Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. downgrade attack prevention - TLS_FALLBACK_SCSV

      Downgrade attack prevention should be a necessary addition to the Azure Application Gateway.

      All security audits (SSL Labs among others) show this to be a necessary security measure and as such they all downgrade your security compliance if you don't have it.

      42 votes
      triaged  ·  2 comments  ·  Application Gateway
    2. Add functionality to Application Gateway for routing based on HTTP headers

      The ability to route traffic to backend pools depending on HTTP headers would be much appreciated. At the moment the only way to do this is with a function app.

      109 votes
      3 comments  ·  Application Gateway
    3. Support for regex negative lookahead with WAF policy.

      I confirmed that we cannot use regex negative lookahead like below as match values of custom WAF policy in Application Gateway.
      "\%(?!$|\W)"

      Some people want to use this regex so I want you to add this feature.

      3 votes
      0 comments  ·  Application Gateway
    4. Application Gateway: support reuse of same azure vault stored certificate

      Problem: If you deploy a gateway with more than one secure (443) listener then you cannot use the same vault stored certificate as they must have unique names.

      See:
      https://feedback.azure.com/forums/217313-networking/suggestions/17523370-application-gateway-support-for-wildcard-ssl-cert
      Comment from Product at release time:
      You can associate the same certificate with multiple listeners. Please do not define the same certificate multiple times. Currently the certificate details must be unique – however the certificate could be reused across listeners.

      Scenario:
      You have multiple environments held in various vms/clusters/app service e.g.
      dev.domain.com
      test.domain.com
      pentest.domain.com
      uat.domain.com
      cutomer-uat.domain.com

      You have a wildcard certificate stored in vault and you want to reuse the…

      3 votes
      0 comments  ·  Application Gateway
    5. Rewrite header rule does not work well using redirect rule.

      When I attached rewrite header rule to a request routing rule with redirect, I confirmed that the rewrite rule did not work. I hope we can use rewrite header rule with redirect rule.

      6 votes
      0 comments  ·  Application Gateway
    6. Allow IP range whitelist for Application Gateway WAF IPS/IDS

      We have a range of web apps behind an Application Gateway (WAF in IPS mode) that need to be scanned on at least monthly basis for PCI compliance. We need to be able to whitelist the range of the scanners used by Qualys otherwise we get a FAIL for "Possible Scan Interference".

      Threat:
      Possible scan interference detected.

      A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
      The PCI ASV is required to post fail if scan interference is detected.

      23 votes
      triaged  ·  1 comment  ·  Application Gateway
    7. Better diagnostic message in AppGW on startup

      We have had instances of restarting app gw where during startup process the app gw ended up in a fail state without any diagnostic messages being available. RCA has shown that it has been due to DNS misconfiguration so FQDN for backend services hasn't been able to be resolved. This kind of error should yield an error log/diagnostic message so it easily can be rectified without opening a resource case. To further the issue a restart without a PUT operation actually doesn't change the DNS configuration so a restart should force a reread of all configurations and settings and clearing…

      1 vote
      0 comments  ·  Application Gateway
    8. Transform incoming URLs to lowercase

      Some applications behind the app gw can be case-sensitive. Especially when working in a bundle with Identity providers. Would be great to have ability to create custom rules where you can transform all incoming URLs to lowercase or uppercase.

      4 votes
      0 comments  ·  Application Gateway
    9. Allow flags to be set on the Application Gateway Affinity Cookie

      Our security team is telling us that the cookie from the application gateway is failing security scans because the secure and httponly flags are not set.

      64 votes
      2 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

    10. Reserved price

      We are using application gateways extensively, but there is no reserved pricing for AG. We need reserved pricing similar to VM and postgres PaaS.

      2 votes
      0 comments  ·  Application Gateway
    11. Application gateway support 99.95 SLA. We are using many azure resources in implementation and effective SLA is coming down due to AG. Other

      Application gateway supports 99.95 SLA. We are using many azure resources in implementation and effective SLA is coming down due to AG. Kindly provide/improve the SLA to 99.99

      2 votes
      0 comments  ·  Application Gateway
    12. Support App Service SSL certificates stored in Key Vault secrets for listeners on Application Gateway

      It seems like MS is 1 step away from having an extremely sticky functionality that seems like a no brainer.

      We have App Service Certificates. They are not "standard" but they work amazingly.

      They happen to be stored in the KeyVault in a really annoying way as a special data type. They are able to be auto-rotated, purchased through the portal, and create a lock in to the platform.

