Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Azure Front Door - cache Key Vault sourced certificates

      We use Front Door to host multiple clients under the same domain, and configured HTTPS with a wildcard certificate sourced from Azure Key Vault. The same source Key Vault, secret name and secret version is used for all frontend endpoints configured.
      Customer DNS records:
      customer1.domain.com -> frontdoorname.azurefd.net
      customer2.domain.com -> frontdoorname.azurefd.net
      customer3.domain.com -> frontdoorname.azurefd.net

      Wildcard certificate in Key Vault *.domain.com

      Every time a new client front end is added and HTTPS configured for it, the certificate is deployed again, which takes 20 minutes. Front Door should recognize that the same version of the same certificate has already been uploaded before and…

      36 votes
      triaged  ·  1 comment  ·  Azure Front Door Service
    2. Azure Front Door support for self-signed certificates on backend origins

      It would be great to be able to use self-signed certificates on the backend pool VMs, Cloud Services, etc., but continue to use a Public CA signed certificate for the Frontend host.

      Especially for Dev/Test environments where the default *.azurefd.net front-end domain/certificate is suitable for testing purposes and traffic to the back-end pool should be across https. It would save needing to buy and install certificates for dev/test environments.
      Or, perhaps long-life "origin certs" could be issued by Front Door to be used on the back-end pool. Similar to Cloudflare's Origin Certs concept where the issued certs are trusted by…

      103 votes
      triaged  ·  3 comments  ·  Azure Front Door Service
    3. Ability to skip specific rules in Front Door WAF without skipping all rules

      There are a number of managed rules that trigger false-positives in Front Door's Web Application Firewall. For example, Google will attach a "gclid" URL parameter onto links for tracking, however, due to the randomness of this value, it can trigger the SQLI 942450 rule.

      The only options to prevent this from affecting customers are either:

      a) Remove the rule altogether, thereby reducing overall security across your backend hosts.

      or, b) Add in a custom rule to skip ALL rules when the "gclid" parameter is set (ie. Allow traffic). This is perhaps even worse than option (b), since you've effectively removed…

      10 votes
      1 comment  ·  Azure Front Door Service
    4. Handle passthrough of ARR affinity cookies when routing through FrontDoor

      Given that the ARR affinity at App service level relies on a cookie in the domain of the service's host name binding, FrontDoor renders this effectively dead when serving the URL differently externally. Some form of cookie passthrough/rewriting for this would allow for app-level affinity to still be possible

      19 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    5. Azure Front Door should automatically configure custom domains on backend app services

      When a custom domain is registered with Azure Front Door it should register that custom domain with backend app services.

      When backend app services do not have the same custom domain as AFD, app service session cookies are not passed back to the browser. Therefore session affinity is broken.

      Although there is a workaround that involves pointing the custom domain at the app services to register the domain, then pointing the custom domain back to AFD, in some cases that's just not feasible.

      We will be halting further rollout of AFD to our customers until this issue is resolved.

      27 votes
      triaged  ·  1 comment  ·  Azure Front Door Service
    6. Improve Front Door WAF Bot100200 managed rule (stop blocking Google crawlers)

      Currently the Front Door WAF Bot100200 managed rule blocks Google crawlers. This has resulted in pages being de-listed, and Ads being disapproved.

      This rule does, however, block malicious traffic, so disabling it completely (which is the only option) results in more malicious attempts on the backend hosts.

      This could also be fixed by putting Google crawlers into the "Good" bots rule which overrides the Bot100200. Why this hasn't happened is anyone's guess. In its current state, this rule is unusable.

      10 votes
      0 comments  ·  Azure Front Door Service
    7. Support User-Agent HTTP header for Azure FrontDoor

      Support for User-Agent HTTP header.
      It could be very useful to be able to redirect to a specific backend using the User-Agent header (iOS ...).

      Actually the only way I found to achieve this is to put another Nginx in front of Front Door to redirect to a specific host.

      6 votes
      0 comments  ·  Azure Front Door Service
    8. 22 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    9. Provide Example to connect Front Door with Azure Load Balancer

      Currently no example is provided to showcase connectivity between Azure Front Door and Azure Load Balancer. Although your FAQ states it should work, there is no proof anywhere, and any combinations tried in a live subscription to make this work lead nowhere.

      1 vote
      0 comments  ·  Azure Front Door Service
    10. Why does front door remove Authorization Headers when we do a Redirect?

      I have a set of APIs built using web service (legacy) and I have created a new set of APIs using Azure functions. Now I want all my legacy API to route to Azure Function.

