Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.


If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. How to check secret version of KeyVault for Listener

      I created a KeyVault certificate and listener by reading the document below.

      https://docs.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps

      But I cannot confirm which version the AppGw is using because there is no secret version in Get-AzApplicationGateway. The SecretId is below, but it is only the certificate name, not the secret version.

      "keyVaultSecretId": "https://testkeyvaultest.vault.azure.net:443/secrets/test/"

      I hope we can check which version the AppGW is using.

      3 votes
      0 comments  ·  Application Gateway
    2. Azure Application Gateway: Support backend health status when using user defined routes

      Currently, if you have a security requirement to use User Defined Routing through a network virtual appliance firewall, health status of Azure Application Gateway doesn't work.

      This should be redesigned so it's an outbound connection from the application gateways to Azure's monitoring infrastructure rather than it needing to be an inbound connection.

      3 votes
      0 comments  ·  Application Gateway
    3. AAG - Export/Import configuration (primary -> DR restore)

      Looking for an option to backup & restore AAG configuration (backend pools, listeners, etc) from active/primary AAG to passive/DR AAG.

      MS support responded by saying there is no direct way to perform this task, but you can manually export the configuration in ARM template form. Reference: https://azure.microsoft.com/en-in/blog/export-template/

      3 votes
      0 comments  ·  Application Gateway
    4. Proxy timeout

      Possibility to customize the Application Proxy timeout. Default and long is not flexible enough.

      3 votes
      0 comments  ·  Application Gateway
    5. Application Gateway support of URL hash based routing

      I'd like the ability for user requests with the same URL (or same header) to be sent to the same back-end. This is useful if the back-ends cache content that users request, enabling them to serve users significantly quicker.

      In my specific use case, I want to connect multiple web-socket connections to the same host to share common resources.

      Other load balancers accomplish this by hashing the URL request and sending requests with the same hash to the same back-end.

      3 votes
      0 comments  ·  Application Gateway
    6. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      3 votes
      0 comments  ·  Application Gateway
    7. v2 Invalid Header support

      As V2 is built on NGINX, it's resulted in at least one undocumented breaking change.
      AGW v2 has the NGINX ignore_invalid_headers flag enabled. This results in headers containing a period being dropped.

      Whilst this might not be best practice, they're not technically invalid and this is something we have for historic reasons and makes it impossible to move to v2 without changing a lot of code.

      Making this setting configurable or disabling by default for backward compatibility with v1 would be welcome as I'm sure v1 App Gateways will be retired at some point.

      3 votes
      triaged  ·  0 comments  ·  Application Gateway
    8. One click add Application Gateway to AKS Ingress

      Right now adding Application Gateway to AKS is a disastrous mess of endless commands.

      This should be no more difficult than going to Networking under AKS and picking the Application Gateway to Install and clicking Add. (Or delete one that's already in there)

      And it should be a one liner using az.

      3 votes
      0 comments  ·  Application Gateway
    9. AppGw WAF_v2 Undo breaking change with case sensitivity for PathbasedRules

      Between older SKUs and WAF_v2 there has been a breaking change regarding case sensitivity of Rules.

      Starting with v2 Rules are now Case sensitive.

      Having a SaaS - offering with public API,

      This is
      - breaking existing REST-APIs published to customers and partners
      - completely unexpected for Windows-Users
      - a source for many customer-problems and support-calls

      3 votes
      triaged  ·  0 comments  ·  Application Gateway
    10. Allow pattern matching regexp exclusions like those used by other vendors, e.g. Barracuda

      Allow pattern matching regexp exclusions like those used by other vendors, e.g. Barracuda.

      So we can customise what is blocked in SQL tautology, for example

      sql-tautology-conditions-simple

      [^[:alnum:]]+(OR|AND|HAVING)(\x20|\x09|\x0d|%0a|\x22|\x27|\x2b)+[%'"()0x*+-/[:xdigit:]]+(\x20|\x09|\x0d|%0a)(!)?(=|<|>)(\x20|\x09|\x0d|%0a)[%'"()0x*+-/[:xdigit:]]+ similar expression in waf policy ?

      3 votes
      1 comment  ·  Application Gateway
    11. Restrict outbound access for AppGw V2

      Hi Team,

      For AppGw V2, outbound internet connectivity can't be blocked (the outbound NSG rule is kept as default); this will lead to security concerns for Bank/Gov customers. Please consider improving this limitation, such as allowing access to dependencies and then blocking by default.

      Thank you!

      3 votes
      0 comments  ·  Application Gateway
    12. Search feature when selecting App Services for Backend Pool

      When setting app services on the backend pool having a search bar to filter down the preferred set of App Services.

