Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    • Support VNET re-deployment without destroying subnets

      When you deploy a VNET from an ARM template in incremental mode I would expect omitting the subnet property would not change the subnets since they are child resources. Instead they are destroyed. I think this is inconsistent with all other similar resource types e.g. app service plans and web apps, azure SQL servers and databases, etc... Please make VNETs and subnets deployments consistent.

      https://github.com/Azure/azure-quickstart-templates/issues/2786

      15 votes
      0 comments  ·  Virtual Networks (VNET)
      • Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.

        Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.

        3 votes
        0 comments  ·  Virtual Networks (VNET)
        • Ability to specify Target VM on Azure CLI command 'az network lb inbound-nat-rule create' command

          When you create an inbound NAT rule you cannot specify the target VM. You can use a different command (az network nic ip-config inbound-nat-rule add) or the GUI, but it would be good to have the option here too.

          1 vote
          0 comments  ·  Load Balancing
          • Allow to Reserve VPN

            Allow the Azure Admin to reserve an IP address for specific clients so that when they connect to the VPN via a Point-to-Site configuration, the client receives the same IP address all the time.

            1 vote
            • BUG in Azure PowerShell interface for creating NSGs

              There is a bug/conflict between the documentation for creating NSG rules with Azure PowerShell. The tag "VIRTUAL_NETWORK" mentioned in the documentation causes the API to throw a 400, whereas the "VirtualNetwork" tag (not mentioned anywhere in the documentation) allows for the successful creation of the rule.

              1 vote
              • VM MAC address spoofing

                I wanted to run multiple LXC/LXD containers on a single Linux VM and make them exposed to VNET via a bridged interface to provide services in the private network. That's not possible without VM/VNIC ability of MAC address spoofing. Please support it.

                1 vote
                under review  ·  0 comments  ·  Virtual Networks (VNET)
                • Next Hop - show which route entry was used

                  When you use next hop feature, it shows the route table ID that was used - but it would be nice if it showed the rule name from the route table as well.

                  1 vote
                  0 comments  ·  Network Watcher
                  • Add HTTP/2 support to Azure Application Gateway

                    Add HTTP/2 support to Azure Application Gateway. HTTP/2 has been around for long enough that this should be supported by now. We were disappointed once again after spending time investigating Azure Application Gateway that this is not supported. We shouldn't have to go backwards to use this service.

                    9 votes
                    0 comments  ·  Application Gateway
                    • Let IP flow verify show which NSG is matched.

                      The current implementation of IP flow verify in Network Watcher shows the name of the rule that is matched for allowing/denying traffic. It doesn't show the name of the effective NSG itself (only the rule in an NSG). A useful addition would be to show the name of the NSG in addition to the matched rule. A click-through to the NSG for instant changes would help as well.

                      1 vote
                      0 comments  ·  Network Watcher
                      • Let security group view show the order in which rules are processed

                        The current security group view allows multiple ways to sort the security rules that show up. It would be most useful if there would be a way to sort the security rules in the effective way they would be processed, meaning:
                        1. customer defined rules on the subnet
                        2. default rules on the subnet
                        3. customer defined rules on the NIC
                        4. default rules on the NIC.

                        1 vote
                        0 comments  ·  Network Watcher

                          Thank you for the suggestion, we’ll consider adding this sort option. The current UI in Portal provides you with tabs to see the security rules applied on the Subnet and the NIC, as well as the default rules.

                          Note, the rule processing order you provided only applies for inbound traffic. From https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg :

                          Inbound traffic

                          1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet will be dropped.

                          2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule to deny traffic, packet will be dropped at VM\NIC, although subnet NSG has a matching rule to allow traffic.

                          Outbound traffic

                          1. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule to deny traffic, the packet will be dropped.

                          2. NSG applied to subnet: If…

                        • Allow access to packet capture while capture is running.

                          When a packet capture is running in the Network watcher, you currently have to wait until the capture is complete to view the .pcap file. It would be useful to be able to look at the .pcap file while the capture is running.

                          1 vote
                          0 comments  ·  Network Watcher
                          • Allow Agent IP in UDR when using Forced Tunnel

                            You cannot add a UDR for the VM Agent IP when employing Forced Tunneling. This makes deployments fail (e.g. VMSS).

                            Please allow UDR to the special VM Agent IP of 168.63.129.16

                            Full error message:
                            Failed to add route 'DirectRouteToVMAgent' to route table 'VmAgentIp'.

                            Error: AddressPrefix 168.63.129.16/32 for route DirectRouteToVMAgent is not allowed because its in restricted address space.

                            38 votes
                            0 comments  ·  Virtual Networks (VNET)
                            • Add CAA record

                              Add the ability to add a CAA record! This is now becoming more important with Qualys flagging it as a "requirement".

                              55 votes
                              • Monitor container network traffic within a node

                                I would like to see a solution for monitoring traffic between containers on the same node. I'm not sure if the Network Watcher product already does this or not - it wasn't specified.

                                1 vote
                                2 comments  ·  Network Watcher
                                • Network Watcher Topology should get information for resources in different resource group than VNET

                                  The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But I noted that for a full topology, ALL resources need to be in the same Resource Group as the VNET chosen. That doesn't make sense, because it is pretty common to have VMs and NICs in different RGs. It would be great if you could choose an RG and a VNET as a starting point, and the Topology feature gathered all other interconnected resources independently of their RGs.

                                  15 votes
                                  1 comment  ·  Network Watcher
                                  • Display health probe status in Load Balancer

                                    Display health probe status for each node in the backend pools in Load Balancer

                                    13 votes
                                    0 comments  ·  Load Balancing
                                    • Increase limit for Public IP by Virtual Machine

                                      Increase limit for Public IP by Virtual Machine; today we can set just one IP for each VM. Sometimes it is important to get more IPs per instance, mainly when I have many websites on some host. We could create other VIPs.

                                      4 votes
                                      1 comment  ·  IP addresses
                                      • Gray out existing connections so they can't be connected with ExpressRoute.

                                        Gray out existing connections so they can't be connected with ExpressRoute again and cause an outage.

                                        Failed to create connection 'ExpressRoute-EUS'. Error: The ExpressRoute connection for Nrp Resource Uri: https://eastus.network.azure.com/subscriptions/GUID/resourceGroups/expressroute-rg/providers/Microsoft.Network/connections/ExpressRoute-EUS2 already exists with a different Nrp Resource Uri:https://eastus.network.azure.com/subscriptions/GUID/resourceGroups/expressroute-rg/providers/Microsoft.Network/connections/US-East2

                                        "Do not allow redundant ER connection deployments to start. There is currently an error message but no block to starting a redundant connection deployment. This operation causes the circuit to lose connectivity."

                                        15 votes
                                        under review  ·  0 comments  ·  ExpressRoute
                                        • multiple public IP

                                          Allow secondary NICs to have public IPs. We're trying to deploy Palo Alto Networks appliances as a VPN endpoint and it requires dual NICs, each with a public IP address. PA's reference architecture uses a NAT server to provide a second public interface. This is not ideal since we have to manage multiple servers and routes. The completed multi public IP feature allows multiple public IPs on the same NIC. We're looking for public IPs on multiple NICs.

                                          5 votes
                                          1 comment  ·  IP addresses
                                          • NAPTR Support (Name Authority Pointer)

                                            Support NAPTR records with Azure DNS. These are primarily used to complement SRV records which you currently support.
                                            https://en.wikipedia.org/wiki/NAPTR_record

                                            1 vote