Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Azure Firewall geo based rules

      Support for geo based Rules in azure firewall.
      IE Any traffic from Country A will be blocked

      194 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    2. Disable source NAT on incoming sessions on Azure Firewall

      Hi,

      As far as I can tell, source NAT is applied to all incoming sessions crossing a destination nat-rule on the Azure Firewall.

      It would be great if there was an option for this implicit source NAT to be disabled. Doing so would allow internal Azure VMs to see the real public IP address of the system making the incoming connection.

      The Azure Firewall deployment docs state that a default route should be set on the host's subnets pointing to the Azure Firewall - so source NAT should not be necessary for (public) Internet IP addresses to be routed successfully…

      175 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    3. FQDN tags for Office365 on Azure Firewall

      Office365 has plenty of domains. In case we need Office365 traffic via Azure Firewall, we have to retrieve all URLs and then add application rule accordingly. This will lead waste a lot of times.

      Please consider to add FQDN tag for Office365 accordingly. Thank you!

      143 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    4. X-Forwarded-For from firewall should be sending the external IP of the incoming connection.

      X-Forwarded-For is being overwritten by the firewall, so our internal servers cannot check the external IP of the incoming connection.

      This is a requirement of both business logic and PCI requirements, and the firewall should be sending the external real IP instead of its own IP to the internal servers.

      135 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    5. Add Effective Routes blade to Azure Firewall

      We are currently evaluating the use of Azure Firewall as our core firewall between on-prem and an Azure Hub/Spoke architecture via ExpressRoute.

      We need to be able to see what the effective routes are that Azure Firewall is using when we route all of our spoke traffic to it, and our on-prem traffic destined for the spokes to it as well. Currently, Effective Routes are only visible on resources with an associated NIC.

      Given that Azure Firewall is a PaaS network appliance, this is a critical feature for making it useful in our use case.

      130 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    6. Add Azure Firewall compatibility with Application Gateway

      I have an architecture with multiple subscriptions, virtual networks and connectivity to on-premises. In the hub subscription we use(d) Azure Firewall to filter network traffic between networks.

      It appears that Azure Firewall cannot be used in conjunction with Application Gateway, as (apparently?) the health probe traffic is not routed correctly and backend status is deemed as "unknown" even though everything is healthy. Microsoft Support confirmed that this is currently unsupported.

      This prevents us from using ready made PaaS solutions (App GW) in order to publish services running in Azure. At the same time, we consider network security a critical matter…

      129 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    7. Add ASG support on Azure Firewall

      Currently it's not possible to utilize ASGs in the Azure Firewall which limits the possibility of having an autoscaling environment and at the same time limit the network access to only what is necessary by specific resources.

      If deploying new resources and adding them into existing ASGs, it would be beneficial to be able to utilize ASGs as source/destination in Azure Firewall as well to remove the need of having to configure IP specific rules each time a new resource is deployed.

      100 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    8. Remove requirement for public IP on Azure Firewall.

      Our organization requires access to Azure cloud only via VPN for internal users. We would prefer to use the Azure firewall however currently a public IP is required. The requirement for a public IP should be eliminated as from a security perspective, this is unacceptable if the firewall is used for internal traffic only.

      87 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    9. XFD required for Azure Firewall to see the client source IP

      XFD required to be enable on Azure Firewall

      76 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    10. Diagnostic log for Azure Firewall includes rule collection name and priority for each entry

      The current log format for Azure Firewall as following, Rule Name and Priority Number is not supported by Azure Firewall diagnostic log yet.

      We would like to suggest to add this two columns on Azure Firewall Diagnostic log, I believe it will help to troubleshoot any network connectivity in an effective way for end users. Thank you!

      Application Rule.

      {
      "category": "AzureFirewallApplicationRule",
      "time": "2018-04-16T23:45:04.8295030Z",
      "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
      "operationName": "AzureFirewallApplicationRuleLog",
      "properties": {

        "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
      

      }
      }

      Network Rule.

      {
      "category": "AzureFirewallNetworkRule",
      "time": "2018-06-14T23:44:11.0590400Z",
      "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
      "operationName": "AzureFirewallNetworkRuleLog",
      "properties": {

        "msg":
      71 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    11. Azure firewall application rule does not support non-http80/http8080/https443 protocol, for example SMTP. Please add the new feature.

      In order to inspect access to smtp.office365.com through Azure firewall, and leverage target FQDN in application rule, please add SMTP protocol support since currently AFW does not support non-http80/http8080/https443 protocol.

      47 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  5 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    12. Azure Firewall

      Please add the ability to protect against inbound traffic from the public internet in addition to its present ability to protect outbound traffic. If this is going to be offered as a true SaaS 'Firewall' solution, I believe this should have that true firewall protection for incoming traffic (protection against common attacks, layer 7 packet inspection, etc.)

      46 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  9 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    13. Azure Firewall - Wildcards into FQDN into the Network Rules

      The Azure Firewall does not support wildcards into the FQDN of the Network Rules.
      This is working in Application Rules.
      Please make work into the Network Rules too.

      46 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    14. Please add start / stop cmdlets (ex. Stop-AzFirewall / Start-AzFirewall)

      Could you please provide cmdlets like Stop-AzApplicationGateway / Start-AzApplicationGateway.

      Following steps are really complexed. (Why Firewall doesn't keep VNet and Public IP information?)
      We need more simple step for stopping and restarting Firewall because its too expensive for PoC.
      If you can add cmdlets and portal UI, it really helpful for us.

      https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall

      46 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    15. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      42 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    16. Consumption based pricing for Azure Firewall

      The fixed hourly cost of azure firewall makes it prohibitively expensive to use in low-volume scenarios. We don't want to be put in a situation where we have to make a financial decision that overrides security patterns/architectures. Please give us some more licensing options so that we can take this product and deploy comprehensively through our networks at any point of scale.
      Thanks,
      Ben

      41 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    17. Allow ability with Azure Firewall to select the Public IP for outbound connections

      The Azure Firewall randomly selects the source public IP address to use for a connection on outbound connections.
      When you have multiple Public IPs associated to the Azure Firewall this means that when you connect to external sources, they may have to whitelist the full set of the Public IPs. So you have to use IP Prefix or load balancer to try workaround this.

      41 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    18. Logs to Appear in Log Analytics Near Real Time

      I have setup Azure Firewall wit Log Analytics. What would be useful is if the logs could get shipped near real time to Log Analytics. Experiencing about a 10 min delay.

      40 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    19. Support to retrieve effective route of Azure Firewall

      I believe Azure Firewall doesn't support to retrieve effective route at this moment. While if we advertise a lot of routes from on-premise or if we have hub-spoke setup, it's hard for us to know how Azure Firewall forward the traffic. Can we add this feature? Thanks!

      39 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    20. Azure Firewall with Just in Time Access

      With the latest just in time access support for Azure Firewall, DNAT rules are added when access is requested to the private IP. We have secure servers without public endpoints secured by JIT. As soon as a request is made to access port 3389, Azure Firewall NATs a port (13389) on its public endpoint mapped to our server. There is no notification of this happening at the time of the JIT request. It would be great to have a feature that would allow the DNAT setting to be disabled when requesting access through JIT.

      37 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4
    • Don't see your idea?

    Feedback and Knowledge Base