide SSL termination for us, we obviously need to create Multi-site listeners for port 443. Unfortunately, the 'Host' field on the Multi-site listener does not accept wildcard entries. Furthermore, specifying the host name 'z1.contoso.com' does not appear…

      709 votes
      29 comments  ·  Application Gateway
    9. change virtual machine virtual network through portal

      Today, I needed to change a virtual network to an existing Virtual Machine. I had to delete this VM, create a new one using attached disks from the old one and set the Virtual Network. It would be nice if we had another way to do that, using Portal for example.

      669 votes
      16 comments  ·  Virtual Networks (VNET)
    10. Provide a 301 (Permanent) redirect service for apex (naked) domains

      Discussed in the Azure DNS docs: https://azure.microsoft.com/en-us/documentation/articles/dns-getstarted-create-recordset/#comment-2294403853

      Right now, you must use a static IP address if you want to point an apex (naked) domain (e.g., mycompany.com) to a Cloud Service (e.g., mycloudservice.cloudapp.net). Static IPs are stable as long as the Cloud Service isn't deprovisioned; however, for maximum security, simplicity, and maintainability (i.e., even if a cloud service is deprovisioned), it would be awesome if we could have 301 redirects for the apex domain to the www CNAME endpoint and not need to be concerned with the IP address of the Cloud Service at all. The scenario goes like…

      583 votes
    11. Enable ICMP traffic to Azure VMs over the Internet

      There are several scenarios in which ICMP traffic to Azure VMs is necessary, especially for monitoring tools that require this kind of communication. At the time this was written, AWS offered ICMP traffic controlled by endpoints, which is not possible with Azure VM endpoints.

      555 votes
    12. Change existing Public IP SKU from Basic to Standard

      We have already set up our business in Azure and utilize Public IPs in our infrastructure that are used by many different clients. With the release of Standard SKU Load Balancer and the requirement for Standard SKU Public IPs, we cannot proceed to upgrade our setup. A change in IPs would mean weeks or even months in planning/communication and reconfiguration of firewalls, VPNs, application restrictions.

      553 votes
      28 comments  ·  IP addresses
    13. Provide explicit drain stop capabilities for Load Balancing.

      Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.

      477 votes
      18 comments  ·  Load Balancing
    14. Let's Encrypt Integration for HTTPS certificates

      It should be possible to define a list of SSL hostnames. Application Gateway should automatically acquire and renew certificates for all given hostnames (most probably through the HTTP domain validation process).

      For every request, Application Gateway should use the correct certificate based on the hostname.

      Supporting multiple hostnames is critical to use Let's Encrypt with multi-site routing.

      465 votes
      2 comments  ·  Application Gateway
    15. Allow DNS servers to be advertised per subnet instead of VNET

      Instead of advertising the DNS servers per VNET, is there any way we can specify what DNS servers should be advertised per subnet? In most cases, I would create a VNET and use NSGs to segregate out my traffic.

      The problem with specifying the DNS servers for the whole VNET, is now I am required to create a completely separate VNET for a DMZ, as my internal DNS servers are being advertised to those machines. In this case, being able to specify DNS servers at a subnet level will allow more flexibility in regards to creating one VNET instead of multiple…

      465 votes
      18 comments  ·  Virtual Networks (VNET)
    16. Please add port-mirroring to Azure to enable DLP and logging applications

      We would like a virtual span port or port-mirroring ability

      365 votes
      13 comments  ·  Virtual Networks (VNET)
    17. Increase listener limit for Application Gateway

      Application Gateway has a very low listener limit (20 listeners / certificates). This severely limits its usefulness for multi-tenant/domain applications where a web farm / service hosts many endpoints. IIS itself has no such small limit, but due to constraints on certificate deployment in cloud services, Application Gateway is the only clear path to wide scale SNI based SSL hosting. With its low limit, it does not come close to meeting our use case. I would suggest the limit be removed or set to a very high limit like 10k+ so many certificates could be bound to host many different…

      360 votes
      21 comments  ·  Application Gateway

      We have raised the limit to 100 recently. We are regularly reviewing the limits and will continue to look for opportunities to raise the limits even further. If you have scenarios requiring limits higher than what is supported, please add your scenario details here (if you are comfortable with that) or raise an issue with Azure support and we will get back to you.

    18. Please provide a way for grouping the endpoints and assign as a group name to the Azure VMs

      We are adding endpoints for each virtual machine once created. Normally the RDP endpoint will be created by default, and more can be added if required by specifying the port #. I feel there are additional features needed to make this feature more flexible and to secure them in a centralized place. Some are -

      1. The endpoints are configured by defining the ports, but it is not accepting whether the ports are inbound or outbound. So, there should be an option to include the port to open for inbound or outbound instead of configuring in the VM.

      2. There…

      309 votes
      3 comments  ·  Virtual Networks (VNET)
    19. Add Custom Tags to NSG Rules

      It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise IP addresses/subnets as a separate item in every NSG. When these IP addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' IP addresses/subnets as 'Custom Tags' in our NSG rules, we don't have to check and change every NSG rule with every IP address change.

      302 votes
    20. Allow creation of NSG rules based on FQDN along with Ports

      NSG gives the option to configure NSG rules with IP address and ports. Similarly, we need an option to configure Inbound/Outbound NSG rules based on the FQDN. Most of our customers want to block Internet access from their Azure IaaS VMs; if we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites, etc., because all these Azure services require their endpoints (FQDN) to be reachable from inside the VM.

      298 votes