Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Support chunked file transfers through Azure Application Gateway + WAF

      This is an issue with the WAF's configuration of OWASP.

      When the WAF is in protection mode, it is currently not possible to use the js File API to upload files in a chunked manner to an application behind the Application Gateway. Some of the "chunks" get blocked by the firewall (see attached). This doesn't happen to all chunks but it is common enough that a 100mb file will probably encounter the issue.

      I have created a barebones test website which reproduces the issue here: https://github.com/elexisvenator/AzureWAF-chunked-upload-test

      I have contacted the OWASP ModSecurity project, who have responded that the Firewall rule…

      146 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Web Application Firewall Cookie Exclusions only exclude Value checking not Name checking

      I understand it is only a Preview, but my feedback on Exclusions... if I create an Exclusion as follows:


      • Field = Request cookie name

      • Operator = starts with

      • Selector = Nonce

      This appears to stop the WAF inspecting the value of any cookie whose name starts with "Nonce". What it doesn't do is exclude the checking of the name of the cookie itself.

      For example a cookie called NonceABC--XYZ would still trigger the SQL Comment Sequence rule.

      This is a problem when an ASP.Net Core application, that uses Open Id Connect authorisation, is put behind the Application Gateway and the…

      133 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Application gateway V2 subnet to support UDR

      We need to support UDR association with Appgw V2 subnet, since as of now it's not yet support while Appgw V1 does support. Please add this feature.

      125 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Application Gateway WAF: update to OWASP CRS 3.0.2

      The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.

      2 examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).

      OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).

      125 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      13 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow ACL on Application Gateway for IP filtering via X-FORWARDED-FOR header

      We have requirements from customers to restrict access via their company subnets. It would be very nice if the App Gateway supported not only the SSL offload but the ability to apply ACLs to allow or deny access via a defined network range using X-FORWARDED-FOR headers.

      121 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  12 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Application gateway support multi-site listening on Private and Public Frontend IPs

      Currently the web application firewall can be configured with multiple Frontend IPs, such as Public & Private. However, multi-site listeners cannot be configured on standard web ports (80 & 443) on both frontend IPs. No port overlap is allowed. User must decide which of the two frontend IPs gets to listen on standard web ports, and the other must be configured on alternate ports. This is not usable for non-technical end users, and many of us require both public and private frontend IPs to support internal-only sites (such as a company intranet) in addition to customer-facing ones.

      117 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Add functionality to Application Gateway for routing based on HTTP headers

      The ability to route traffic to backend pools depending on HTTP headers would be much appreciated. At the moment the only way to do this is with a function app.

      109 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Pure internal standard_v2 application gateway

      Currently standardv2 application gateway must have a public IP to work. Please make it be able to work only with private IP address. This capability is available in standard sku but not in standardv2.

      106 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Allow paths in Application Gateway rules to be defined as regular expression

      Currently, Application Gateway rules support only path matches with a wildcard at the end of the string.

      For us it means to rework our routing strategy as the first part of our route is dynamic /<domain>/<controller> (eg. /sales/process). The controllers are shared among domains. Domains can be dynamically created, what disallow us to directly use the current feature to separate only 'process' controller to standalone backend pool.

      We would prefer to be able to define something like '/[a-z]]+/process.*' as a matching criterion.

      104 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  14 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. Reorder the Listeners on the Application Gateway

      Recently I was in the need to register additional listeners to an App Gateway. The issue is that the rules and Listeners should be created (at least using the portal) on correct order and the portal don't have any options to change this order.
      As the process of update changes on the Gateway takes a few minutes, this type of change requires a few hours to create a new record, remove, add it again, create rules, etc.
      Using a pattern similar to the NSG where we define a value for the order would save a lot of time.

      96 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Add effective route for gateway subnet UDR

      Allow effective routes to be viewed for troubleshooting when a UDR is applied to a gateway subnet

      83 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Support for header content size configuration

      After many issues we run into an unsolvable 502 Bad Gateway error, simular to https://stackoverflow.com/questions/48964429/net-core-behind-nginx-returns-502-bad-gateway-after-authentication-by-identitys where the content size is too large in sign-oidc for open id connect post.

      Please add support to edit the values that end up into nginx.conf

      For now we cannot use the Application Gateway and looking into Cloudflare or Nginx Plus with WAF.

      83 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. WAF on Application Gateway have a function to allow some exceptional access for prevention mode

      It would be great if WAF on Application Gateway have a function to allow some exceptional access for prevention mode.

      Now, Web Application Firewall feature would be available as part of Azure Application Gateway.

      Currently, WAF on Application Gateway seems to not have a function to exclude from blocking access by any condition.
      So, I would like to request to add this function for WAF on Application Gateway.

      81 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Need a function to URL path rewriting in Application Gateway

      Currently, I know Azure Application Gateway has a function for redirection of URL path based.

      Now, I need a function for rewriting URL path during redirecting a request to backend server.

      For example, When Application Gateway received a HTTP request to http://www.contoso.com/test/, it redirects the request as /images/ to backend server.

      In other words, I want to set a URL path for backend server in PathRuleConfig in Application Gateway.

      79 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Application Gateway WAF support gzipped content in the request body

      Application Gateway WAF does not support gzipped content in the request body.

      79 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. Allow multiple hostnames in the same Listener Application Gateway

      Sometimes we share differents hostnames with the same web site.
      Currently, this means that we have to deploy differents listeners in order to provide access to the same backend pool.

      With a 20 listeners limit this solution is a bit expensive...

      Would it be possible to add multiple hostnames/sitenames to listener?

      Thanks in advance

      76 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Application Gateway (WAF) - document how to get firewall logs

      Please create documentation about how to retrieve Azure App GW firewall log.

      Microsoft does not mention a word about this. - Correct me if I'm wrong. Finally I found a solution on third party (!!!) site: http://francescomolfese.it/en/2018/07/azure-application-gateway-come-monitorarlo-con-log-analytics/.

      Application GW produces these types of logs:
      1. ApplicationGatewayAccessLog
      2. ApplicationGatewayPerformanceLog
      3. ApplicationGatewayFirewallLog – the most important one as it contains logs about security operations (reasons for blocking connections, etc...)

      To retrieve these logs (or at least first 2 of the 3 mentioned above), you have to do this:
      o Go to Log Analytics workspaces in Azure portal --> create or choose…

      75 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Azure Application Gateway - support for default route through NVA FW

      An Azure Application Gateway subnet can't have a UDR with a default route through an Network Virtual Appliance FW or Backend Health will be "unknown" This is due to asynchronous routing between the Azure Monitoring Service, the App Gateway, and the NVA FW. We need a way to create a route exception in the UDR for the Azure Monitoring Services traffic.

      73 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Allow both AppGw and Standard Public IP Address to move from one subscription to another.

      Allow both AppGw and Standard Public IP Address to move from one subscription to another.
      We, regardless of using AppGw v1 or v2, would be allowed to move an existing AppGw entirely by doing this.

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. When Azure-application-gateway will update with support of TLS 1.3

      Akamai-CDN recommended with TLS 1.3 but Azure-application-gateway is not available with the same.
      Due to this issue, we have see url-access issue over Akamai.
      So we have moved to Azure-traffic-manager\Azure-Load balancer.

      69 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base