Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. XFD required for Azure Firewall to see the client source IP

      XFD required to be enable on Azure Firewall

      21 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    2. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics. The Diagnostic log entry for Azure Firewall likes below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purpose on customer side, We want to have the rule collection name can be recorded as well, so that we know the traffic hits which rule.

      "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    3. X-Forwarded-For from firewall should be sending the external IP of the incoming connection.

      X-Forwarded-For is being overwritten by the firewall, so our internal servers cannot check the external IP of the incoming connection.

      This is a requirement of both business logic and PCI requirements, and the firewall should be sending the external real IP instead of its own IP to the internal servers.

      108 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    4. Add ASG support on Azure Firewall

      Currently it's not possible to utilize ASGs in the Azure Firewall which limits the possibility of having an autoscaling environment and at the same time limit the network access to only what is necessary by specific resources.

      If deploying new resources and adding them into existing ASGs, it would be beneficial to be able to utilize ASGs as source/destination in Azure Firewall as well to remove the need of having to configure IP specific rules each time a new resource is deployed.

      73 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    5. Consumption based pricing for Azure Firewall

      The fixed hourly cost of azure firewall makes it prohibitively expensive to use in low-volume scenarios. We don't want to be put in a situation where we have to make a financial decision that overrides security patterns/architectures. Please give us some more licensing options so that we can take this product and deploy comprehensively through our networks at any point of scale.
      Thanks,
      Ben

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    6. Azure Firewall - Allow rules for any port on FQDNs

      Currently there is no option to allow connections to FQDNs through the Azure firewall unless the connection is on port 80 or 443.
      This means that we can't secure connections from IaaS VMs to services such as Service Bus which requires ports 9350-9354.
      Currently the only other alternative is a 3rd party NVA.

      22 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    7. User / Group based Firewall Rules

      To move existing Webservices to Azure (Linux Webservers with internal Services) i would like to place them behind an Azure Firewall with Path Through Authentication against Azure AD, so that employees have access to the Ressource and any other access is blocked.I want to create Rules based on users not on IP-Addresses.

      Regards,
      Reiner

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    8. Allow Azure Firewall to be deployed to different resource group to VNet

      Currently Azure firewall must be in the same RG as the VNet, which impacts current RBAC models.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    9. Disable source NAT on incoming sessions on Azure Firewall

      Hi,

      As far as I can tell, source NAT is applied to all incoming sessions crossing a destination nat-rule on the Azure Firewall.

      It would be great if there was an option for this implicit source NAT to be disabled. Doing so would allow internal Azure VMs to see the real public IP address of the system making the incoming connection.

      The Azure Firewall deployment docs state that a default route should be set on the host's subnets pointing to the Azure Firewall - so source NAT should not be necessary for (public) Internet IP addresses to be routed successfully…

      81 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    10. Add what network rule is matched in logging

      The Network rule log does not include the matching rule name like it does for Application rule log. In the Application rule log it reads "Action: Allow. Rule Collection: collection1000. Rule: rule1002" in the message, but Network rules end at "Action: Allow". It makes it hard to troubleshoot firewalls, and know what rule is causing the issue. It also makes it hard to introduce the firewall into an existing environment where you have to start with an allow all rule because you do not know if what rules are getting matched.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    11. FQDN like this 'gr-Prod-*.cloudapp.net' can not be set

      Even though this rule is mentioned in the docs here - https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration#fqdn-httphttps-dependencies, it's not possible to create because the portal says gr-Prod-*.cloudapp.net invalid FQDN.

      I know that ASE rules should be handled by Service Tags, but not in my case.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    12. Update Subscription Limits Documentation

      Update your subscription limits documentation. Your documentation makes no mention of the single public IP address limitation. https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#azure-firewall-limits. Thanks.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    13. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    14. Allow different ICMP packets through Virtual Networks

      Currently when defining rules under virtual networks you can only specify ICMP as a whole, you can not specify which type of ICMP packet is allowed

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    15. Support for network rules with dns name or application rules with packets other than http/https.

      Support for network rules with dns name or application rules with packets other than http/https.

      For example if my service require access to SFTP or SMTP outside my organization I would like to open a rule with its domain address name and port (TCP22 or TCP25 respectively).

      21 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    16. Logs to Appear in Log Analytics Near Real Time

      I have setup Azure Firewall wit Log Analytics. What would be useful is if the logs could get shipped near real time to Log Analytics. Experiencing about a 10 min delay.

      34 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    17. Allow Azure Firewall to be deployed to different resource group to VNet

      Currently Azure firewall must be in the same RG as the VNet, which impacts current RBAC models.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    18. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    19. Allow PowerBI Pro to be whitelisted in firewall rules of Azure resources

      I couldn't find any information or how to whitelist PowerBI Pro to connect securely to Azure resources like SQL Database and Storage Account

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    20. Add support for Azure Firewall in Cloud App Discovery

      Cloud App Discovery can digest firewall logs from known firewall brands. Manually or by implementing a log parsing container application.

      Please enable seamless integrations between Cloud App Discovery and Azure Firewall

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    • Don't see your idea?

    Feedback and Knowledge Base