      Why can't we use these in the Application Gateway? It would GREATLY trivialize using it.

      6 votes
      0 comments  ·  Application Gateway
    13. Azure Application Gateway: Support backend health status when using user defined routes

      Currently, if you have a security requirement to use User Defined Routing through a network virtual appliance firewall, health status of Azure Application Gateway doesn't work.

      This should be redesigned so it's an outbound connection from the application gateways to Azure's monitoring infrastructure rather than it needing to be an inbound connection.

      3 votes
      0 comments  ·  Application Gateway
    14. Add custom error pages like 405(with TRACE method) at global level of application gateway V2

      Please add custom error pages like 405 (with TRACE method) and other status codes returned by appgw (without forwarding the request to the backend) at the global level of Application Gateway V2, where the customer can block other scenarios and return a designated URL to the original client.
      Sometimes a customer has a requirement to completely remove 'Microsoft-Azure-Application-Gateway/v2' from the response header, so please consider adding this feature in the future.

      23 votes
      triaged  ·  1 comment  ·  Application Gateway
    15. One click add Application Gateway to AKS Ingress

      Right now adding Application Gateway to AKS is a disastrous mess of endless commands.

      This should be no more difficult than going to Networking under AKS and picking the Application Gateway to Install and clicking Add. (Or delete one that's already in there)

      And it should be a one liner using az.

      3 votes
      0 comments  ·  Application Gateway
    16. Remove NSG validation from App Gateway V2 deployment

      This is more of a bug report than an idea.
      I tried deploying new WAF_V2 app gateway through ARM templates. My gateway subnet has a hardened NSG applied.
      Validation is applied to check whether certain traffic is blocked to the gateway. I have many problems with this:

      1) The validation is never satisfied with my rules. It will only be satisfied when I have my entire VNET way too open.
      I am referring to this error message when deploying:
      "Network security group <NSGID> blocks incoming internet traffic on ports 65200 - 65535 to subnet <SUBNETID>, associated with Application…

      68 votes
      6 comments  ·  Application Gateway
    17. Application Gateway (WAF) - document how to get firewall logs

      Please create documentation about how to retrieve Azure App GW firewall log.

      Microsoft does not mention a word about this. - Correct me if I'm wrong. Finally I found a solution on third party (!!!) site: http://francescomolfese.it/en/2018/07/azure-application-gateway-come-monitorarlo-con-log-analytics/.

      Application GW produces these types of logs:
      1. ApplicationGatewayAccessLog
      2. ApplicationGatewayPerformanceLog
      3. ApplicationGatewayFirewallLog – the most important one as it contains logs about security operations (reasons for blocking connections, etc...)

      To retrieve these logs (or at least first 2 of the 3 mentioned above), you have to do this:
      o Go to Log Analytics workspaces in Azure portal --> create or choose…

      75 votes
      2 comments  ·  Application Gateway
    18. Application gateway support multi-site listening on Private and Public Frontend IPs

      Currently the web application firewall can be configured with multiple Frontend IPs, such as Public & Private. However, multi-site listeners cannot be configured on standard web ports (80 & 443) on both frontend IPs. No port overlap is allowed. User must decide which of the two frontend IPs gets to listen on standard web ports, and the other must be configured on alternate ports. This is not usable for non-technical end users, and many of us require both public and private frontend IPs to support internal-only sites (such as a company intranet) in addition to customer-facing ones.

      114 votes
      3 comments  ·  Application Gateway
    19. Web Application Firewall Cookie Exclusions only exclude Value checking not Name checking

      I understand it is only a Preview, but my feedback on Exclusions... if I create an Exclusion as follows:

      • Field = Request cookie name
      • Operator = starts with
      • Selector = Nonce

      This appears to stop the WAF inspecting the value of any cookie whose name starts with "Nonce". What it doesn't do is exclude the checking of the name of the cookie itself.

      For example a cookie called NonceABC--XYZ would still trigger the SQL Comment Sequence rule.

      This is a problem when an ASP.Net Core application, that uses Open Id Connect authorisation, is put behind the Application Gateway and the…

      127 votes
      6 comments  ·  Application Gateway
    20. Pure internal standard_v2 application gateway

      Currently standardv2 application gateway must have a public IP to work. Please make it be able to work only with private IP address. This capability is available in standard sku but not in standardv2.

      106 votes
      1 comment  ·  Application Gateway