Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Network Watcher Topology should get information for resources in different resource group than VNET

      The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But, I noted that for a full topology, ALL resources need to be on the same Resource Group than the VNET chosen. That doesn't make sense, because is pretty common to have VMs and NICs on different RGs. Would be great if you choose a RG and a VNET as a starting point, and Topology feature gather all other resources interconnected independently of their RGs.

      59 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        6 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
      • Network Watcher in Azure Stack?

        Can you provide any guidance on when we could expect to see this awesome tool in Azure Stack? it would be hugely beneficial

        49 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          4 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
        • Network Monitor Dashboard

          Provide a dashboard to help understand the Azure network topology and to visualise the NSG rules

          17 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
          • Next Hop - show which route entry was used

            When you use next hop feature, it shows the route table ID that was used - but it would be nice if it showed the rule name from the route table as well.

            10 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
            • Introduce alert mechanism in network watcher?

              It would be great if you can introduce an alert mechanism with all the monitoring it does. For exmaple : similar to what we have for Azure VMs, when the cpu utilization goes down we can configure an alert for the based on the threshold.

              Network watcher monitors many many things it should have the capability to generate alerts based on it's monitoring capabilities.

              10 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →

                Thank you for your feedback. We are reviewing your suggestion about how we can provide alerting functionality in Network Watcher. It would be helpful if you could comment on which features or monitoring areas you would most like to see alerting.

              • Packet and Byte Count in NSG Flow Logs

                Adding packet and byte count to NSG flow logs would give it parity with a number of netFlow analysis tools. Analyzing flows by data transferred is much more useful than counting flows and provides much better insight into the network.

                While WireData may provide this additional data it is (1) not available everywhere, (2) provides data redundant to NSG Flow, and (3) requires agent to get the necessary data.

                8 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  started  ·  0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                • Allow access to packet capture while capture is running.

                  When a packet capture is running in the Network watcher, you currently have to wait until the capture is complete to view the .pcap file. It would be useful to be able to look at the .pcap file while the capture is running.

                  8 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                  • Can network traffic (volume, speed, etc.) be visible in blades either at network interface or network security group?

                    Can network traffic (volume, speed, etc.) be a tile visible in blades either at network interface or network security group or VM?

                    7 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                    • Enable NSG Flow Logs for secured Storage Accounts

                      At the moment, it's apparently not possible to use NSG Flow Logs with secured Storage Accounts, even if the exception "Allow trusted Microsoft services to access this storage account" is enabled on the Storage Account.

                      It would be really helpful if you could add the Network Watcher this list of trusted Microsoft servies, so we can use secured Storage Accounts to store our NSG Flow Logs on.

                      6 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                      • Azure Networking Traffic Simulator

                        You should consider adding a Azure Networking Traffic Simulator somewhere in Azure to provide better tooling for troubleshooting and configuring NSG firewall rules.

                        5 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          planned  ·  1 comment  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                        • More frequent NSG Flow log rollover, and consumption into Traffic Analysis

                          It would be useful to have NSG flow logs consumed by Traffic Analysis more frequently than every hour (ever minute would be great!).

                          Currently the delay is too long to be useful for real-time troubleshooting, and useful only for analysis retrospectively.

                          4 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            1 comment  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                          • Let IP flow verify show which NSG is matched.

                            The current implementation of IP flow verify in network watcher shows the name of the rule that is matched for allowing/denying traffic. It doesn't show the name of the effective NSG itself (only the rule in an NSG). A useful addition would be to show the name of the NSG in additional to the matched rule. A click through to the NSG for instant changes would help as well.

                            4 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                            • Local Network Watcher for End User for their Azure Instance

                              Local Network Watcher possibly tied into Internet Connection API. No overhead and only fires when the connection drops or is having issues. Allows the user to input their own instances and is able to visually see where the issue might be and possible solutions. So a mini Network Monitor.

                              3 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                              • GetBestNeigbhors for a given Source Azure Region

                                GetBestNeighbors
                                Input :
                                AzureRegion SourceRegion : Source region , Frame of Reference
                                AzureRegion[] Regions : List of regions which needs to be reached from Source Region

                                Output : Ordered list of azure regions “best” reachable from SourceRegion

                                Alternatively , Simpler version

                                GetBestNeighbors
                                Input :
                                AzureRegion SourceRegion : Source region

                                Output : Ordered list of all available azure regions “best” reachable from SourceRegion

                                Alternatively ,Even more simpler version

                                GetBestNeighbors
                                Input :

                                Output : Ordered list of all available azure regions “best” reachable from SourceRegion. This must be same as it would have been called from Source region as above.

                                2 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                                • Provide option to trigger Alerts based on Network Watcher Connection Monitor result

                                  It would be useful if there is an option to trigger an Alert directly from the Network Watcher Connection Monitor when the result of a Monitor is UnReachable.

                                  1 vote
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Network Flow Logs should show public destination IP

                                    When looking at the NSG Flow Logs at the moment, all traffic from e.g. my local laptop, seems to be flowing directly to the private IP address of my VM.

                                    The source IP is the public IP address of my laptop and the destination IP should, in my opinion, be the public IP address of the VM, not the local private subnet IP (10.x.x.x), when traffic is inbound from the internet.

                                    1 vote
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →

                                      Yes, the NSG Flow Logs will record the private IP address of the Network Interface. There are scenarios where public IP addresses can be shared across resources (e.g. using an Internet Load Balancer or Application Gateway) therefore we display private IP addresses to be most specific.
                                      The need to preserve Public IPs address traffic flow as part of the flow logs is valued feedback. Thank you for contributing.

                                    • Monitor container network traffic within a node

                                      I would like to see a solution for monitoring traffic between containers on the same node. I'm not sure if the Network Watcher product already does this or not - it wasn't specified.

                                      1 vote
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        2 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Let security group view show the order in which rules are processed

                                        The current security group view allows multiple ways to sort the security rules that show up. It would be most useful if there would be a way to sort the security rules in the effective way they would be processed, meaning:
                                        1. customer defined rules on the subnet
                                        2. default rules on the subnet
                                        3. customer defined rules on the NIC
                                        4. default rules on the NIC.

                                        1 vote
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →

                                          Thank you for the suggestion, we’ll consider adding this sort option. The current UI in Portal provides you with tabs to see the security rules applied on the Subnet and the NIC, as well as the default rules.

                                          Note, the rule processing order you provided only applies for inbound traffic. From https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg :

                                          Inbound traffic

                                          1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet will be dropped.

                                          2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule to deny traffic, packet will be dropped at VM\NIC, although subnet NSG has a matching rule to allow traffic.

                                          Outbound traffic

                                          1. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule to deny traffic, the packet will be dropped.

                                          2. NSG applied to subnet: If…

                                        • Don't see your idea?

                                        Feedback and Knowledge Base