Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Support in Azure Security Center for Web Apps behind a WAF inside App Services.

      Support in Azure Security Center for Web Apps behind a WAF inside App Services.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Please provide an option to monitor CPU performance of the application gateway at the portal level.

      Please provide an option to monitor CPU performance of the application gateway at the portal level. Since we are not aware of how much CPU is used of the backend instances.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Application gateway

      Hi MS team,

      Could you enable the 'Edit' option for the Listeners we are configuring in the Application gateway. This will be really helpful if we decide to change our certificate.

      Although we can do a workaround of deleting the listener and creating new one, but that needs some time investigating it, so I feel Edit option is a much better and easy approach for clients.

      Thanks,
      Thulasidas

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Current CPU Utilization metrics

      We've 502 failed request. Upon raising a ticket with Microsoft support we found that the Instance count was getting heavily utilized. Can you implement CPU Metrics so that we can do the same thing by ourselves.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. improve application gateway rule description documentation

      When you will improve the documentation to include better descriptions at the rules? Having a rule with a description Rule 981312 doesn't help to know what it does! Enabling all rules have a huge impact on WAF performance and we need to know what exactly each rule does in order to fine tune it.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Allow configuring the managed identity for app gateway through the portal

      The current CLI experience has a rather steep learning curve and is not ideal for someone just evaluating whether to use Azure.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. v2 Invalid Header support

      As V2 is built on NGINx, it's resulted in at least one undocumented breaking change.
      AGW v2 has the NGINX flag ignore_invalid_headers flag enabled. This results in headers containing a period being dropped.

      Whilst this might not be best practice, they're not technically invalid and this is something we have for historic reasons and makes it impossible to move to v2 without changing a lot of code.

      Making this setting configurable or disabling by default for backward compatibility with v1 would be welcome as I'm sure v1 App Gateways will be retired at some point.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. AppGw WAF_v2 Undo breaking change with case sensitivity for PathbasedRules

      between older SKUs and WAF_v2 has been a breaking change
      regarding case sensitivity of Rules.

      Starting with v2 Rules are now Case sensitive.

      Having a SaaS - offering with public API,

      This is
      - breaking existing REST-APIs published to customers and partners
      - completely unexpected for Windows-Users
      - a source for many customer-problems and support-calls

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. Web Application Firewall Exact Exculsion Does Not Work With Full Stops Bug

      Fix the bug whereby an exclusion in the Web Application Firewall WAF which uses an Exact match where the name contains a full stop / period does not work.

      My work around is to use Starts With instead which does not seem to care about the full stops.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Application Gateway does not support a long content-security-policy header

      I am attempting to set our content-security-policy (CSP) HTTP header using a Rewrite rule.

      When I exceeded 1000 characters (the maximum allowed in AG for a header value), I was stuck.

      I attempted to add a second HTTP header for "content-security-policy" but it seems the built-in behavior is to replace the first HTTP header with the second.

      The CSP standard allows for multiple duplicate headers. AG does not appear to support this.

      I am utterly stuck. I cannot set the CSP I need because of the 1000 character limit.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Azure Application gateway multiple Frontend ip addresses

      Azure Application Gateway allows multiple listeners over port 80 (HTTP), but it only allows 1 listener over port 443. You protect multiple websites using HTTP port (80), but only 1 using HTTPs (443). I propose the possibility of multiple IP frontend or just support multiple listeners over 443 (HTTPs). Trust me, is hard when you need an Application Gateway for each Azure web app...

      Best,

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Search feature when selecting App Services for Backend Pool

      When setting app services on the backend pool having a search bar to filter down the preferred set of App Services.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Simplify HTTP redirect

      The current method involves a two listeners and doubles the amount of configuration required.
      A better method would be for each listener to have a HTTPS redirect flag on it so anything received on 80 automatically redirects to 443.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Azure Application Gateway with upstream HTTP Reverse Proxies and XFF

      Azure Application Gateway doesn't seem to populate the "clientIP" field value on the ApplicationGatewayLog and ApplicationGatewayFirewallLog logs with the initial/ real client IP when there is an upstream HTTP Reverse Proxy with X-Forwarded-For HTTP header insert option enabled. Under that integration scenario, "clientIP" gets populated with the client IP address from the Azure Application Gateway network flow and not from the application level flow via HTTP X-Forwarded-For header.

      It would be useful to have the option to change this behaviour for certain integration scenarios.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. AppGW v2 setup : check the subnet size (min /28)

      Hello,

      Next to the Microsoft support request #119082022001909 (Impossible to create an AppGW v2 using Azure GUI Portal or AzureAppGWMigration.ps1 Application Gateway) : it appears it misses a check about the size of the subnet in which we want to deploy an Application Gateway v2.

      We've tried several times to create an appGW v2 using a /29 subnet without success, but without warnings too, although it is a prerequisite as described here > https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#size-of-the-subnet

      We've tried it 'manually' using the Azure Portal GUI Wizard, or using a PS script (to migrate v1 to v2) and we've got the same error…

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Allow to customize behaviour of 949110 WAF Rule

      Currently WAF signatures even though in detect mode can start to block if the preset threshold of 949110 (not user available) is reached. This is not helpful as we getting too many false positives and unfortunately we need to disable signatures completely instead of putting it in detect mode so that real attacks can get logged atleast.

      Can we have this rule 949110, be made available to user for customization of threshold and behaviour according to our environment?

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Bug in Application Gateway Path Based Rules Redirection Configuration to External Site

      There is a bug in the "Rules" section of the "Application Gateway".
      Create a new path based rule for a multi-site Listener with HTTP HTTP settings.
      In this rule, add a new redirection configuration, to an EXTERNAL SITE.
      The "Include Path" checkbox is disabled. It is enabled only for the Listener case.
      Create the rule. The Include path value is null (verified through powershell az module and by the fact that the actual redirection does not work).
      I managed to enable this switch, via az powershell modules and all worked as expected.

      PLEASE FIX

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Instance IPs of Application Gateway are not visible in Portal

      In our usecase, external facing App Gateway(AG) will forward the traffic to PaloAlto virtual firewalls and firewall will NAT traffic to internal AG. Every application will have it's own external & internal AG. The NAT policy in firewall cannot use external AG subnet as source, you will have to identify instance IPs of each external AG and create NAT policy based on that. At the moment only Azure support have visibility to instance IPs, these IPs need to be exposed to Portal.

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. azure application gateway websockets latency metric

      When using websockets together with Azure Application Gateway, you end up with artifically increased latency_d in the ApplicationGatewayPerformanceLog. Indeed, all the 101 (websockets) connections remain pending, which is a normal behavior and their duration gets recorded by the gateway. The problem is this normal behavior increases the average latency of all requests (including non-101) and there is no way to filter 101 out of the ApplicationGatewayPerformanceLog logs...Therefore, if we setup an alert on latency_d, this will raise a lot of false positives...While this metric is very useful in the ApplicationGatewayAccessLog because it allows for calculation of average user sessions, it…

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base