Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Web Application Firewall Cookie Exclusions only exclude Value checking not Name checking

      I understand it is only a Preview, but my feedback on Exclusions... if I create an Exclusion as follows:


      • Field = Request cookie name

      • Operator = starts with

      • Selector = Nonce

      This appears to stop the WAF inspecting the value of any cookie whose name starts with "Nonce". What it doesn't do is exclude the checking of the name of the cookie itself.

      For example a cookie called NonceABC--XYZ would still trigger the SQL Comment Sequence rule.

      This is a problem when an ASP.Net Core application, that uses Open Id Connect authorisation, is put behind the Application Gateway and the…

      66 votes
      4 comments  ·  Application Gateway
    2. Monitor Application Gateway Load

      Provide a way to monitor Application Gateway CPU/Memory in order to track load. It's hard to know only based on current access/http errors when the WAF is under heavy pressure and we need to scale it up.

      144 votes
      2 comments  ·  Application Gateway

      There is no plan currently to offer these system level metrics for Application Gateway Standard (V1). However, we are planning to offer more observability with our new Autoscaling version (V2) of Application Gateway/WAF. We already offer Capacity Units as a metric which gives you a sense of the traffic load on your Application Gateway. More are planned for V2. Please send in your specific feedback via https://aka.ms/ApplicationGatewayCohort

    3. Application Gateway does not support a long content-security-policy header

      I am attempting to set our content-security-policy (CSP) HTTP header using a Rewrite rule.

      When I exceeded 1000 characters (the maximum allowed in AG for a header value), I was stuck.

      I attempted to add a second HTTP header for "content-security-policy" but it seems the built-in behavior is to replace the first HTTP header with the second.

      The CSP standard allows for multiple duplicate headers. AG does not appear to support this.

      I am utterly stuck. I cannot set the CSP I need because of the 1000 character limit.

      6 votes
      triaged  ·  0 comments  ·  Application Gateway
    4. How to check secret version of KeyVault for Listener

      I created a KeyVault certificate and listener by reading the document below.

      https://docs.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps

      But I cannot confirm which version the AppGw is using because there is no secret version in Get-AzApplicationGateway. The SecretId is below, but it is only the certificate name, not the secret version.

      "keyVaultSecretId": "https://testkeyvaultest.vault.azure.net:443/secrets/test/"

      I hope we can check which version the AppGW is using.

      3 votes
      0 comments  ·  Application Gateway
    5. Application Gateway support of URL hash based routing

      I'd like the ability for user requests with the same URL (or same header) to be sent to the same back-end. This is useful if the back-ends cache content that users request, enabling them to serve users significantly quicker.

      In my specific use case, I want to connect multiple web-socket connections to the same host to share common resources.

      Other load balancers accomplish this by hashing the URL request and sending requests with the same hash to the same back-end.

      3 votes
      0 comments  ·  Application Gateway
    6. Reduce price for V2 SKUs

      Reduce price for V2 SKUs to make them more affordable for small workload projects

      12 votes
      1 comment  ·  Application Gateway
    7. Allow flags to be set on the Application Gateway Affinity Cookie

      Our security team is telling us that the cookie from the application gateway is failing security scans because the secure and httponly flags are not set.

      17 votes
      1 comment  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. "Azure Managed" SSL certificates for Application gateway for SSL offloading

      Please add the ability to use an Azure managed certificate for the application gateway for the use of SSL offloading. This feature would be nice so that we would not have to manage the certificate and it would auto update instead of us having to keep the certificate up to date.

      9 votes
      triaged  ·  0 comments  ·  Application Gateway
    9. Azure WAF v2 is not recognized by Azure Security Center as a security solution and it is not mentioned anywhere.

      Azure WAF v2 is not recognized by Azure Security Center as a security solution and it is not mentioned anywhere. The details that are provided are not enough to understand that it is not being recognized, as below.

      Partner solution name: Application Gateway

      Type: Saas-based Web Application Firewall
      Integration mode: Semi-automatically provisioned
      Status : Not reported

      Status has never been reported to Azure Security Center. Usually this means that this security solution isn't configured yet. It is recommended you login to the security solution management console to finalize the initial configuration

      7 votes
      triaged  ·  1 comment  ·  Application Gateway
    10. Need ability to set Maximum file upload size as a property for V2

      Our hosted solution requires uploads larger than 2GB for some applications like uploading a large video. We need a user setting for the maximum file upload on the V2 AGW.

      The current documentation is also not clear. It says: The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise stated. There are specific stated mentions of the 2GB limit for Standard and WAF and there is no specific limitation mentioned for v2.

