Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics. The Diagnostic log entry for Azure Firewall likes below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purpose on customer side, We want to have the rule collection name can be recorded as well, so that we know the traffic hits which rule.

      "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      38 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  4 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    2. Disable SNI TLS extension check on Azure Firewall

      We are getting a lot of "Action: Deny. Reason: SNI TLS extension was missing" on Azure Firewall Log, which causes application failure if client application doesn't support SNI at the time of client hello. Can we add a feature to support Disable SNI check on Firewall manually?

      36 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    3. Add Service Tag (Internet) to Azure Firewall Network Rule

      Hello Team,

      It would be nice to add some service tags like Internet in the network rule section when we have to configure an outbound rule to allow VMs to browse the Internet. The current option only allows for IPs, which makes it a bit difficult if one wants the VM to browse the Internet.

      28 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    4. Azure Firewall - managed backup function

      Azure Firewall is a managed service but as of now is missing some critical operational functions like backup/restore and audit trail. Please enhance the service to automatically backup configuration (i.e. rules) and allow for restore into existing or a new instance of the Firewall. Also, enable some reporting capability that will show a history of configuration/rule modifications (add/delete/update)

      27 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow more than 100 IP Groups per firewall

      IP Groups are very strong features allowing the definition of dynamic IP adresses int one group that can be used for Firewall Rules. When such a dynamic IP address changed, the only thin to do it change the content of the IP group and all Firewall rules get the updated information, without the requirement to change them all individually.

      This great feuature is also used in our On Premise Palo Alto Firewall, having hundreths of so called Rule Objects. The limit in Azure seems to be 100 IP Groups per Firewall. Some Powershell/CLI/REST API command to check upon the existince…

      27 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    6. Firewall rule checker

      A quick tool to find out what rule allows/denies your test connection (source/dest, port, protocol etc.) would be very hand and an addition to being able to disable/enable rules

      27 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    7. Azure Firewall - Allow rules for any port on FQDNs

      Currently there is no option to allow connections to FQDNs through the Azure firewall unless the connection is on port 80 or 443.
      This means that we can't secure connections from IaaS VMs to services such as Service Bus which requires ports 9350-9354.
      Currently the only other alternative is a 3rd party NVA.

      26 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. Option needed in Azure Portal to export Azure Firewall rules to CSV

      Need a feature to export all the rules in Azure Firewall into an Excel or a CSV file. As of now, the Azure Portal supports only extraction to JSON, which can't easily be converted to Excel/CSV. An Excel/CSV would be much helpful to track and manage the firewall rules.

      24 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    9. Azure Firewall - FQDN Based NAT!

      I strongly hope AzureFirewall has "FQDN-based-Nat" function!!!

      23 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    10. Support for network rules with dns name or application rules with packets other than http/https.

      Support for network rules with dns name or application rules with packets other than http/https.

      For example if my service require access to SFTP or SMTP outside my organization I would like to open a rule with its domain address name and port (TCP22 or TCP25 respectively).

      22 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    11. Azure Firewall Service Tags in DNAT Source addresses

      Add service tags for the DNAT Source addresses

      21 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    12. Add what network rule is matched in logging

      The Network rule log does not include the matching rule name like it does for Application rule log. In the Application rule log it reads "Action: Allow. Rule Collection: collection1000. Rule: rule1002" in the message, but Network rules end at "Action: Allow". It makes it hard to troubleshoot firewalls, and know what rule is causing the issue. It also makes it hard to introduce the firewall into an existing environment where you have to start with an allow all rule because you do not know if what rules are getting matched.

      21 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    13. Add capability to flush the firewall dns cache (especially for negative cache)

      As mentioned in the doc, “Negative cache: DNS resolution results in no response or no resolution. The firewall caches this information for one hour.”.
      (https://docs.microsoft.com/en-us/azure/firewall/dns-settings#dns-proxy)

      There is currently to way to flush the firewall dns cache.

      It will be great to add it.

      19 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    14. Make WAF accept application/octet-stream

      We do POST requests with content type application/octet-stream with binary content in it (user uploads archived binary data to server), it triggers 920420 rule with critical score (it blocks request immediately).
      - According to OWASP mod-security 3.0 source code it checks for tx.allowedrequestcontenttype variable that contains list of allowed content types - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L991
      - By default tx.allowed
      requestcontenttype contains application/octet-stream so OWASP accepts POST requests with this content type - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-901-INITIALIZATION.conf#L163
      - Looks like mod-security in Azure WAF has custom tx.allowedrequestcontent_type configuration without this content type

      It would be nice to synchronize mod-security…

      19 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    15. Azure Firewall selective SNAT support

      We need the ability to set the outbound public IP address for source IP, ranges or subnets. This is basic firewall support. NAT gateway has this ability.

      18 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    16. IP Group Update

      When a new IP is added to an IP Group that is used in the Azure Firewall, please allow the firewall to recognize the new IP without having to change something in the firewall and do a Save.

      18 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    17. Have a real-time logging feature on the Azure Firewall

      It would be very and very helpful to have a real-time logging (snooping) feature on the Azure Firewall. This is quit often needed to identify and troubleshoot network traffic.

      Currently you have to send the logs and diagnostics to a Log Analytics workspace, run a query and filter it. This is slow and cumbrous. It's not real-time and continuously running.

      16 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    18. User / Group based Firewall Rules

      To move existing Webservices to Azure (Linux Webservers with internal Services) i would like to place them behind an Azure Firewall with Path Through Authentication against Azure AD, so that employees have access to the Ressource and any other access is blocked.I want to create Rules based on users not on IP-Addresses.

      Regards,
      Reiner

      16 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    19. Windows KMS servicetag is missing in Azure Firewall

      I have several Azure Firewall deployments with Windows servers. I'm looking for KMS servicetag. I cannot use fqdn destination address because KMS is not using http/https. Please could you add this service tag ?

      15 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    20. Allow PowerBI Pro to be whitelisted in firewall rules of Azure resources

      I couldn't find any information or how to whitelist PowerBI Pro to connect securely to Azure resources like SQL Database and Storage Account

      15 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    • Don't see your idea?

    Feedback and Knowledge Base