Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    • Allow the load balancer to support Azure databases as a backend pool

      It would be great if, in addition to Availability Sets and VMs, the various databases from Azure (MySQL, and PostgreSQL) could be part of a back end pool.

      2 votes
      0 comments  ·  Load Balancing
      • Add option to connect or disconnect vpn

        In ASM model, we have an option to connect or disconnect a VPN connection. Now in ARM model if we need to disconnect a VPN we need to delete the connection, and if we need to connect the VPN we need to recreate the connection.

        1 vote
        • Dynamic routing within VNET

          I would like to have the option to dynamically route traffic within a subnet in Azure.
          Example: I have two VMs acting as tunnel endpoints for 4G<->Network devices. These VMs are connecting to the same endpoints over Internet but use different technologies and have different connection availability. One is fast but unreliable, the other one slow but reliable. This setup is exported from my on premise VMware setup. But for this to work I have to be able to dynamically choose which VM I want to route traffic to, be it using Cisco route tracking or OSPF.

          I've set…

          3 votes
          0 comments  ·  Virtual Networks (VNET)
          • What's happening with 'legacy' Virtual Network Gateways?

            So the documents all describe 'Basic', 'Standard' and 'High Performance' SKUs as being 'Legacy'.

            I'm assuming this means that they are no longer being actively maintained and are likely to be made obsolete in the near future?

            If so, why is 'Basic' contained amongst the new Gateways on the pricing page? https://azure.microsoft.com/en-gb/pricing/details/vpn-gateway/

            There is a huge price difference between 'Basic' and 'VpnGw1'. I'm comfortable paying for 'VpnGw1' in my production environment but not comfortable spending that much for my test environments.

            So if I want to maintain consistency and eliminate variables between my environments I just have to pay for…

            3 votes
            • missing information in NSG logs (both event & rulecounter logs)

              Due to missing IP, port & protocol information for both source & destination, debugging & troubleshooting NSGs is hardly impossible... :-(

              Would be nice to see this information soon in the properties section!

              3 votes
              0 comments
              • Roelant

                When adding endpoints to the Traffic Manager, you get all app services that are available, but in our case, the list is very long, and searching makes it difficult. The list is not sorted, and neither can we filter it.
                Adding a filter would be very helpful.

                3 votes
                planned  ·  0 comments  ·  Domain Name Service (DNS, Traffic Manager)
                • configurable MTU

                  I've seen several conflicting recommendations for IPSec tunnel MTU/MSS.

                  First and foremost, publishing this (preferably inside the tunnel slice/pane) is a good first step, since it'd allow us to know definitively what we can do.

                  Second, and more significantly, I'd like to be able to CHANGE it... preferably by increasing the size... it seems that every time I turn around, the MTU needs to shrink - I'd rather leverage jumbo frames to allow higher throughput.

                  3 votes

                    Hi Scott,

                    Thanks for the feedback – totally understand the pain points and confusion. There are a couple of constraints on the Azure side and also specifically with VPN. The key issue is this is for packets coming over the Internet which we can only assume total packet size of 1500 bytes max. Azure SDN platform performs additional encapsulation on the packets within our datacenter networks, so it will be subtracted from there.

                    1. On the Azure VPN gateways, the recommendation is to set TCP MSS clamping to 1350; or if not possible for your device, then set MTU to 1400 bytes on the IPsec tunnel interface. We had updated/clarified the Azure documentation to call that out.

                    2. Changing MTU currently is not possible from the Azure VPN gateways. We will take it into configuration, but it will not be possible in the short term due to the scale…

                  • Local Network Watcher for End User for their Azure Instance

                    Local Network Watcher possibly tied into Internet Connection API. No overhead and only fires when the connection drops or is having issues. Allows the user to input their own instances and is able to visually see where the issue might be and possible solutions. So a mini Network Monitor.

                    3 votes
                    0 comments  ·  Network Watcher
                    • Traffic Manager support blob storage

                      for web site availability, I would like to use blob storage under traffic manager when blob (such as pictures, pdfs , movies) is stored to blob storage.

                      6 votes
                      • Loadbalancer multiple ports in one frontend rule

                        For NVA's (Network Virtual Appliances) in a HA setup, a load balancer is used to spread traffic across two active devices.

