Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Application Gateway service tag for IPs used to obtain backend health probe status in the portal.

      At this time in order for backend health probe status in the portal to work, we need to open port 65505-65034 on the app gw subnet to get a healthy status. Customers are not comfortable in opening these ports to the internet. We should create a Service Tag for source IPs in Azure that reaches out to the app gw to get this status. This would put the customer at ease and less reluctant on opening these ports.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Mutual SSL

      We ran into a limitation of the App GW today when the scenario required mutual SSL auth between the client IoT device and the backend server. Our Application Gateway always acts as a proxy to terminate incoming traffic and create new connections to our backend pools (SSL end to end).

      My team is looking for a way for the Application Gateway to include part of the client certificate in a header. Something that would be a unique to the client reaching out so that the backend could authenticate as needed.

      Please support this feature functionality!

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Deprecate use of Cipher Block Chaining cipher modes - TLS_RSA_WITH_AES_256_CBC_SHA256

      App Gateway is REQUIRING a WEAK CIPHER be enabled

      See: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-ssl-policy-powershell#configure-a-custom-ssl-policy

      ==Important==
      TLSRSAWITHAES256CBCSHA256 must be selected when configuring a custom SSL policy. Application gateway uses this cipher suite for backend management. You can use this in combination with any other suites, but this one must be selected as well.

      As of May 2019 - SSLLABS is identifying cipher suites using CBC as WEAK - https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities#comment-303228

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Headers to identify health monitoring requests

      My ApplicationInsights logs show all the health requests done by AG to monitor the health of the system.
      I'd like to have the possibility to recognize health requests through specific headers so that I can skip standard HTTP pipeline and immediately return 200 status code, without logging the request

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. Forward Request's Original Host

      This is useful when backend services need a way to recognize the client's requested domain (i.e. multitenant saas based on custom domains).

      X-Forwarded-Host or other custom header where we can get the original domain's name.

      Thanks!
      Luis

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow configuring the managed identity for app gateway through the portal

      The current CLI experience has a rather steep learning curve and is not ideal for someone just evaluating whether to use Azure.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    7. Direct Traffic to External web page when all nodes in a pool are down

      Ability to redirect incoming request to external webpage when all nodes in the backends pool are shutdown. Users will get this information information during maintenance/outage.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. We need the AppGw supports SNI for multiple end-to-end SSL sites(Different Certificate on backends)

      We have configured multiple end-to-end SSL sites on AppGw with different certificate, but AppGw doesn't support SNI when probe or forwarding traffic to backend. As a result, we have to configure the same certificate for my all virtual hosts on the backend. Could you please add this SNI feature in the AppGw future version?

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Application Gateway: SSL Offload: OWASP Header support

      Application Gateway: SSL Offload: OWASP Header support

      When using an Application Gateway to provide SSL offloading, there are no OWASP security header options. Without them, sites using ssl offloading will remain vulnerable to multiple attacks.

      Adding a security headers section to the WAF rules area will allow these to be set for SSL offload sites (and ssl passthrough ideally also). Alternately, these could be tied to each listener or the ssl policy.

      This would allow sites that depend on these headers for COMPLIANCE in their industry to use this product without having to configure an expensive workaround for this basic…

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. SSL ID session affinity, SNI and multiple VIPs/Certificate on Azure Application Gateway

      Be able to access applications that require SSL certificate based on SNI and provide session affinity using SSL session ID. This will allow to use less Public IPV4 addresses on frontend

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Auto-scale for Application Gateway

      I hope Application Gateway instance can increase with auto-scale.

      If it has this feature, we dose't need to add instance for many web access.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Prioritize Multi Site rules over Basic rules

      Currently, basic rules take precedent over multi-site rules. Logically you want to go from granular to generic, so this really should work the other way around. For example, if i have a multi-site rule for sitea.com on port 443 that uses backend pool a and a basic rule that forwards everything else on 443 to pool b currently everything will go to pool b instead of the filtering action occurring.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Azure WAF v2 is not recognized by Azure Security Center as security solution and it has not mentioned anywhere.

      Azure WAF v2 is not recognized by Azure Security Center as a security solution and it has not mentioned anywhere. The details that are provided is not enough to understand that it is not being recognized as below.

      Partner solution name: Application Gateway

      Type: Saas-based Web Application Firewall
      Integration mode: Semi-automatically provisioned
      Status : Not reported

      Status has never been reported to Azure Security Center. Usually this means that this security solution isn't configured yet. It is recommended you login to the security solution management console to finalize the initial configuration

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Need ability to set Maximum file upload size as a property for V2

      Our hosted solution requires uploads larger than 2GB for some applications like uploading a large video. We need a user setting for the maximum file upload on the V2 AGW.

      The current documentation is also not clear. It says: The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise stated. There are specific stated mentions of the 2GB limit for Standard and WAF and there is no specific limitation mentioned for v2.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. URL path management

      It would be nice to have ability to allow/block some path of the hosted sites:
      /page1/subpage1/subpage2 - allow
      /page1/subpage1 - block
      / - block
      or at least to allow/block only one page.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. To improve portal user experience for Application Gateway configuration

      Application Gateway is a combination of backend pool, backend HTTP settings, listeners, custom probes and rules. Most of the time, to make changes, it is necessary to update more than one of the above mentioned settings (pool, HTTP setting, listeners, rules). Each settings are placed on different UI blades and takes nearly 3 - 10 mins to make single setting change getting reflected.

      Feedback: Make a Wizard kind of interaction that will enable to specify all desired setting changes at once, then let apply these changes in a single shot behind the scenes.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Allow both ExpressRoute and VPN Virtual Network Gateways on a single VNet

      We have several clients who require both a ExpressRoute Gateway to connect from their on-premises network, AND a VPN connection between the same VNet and another VNet (Either in the same subscription, or in a different subscription.

      An example is a client who wishes to use their subscription to host database servers that can then replicate certain data sets across to an other companies subscription via a VPN connection.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Allow setting intermediate certificates for SSL

      Application Gateway does not support setting intermediate certificate. Some CA provide leaf certificates that do not include all certificates in the certification path. When AG does not has the intermediate certificate, we need to manually create a certificate with the intermediate one.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    19. Update activity logs to contain specific configuration change information.

      Currently the Activity Logs in Application Gateway just convey the information that configuration was updated at a specific time by a specific user.
      It should also contain the information about the specific configuration that was done or updated.
      Please refer the Support request number: 118121226003062 I had raised for the same shortcoming of Activity Logs.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Application Gateway does not support a long content-security-policy header

      I am attempting to set our content-security-policy (CSP) HTTP header using a Rewrite rule.

      When I exceeded 1000 characters (the maximum allowed in AG for a header value), I was stuck.

      I attempted to add a second HTTP header for "content-security-policy" but it seems the built-in behavior is to replace the first HTTP header with the second.

      The CSP standard allows for multiple duplicate headers. AG does not appear to support this.

      I am utterly stuck. I cannot set the CSP I need because of the 1000 character limit.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base