      10 votes
      triaged  ·  0 comments  ·  Application Gateway
    11. Application Gateway WAF

      Application Gateway is always slow to update even a few configuration changes, so better backend networking with high speed support has to be mapped so that every end user will get better outcomes.

      1 vote
      0 comments  ·  Application Gateway
    12. Is it possible to expose Azure blob storage via Application Gateway

      Expose Azure blob storage via Application Gateway.

      I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.

      This would allow scanning for malicious content via virtual appliances before content is stored in blob.

      145 votes
      5 comments  ·  Application Gateway
    13. Application Gateway v2 "trusted root certificate" configuration via portal

      To configure end-to-end encryption with Application Gateway v2, cer is not supported for Backend Authentication Certificates under the HTTP settings. Using this will result in an error stating authentication certificates are not supported for v2. A Trusted Root Certificate should be configured for v2. This option seems to only be available via PowerShell and not through the Azure Portal.
      Please update the portal configuration options under "Add HTTP Setting" to allow adding Trusted Root for v2 gateways and not just Authentication Cert.

      25 votes
      0 comments  ·  Application Gateway
    14. AppGW v2 setup : check the subnet size (min /28)

      Hello,

      Next to the Microsoft support request #119082022001909 (Impossible to create an AppGW v2 using Azure GUI Portal or AzureAppGWMigration.ps1 Application Gateway) : it appears it misses a check about the size of the subnet in which we want to deploy an Application Gateway v2.

      We've tried several times to create an appGW v2 using a /29 subnet without success, but without warnings too, although it is a prerequisite as described here > https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#size-of-the-subnet

      We've tried it 'manually' using the Azure Portal GUI Wizard, or using a PS script (to migrate v1 to v2) and we've got the same error…

      2 votes
      triaged  ·  0 comments  ·  Application Gateway
    15. Azure Application Gateway wasp rule issue : 941120

      We have observed that the exclusion rule in Application Gateway WAF is not working. One of the Azure AD cookies, which are generated randomly, is creating a 403 issue on the gateway and blocking the request. The cookie will be like 'OpenIdConnect.nonce', which needs to be excluded, but it's not working since the name got concatenated with the value of the cookie. Please review this, since this seems to be a bug in the wasp rule.

      For Ex. REQUESTCOOKIESNAMES:OpenIdConnect.nonce.XcAqQkCKX3DproXEwEN5OnpgG3E2wFYTzxvyttvCLZo%3D ....

      5 votes
      triaged  ·  1 comment  ·  Application Gateway
    16. Static public outbound IP for Application Gateway v1

      We use Application Gateway v1 because it has the possibility to assign a static private frontend IP.
      Now we would love to see the possibility to assign a static public IP for outbound traffic.

      10 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    17. WAF (Application Gateway) Listeners limit increase from 100 to 200

      We had an issue creating more than 100 listeners in Application Gateway, and found that there is a limitation of 100 listeners maximum, which is very annoying because there are always scenarios where customers need to create multiple bindings for websites\domains, and then we need to create listeners for the same. I logged a case with MS and the response is not satisfying: MS cannot increase the limit from 100 to 200, and MS will consider it in future.

      I had to create more listeners for my requirement which increased complexity in my architecture and cost as well.

      Please increase…

      16 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    18. Instance IPs of Application Gateway are not visible in Portal

      In our use case, the external facing App Gateway (AG) will forward the traffic to PaloAlto virtual firewalls and the firewall will NAT traffic to the internal AG. Every application will have its own external & internal AG. The NAT policy in the firewall cannot use the external AG subnet as source; you will have to identify the instance IPs of each external AG and create a NAT policy based on that. At the moment only Azure support has visibility of instance IPs; these IPs need to be exposed in the Portal.

      2 votes
      triaged  ·  0 comments  ·  Application Gateway
    19. Allow setting intermediate certificates for SSL

      Application Gateway does not support setting an intermediate certificate. Some CAs provide leaf certificates that do not include all certificates in the certification path. When AG does not have the intermediate certificate, we need to manually create a certificate with the intermediate one.

      8 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    20. Add custom error pages like 405(with TRACE method) at global level of application gateway V2

      Please add custom error pages like 405 (with TRACE method) and other status codes returned by appgw (without forwarding the request to the backend) at the global level of application gateway V2, where the customer can block other scenarios and return a designated URL to the original client.
      Sometimes a customer has a requirement of completely removing 'Microsoft-Azure-Application-Gateway/v2' in the response header, so please consider adding this feature in future.

      6 votes
      triaged  ·  0 comments  ·  Application Gateway