                        There are applications (i.e. AD) that use a lot of ports for communication or even dynamic port-ranges.

                        Unfortunately at this moment the LB only allows up to 150 rules with a single port.

                        Ideally it should be possible to load balance all ports (*), especially when it is a security device and you want to perform zero trust even within the Azure environment.

                        This is merely a problem on the Internal Load Balancer.

                        24 votes
                        2 comments  ·  Load Balancing
                        • scheduled connectivity check

                          Scheduled connectivity check
                          Check functionality is fine. I want to get email when check is completed and failed. So we need recurring checks.

                          3 votes
                          0 comments  ·  Network Watcher

                            Thank you for your feedback. We are investigating your suggestion to make scheduled connectivity checks with alerting and we will continue to update the status of this item appropriately. Please continue to share any feedback regarding the connectivity check and Network Watcher.

                          • DNS change

                            I am an Azure customer in Brazil and we have contracted virtual machines located in the south of Brazil, but on the DNS path map the traffic is going to the USA, causing major problems when the internet companies have DNS problems, and much of the time they do have problems. Therefore, I suggest that when we contract a server in Brazil, the DNS should not have to leave the country of origin, since the contracted server is also in Brazil.

                            1 vote
                            • Active / passive load balancing without the dependency of the cluster service.

                              Active / passive load balancing without the dependency of the cluster service.

                              1 vote
                              0 comments  ·  Load Balancing
                              • apply filter ip origin azure in NSG

                                apply filter ip origin azure in NSG.
                                This option is like "Allow access to Azure services" in "SQL server Azure"

                                3 votes
                                • Provide certificate-based authentication for S2S VPN

                                  Can you describe the technical reason why you decide not to offer this option when creating a s2s vpn and you offer only the phase1 pre-shared key method? The communications in Madrid HC Region are administered by Cesus and they follow directives from the Security Group of Madrid Digital (former ICM). In their form to require a s2s vpn only cert based is accepted for ipsec tunnels and without a clear technical reason it is almost impossible to negotiate an exception to shift to pre-shared key based phase 1 vpn

                                  1 vote

                                    Thank you for the suggestion. The key reasons for not offering cert-based IKE authentication are the additional compliance requirements and validations related to handling certificates. As a result, this is currently not on the roadmap.

                                    If certificate-based authentication is a requirement, currently customers will need to leverage a VPN appliance available from Azure Marketplace.

                                    Thanks,
                                    Yushun [MSFT]

                                  • Streamline SSL Certificate Renewal

                                    I have a SAN SSL certificate that contains 6 different addresses, these each have their own listeners etc. To apply a renewed certificate today I've spent 4 hours with Azure support, adding the new certificate, updating each site to use the new certificate one by one, and then going through the HTTPSettings and changing the certificate over in there for each site as well.
                                    In IIS this is much simpler, I add the new certificate and update the binding on one website and all sites are updated - done, in 1 minute.
                                    In summary making it quicker and simpler to update a…

                                    3 votes
                                    0 comments  ·  Application Gateway
                                    • Predefined Access Rules for Every Region

                                      Microsoft Azure should have predefined access rules for every region.
                                      For example, if someone wants to block traffic for every region except only one, should choose to allow for the specific one and add block rule for every other region.
                                      That would be good for DDoS attacks.

                                      1 vote
                                      • Support EV SSL certificates in application gateway

                                        Please support EV SSL certificates in Application Gateway. What is the reason they aren't supported already?

                                        16 votes
                                        1 comment  ·  Application Gateway
                                        • add a source tag for Office 365 IPs to NSG Rules

                                          Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

                                          Currently it is a nightmare to add all addresses for Exchange Online. We need an NSG policy for each address range :)

                                          https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

                                          5 votes
                                          • Allow Static Public IP Address

                                            Hi,
                                            We currently have VMSS running inside a public Load Balancer, that ensures all the apps have the same Public IP address. This is important for us, as we need to be able to publish our IP Addresses for all clients to whitelist.

                                            We really want to move to using the Application Gateway, but can't because it doesn't support static Public IP addresses.

                                            I don't believe there is a workaround either?

                                            21 votes
                                            0 comments  ·  Application Gateway