      3 votes
      0 comments  ·  Application Gateway
    13. Support for W3C Trace Context (distributed tracing)

      Please add support for W3C Trace Context (https://www.w3.org/TR/trace-context/).

      Azure Application Gateway should generate (and log) the required headers for the trace context so that end-to-end tracing would be possible. Preferably with integration to Application Insights which already supports this.

      3 votes
      0 comments  ·  Application Gateway
    14. Simplify HTTP redirect

      The current method involves two listeners and doubles the amount of configuration required.
      A better method would be for each listener to have a HTTPS redirect flag on it so anything received on 80 automatically redirects to 443.

      3 votes
      0 comments  ·  Application Gateway
    15. Application Gateway: support reuse of same azure vault stored certificate

      Problem: If you deploy a gateway with more than one secure (443) listener then you cannot use the same vault stored certificate as they must have unique names.

      See:
      https://feedback.azure.com/forums/217313-networking/suggestions/17523370-application-gateway-support-for-wildcard-ssl-cert
      Comment from Product at release time:
      You can associate the same certificate with multiple listeners. Please do not define the same certificate multiple times. Currently the certificate details must be unique – however the certificate could be reused across listeners.

      Scenario:
      You have multiple environments held in various vms/clusters/app service e.g.
      dev.domain.com
      test.domain.com
      pentest.domain.com
      uat.domain.com
      cutomer-uat.domain.com

      You have a wildcard certificate stored in vault and you want to reuse the…

      3 votes
      0 comments  ·  Application Gateway
    16. Azure Application Gateway with upstream HTTP Reverse Proxies and XFF

      Azure Application Gateway doesn't seem to populate the "clientIP" field value on the ApplicationGatewayLog and ApplicationGatewayFirewallLog logs with the initial/ real client IP when there is an upstream HTTP Reverse Proxy with X-Forwarded-For HTTP header insert option enabled. Under that integration scenario, "clientIP" gets populated with the client IP address from the Azure Application Gateway network flow and not from the application level flow via HTTP X-Forwarded-For header.

      It would be useful to have the option to change this behaviour for certain integration scenarios.

      3 votes
      0 comments  ·  Application Gateway
    17. Allow ModSecurity Rule Exclusion

      ModSecurity is not really designed to be a plug and play solution. It almost always requires tuning. Without being able to enter exclusions for certain files or paths, the only option is to disable the rule entirely, which is self defeating in most cases. An example would be WordPress. ModSecurity will flag certain actions of WordPress core (photo upload to the media gallery using admin or editing a post for example) as bad actions, meaning you either disable the rule entirely and thus the protection, or turn it on and off when you need to do those actions. Neither of those…

      2 votes
      triaged  ·  0 comments  ·  Application Gateway
    18. AppGW v2 setup : check the subnet size (min /28)

      Hello,

      Next to the Microsoft support request #119082022001909 (Impossible to create an AppGW v2 using Azure GUI Portal or AzureAppGWMigration.ps1 Application Gateway) : it appears it misses a check about the size of the subnet in which we want to deploy an Application Gateway v2.

      We've tried several times to create an appGW v2 using a /29 subnet without success, but without warnings too, although it is a prerequisite as described here > https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#size-of-the-subnet

      We've tried it 'manually' using the Azure Portal GUI Wizard, or using a PS script (to migrate v1 to v2) and we've got the same error…

      2 votes
      triaged  ·  0 comments  ·  Application Gateway
    19. Allow to customize behaviour of 949110 WAF Rule

      Currently WAF signatures even though in detect mode can start to block if the preset threshold of 949110 (not user available) is reached. This is not helpful as we are getting too many false positives and unfortunately we need to disable signatures completely instead of putting it in detect mode so that real attacks can get logged at least.

      Can we have this rule 949110, be made available to user for customization of threshold and behaviour according to our environment?

      2 votes
      0 comments  ·  Application Gateway
    20. Bug in Application Gateway Path Based Rules Redirection Configuration to External Site

      There is a bug in the "Rules" section of the "Application Gateway".
      Create a new path based rule for a multi-site Listener with HTTP HTTP settings.
      In this rule, add a new redirection configuration, to an EXTERNAL SITE.

      The "Include Path" checkbox is disabled. It is enabled only for the Listener case.
      Create the rule. The Include path value is null (verified through powershell az module and by the fact that the actual redirection does not work).
      I managed to enable this switch, via az powershell modules and all worked as expected.

      PLEASE FIX

      2 votes
      triaged  ·  0 comments  ·  Application Gateway