      I tried the Azure Front Door service redirect to achieve the functionality. I was able to redirect but the request headers are missing in the redirected requests. Not sure why Azure Front Door is removing them?

      4 votes
      0 comments  ·  Azure Front Door Service
    11. Exclusions required in config of Frontdoor WAF

      Please implement match exclusions in the Frontdoor WAF similar to how exclusions are handled in Application Gateway WAF. We need to ignore a cookie value where randomized session strings seem to trip WAF regularly.

      Thanks
      Ben.

      6 votes
      0 comments  ·  Azure Front Door Service
    12. Give FrontDoor health probes an identifiable user agent to enable traffic to be filtered in Application Insights

      Health Probe requests from Azure FrontDoor should have an identifiable user agent string, which ideally should be included in the default ApplicationInsights.Config filters section.

      Any user of FD whose sites use AI are going to find their telemetry feeds flooded with multiple requests a minute otherwise, and all suggestions given from other users or MS have been workarounds for what should be a standard filter being missing.

      15 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    13. Log the violating field for Azure Frontdoor WAF logs

      Azure Front Door WAF logs currently indicate the violated rule name (ruleName_s) but it does not include the field (cookie name, query parameter name, etc) that was responsible for the action being invoked.

      This makes investigating false positives difficult.

      From what I can see in the Application Gateway documentation, its WAF looks like it does give you information about the details of the violation:
      https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

      1 vote
      0 comments  ·  Azure Front Door Service
    14. Provide an identifiable user agent for Front Door health probe requests

      HTTP requests sent by Azure FD for health probes should provide an identifiable User Agent, enabling application insights to filter these as synthetic traffic.

      Given the volume of requests this is going to be a problem for every Front Door user who uses AI telemetry

      11 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    15. Tag Front Door

      Allow tagging an existing Front Door. Currently it is possible to tag a Front Door only during creation.

      16 votes
      triaged  ·  1 comment  ·  Azure Front Door Service
    16. Add option to detach specific files from the Azure Front Door dynamic cache

      When you host a SPA (Single Page Application) on an Azure Blob storage with Azure Front Door (with dynamic caching activated):

      Every time you release a new version of the app, users have to force-reload the page in order to get the new version,
      because the links to the new assets (like main.***.js, ...) are located in the index.html, which has been cached.

      I was able to solve it:
      1. Let the Azure CLI set the Cache-Control header to "no-cache" on the index.html after pushing it to the blob storage:
      az storage blob update --account-name $(storageAccount) --container $web --name index.html --content-cache-control…

      31 votes
      0 comments  ·  Azure Front Door Service

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    17. Configuration of caching rules in Front Door

      Allow configuration of content caching rules similar to how Azure CDN (Akamai) and Azure CDN (Verizon). This will allow better support of leveraging Front Door with Azure Storage Static Websites where it is impractical to set cache-control on a per-item basis.

      82 votes
      planned  ·  1 comment  ·  Azure Front Door Service
    18. Make Front Door work correctly for Azure B2C sign in to an aspnet core web app

      I have an aspnet core web app which uses Azure B2C for storing registered users' data. Registration and sign in for the app works as expected.

      I tried to configure the site to work with Front Door. However, we noticed Correlation Failed exceptions being logged immediately after the user had signed in. They were not then being redirected correctly to the next view.

      Further investigation showed that Front Door was stripping cookies from a key response being returned from Azure B2C. These were the very cookies used to complete the sign in process for B2C. This explained the failure.

      In…

      32 votes
      2 comments  ·  Azure Front Door Service
    19. Guaranteed time to roll out a custom SSL certificate when creating/updating FrontDoor endpoints

      When creating or updating a FrontDoor endpoint with a new URL it would be useful to have an expected time when all locations globally will serve with the correct certificate. I have been advised by Azure Support now that a normal turnaround time for our scenario (certificate provided by us, stored in Keyvault) should be 6-8 hours, but have just had an instance where it has taken over 24.

      Given we will be regularly adding new URLs and will need to advise clients when they should be able to correctly access the addresses a) it would be useful to be…

      9 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    20. Front Door support Range headers where the client asks for more bytes than is available from the origin

      When the Facebook sharing service reaches out to get the metadata for a page, it asks for the first 512Kb of the page. However, most of the pages on our site are 21Kb, so Front Door kicks out the request with a 503 because the Content-Length headers do not match. Please support Range requests for files smaller than the requested size as well as cache those requests as well.

      4 votes
      triaged  ·  0 comments  ·  Azure Front Door Service