Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Allow different ICMP packets through Virtual Networks

      Currently, when defining rules under virtual networks, you can only specify ICMP as a whole; you cannot specify which type of ICMP packet is allowed.

      6 votes
      0 comments  ·  Azure Firewall
    2. Feedback regarding Firewall Deployment on Azure

      The following feedback has been posted by one of your customers regarding Deployments of Firewalls on Azure:
      "I did not receive a cost per day when deploying, and no indication for the monthly cost via the analysis. So I was surprised that the cost in a matter of a few days exceeded 100. It was good that I triggered a cost alert. The dashboard should provide cost of FW up front, and a way to down the FW when the rest of the machines are turned off. I would like to run the VMs only when needed, so I would…

      4 votes
      1 comment  ·  Azure Firewall
    3. Rules disappear

      I've had several instances where rules are saved but then disappear. This occurs in both Edge and Chrome.

      4 votes
      2 comments  ·  Azure Firewall
    4. Allow Azure Firewall to be deployed to different resource group to VNet

      Currently Azure firewall must be in the same RG as the VNet, which impacts current RBAC models.

      4 votes
      0 comments  ·  Azure Firewall
    5. 3 votes
      1 comment  ·  Azure Firewall
    6. Have a real-time logging feature on the Azure Firewall

      It would be very, very helpful to have a real-time logging (snooping) feature on the Azure Firewall. This is quite often needed to identify and troubleshoot network traffic.

      Currently you have to send the logs and diagnostics to a Log Analytics workspace, run a query and filter it. This is slow and cumbrous. It's not real-time and continuously running.

      3 votes
      0 comments  ·  Azure Firewall
    7. Azure Firewall: more granular threat intel rules and actions

      Currently the only choices for TI are: Alert or Deny. It would be nice to have a choice of actions based on threat category/severities/confidence.

      For example: block high confidence matches while only alerting on medium risks.

      Sites like abuseipdb.com often provide a "Confidence of abuse" level to indicate how likely it is that a given ip is abused. I assume TI internally uses a similar rating that could be used?

      3 votes
      0 comments  ·  Azure Firewall
    8. Make WAF accept application/octet-stream

      We do POST requests with content type application/octet-stream with binary content in it (user uploads archived binary data to server), it triggers 920420 rule with critical score (it blocks request immediately).
      - According to OWASP mod-security 3.0 source code it checks for tx.allowed_request_content_type variable that contains list of allowed content types - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L991
      - By default tx.allowed_request_content_type contains application/octet-stream so OWASP accepts POST requests with this content type - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-901-INITIALIZATION.conf#L163
      - Looks like mod-security in Azure WAF has custom tx.allowed_request_content_type configuration without this content type

      It would be nice to synchronize mod-security…

      3 votes
      0 comments  ·  Azure Firewall
    9. Azure firewall Threat Intel logs: option to always add fqdn to "Deny" log entries

      When TI blocks by IP instead of fqdn (which it seems to do most of the time, given the amount of blocks we notice), it would be very useful for troubleshooting if AzFW would also log the fqdn the client is accessing (from TLS Client Hello packet) in addition to only the blocked IP from SYN packets.

      We are experiencing quite a lot of false positives for Google and GitHub shared IPs on fresh Win 10 VMs with basic dev tools like Chrome/VScode, and this would help pinpoint what legitimate fqdn the clients are trying to access.

      It's also quite…

      3 votes
      1 comment  ·  Azure Firewall
    10. Azure Firewall - Utilize Existing Subnet

      Azure Firewall should allow for deployment into an existing subnet, pending the requirements met for available IP address space.

      3 votes
      0 comments  ·  Azure Firewall
    11. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      triaged  ·  0 comments  ·  Azure Firewall
    12. Azure Firewall showing up as "Other classic resources > Deployments"

      In Cost Management + Billing, Azure firewall cost shows up under the category "Other Classic Resources > Deployments". This can be misleading. I understand that Firewall billing is billed in two ways, but it should be better designated, so resources billing can be traced.

      Thanks

      Ref: Service request: 118111921002018

      2 votes
      0 comments  ·  Azure Firewall
    13. Azure firewall provisioning fails because of French locale: LocationNotAvailableForResourceType

      Azure firewall provisioning fails because of French locale on portal

      LocationNotAvailableForResourceType
      L'emplacement fourni « Europe occidentale » n'est pas disponible pour le type de ressource « Microsoft.Network/publicIPAddresses ».

      1 vote
      0 comments  ·  Azure Firewall
    14. Create default IP Rule for IP restrictions

      When creating first IP restrictions rule in a Web Application the default rule Deny all is implemented.
      This default rule is not visible and should automatically be generated on creation of first visible rule to then be configurable with Priority numeric.
      Otherwise many users of Azure Web apps will create a rule and not realise the whole site is blocked due to this default rule being applied.

      1 vote
      0 comments  ·  Azure Firewall
    15. Please create a blog post discussing when FTP - Active client connections were blocked from Azure

      We had a case opened to learn that FTP - Active mode was blocked from Azure. This was documented internally at Microsoft but nothing we could find on the web or Azure documentation. Many companies still use Active FTP (not saying that is a best practice) and for these companies it would be helpful to call this issue out as a known fact for migrating to Azure (if code changes are required).

      1 vote
      0 comments  ·  Azure Firewall
    16. WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF.

      WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF stand point. Means, We modified multiple TLS1.2 algorithm and tested to fix the issue. Why the custom/selected TLS1.2 algo is not working? Can you build the "front end troubleshooting page or packet capture page" to select correct TLS1.2 or elect the correct TLS1.2 automatically?

      Moreover, could you modify the name from "Listener" to "Backend Listener"? Because this name is really confusing with frontend certificate and backend TLS parameters.

      1 vote
      0 comments  ·  Azure Firewall

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

    17. FQDN tag in Azure Firewall for AzureMonitor

      FQDN tag in Azure Firewall for AzureMonitor

      1 vote
      0 comments  ·  Azure Firewall
    18. Azure Firewall - NAT Rules Clarification

      The NAT rules UI is a little wonky and less intuitive than I would like. I think the terms "destination" address and "translated" address could be modified to be more clear. Almost every customer that I have worked with on deployment of Azure Firewall has reversed these and hence impacted their configuration and timing for deployment. I think the UI should have F/W interface address (it should know it since it only can have one today) and the translated address field should be labeled target. That simple change would've saved a couple of customers an hour or two of frustration and…

      1 vote
      1 comment  ·  Azure Firewall
    19. service chaining

      Redirect traffic based on customizable criteria to other network functions that could be represented also as custom NVA to build network service chains.

      1 vote
      0 comments  ·  Azure Firewall