Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Allow creation of NSG rules based on FQDN along with Ports
NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM
396 votesThis remains on our long-term backlog as something we want to offer
For now we recommend trying Azure Firewall as the prefered solution to control outbound to Internet
-Mario [MSFT]
-
Add a Network Security Group tag for Windows Update
I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.
391 votesThanks for your feedback, we are working on this.
- Anavi N [MSFT]
-
Add Custom Tags to NSG Rules
It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-adresses/subnets as a seperate item in every NSG. When these ip-adresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-adresses/subnets as 'Custom Tags' in our NSG's rules we don't have to check and change every NSG rule with every ip-address change.
366 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location
Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).
This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.
342 votesThanks for the feedback, we are working on enabling ASG references across subscriptions/VNets, it’s currently on our plans
-
Allow network security groups to be created and renamed
Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?
My use case: I created an instance and and 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.
312 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Ability to create source/destination objects containing multiple IP addresses/ranges
When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.
166 votesCustom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs is a roadmap item for now.
-
Network Security Group
+Feature Request Discussion - There is a continued need for more intelligent NSG's going forward this is not only to provide a more dynamic, distributable scalable network but to replace more traditional models for DMZ designs. Focusing on distributed designs that do not rely on Virtual Appliances.
There following features I believe would put Azure ahead of other cloud providers. These could be canned as a premium offering charged per NSG on any number of measures even number of requests etc..
- DNS Based Rules
- NSG NameSpaces for MS Public Services especially Azure PaaS Servers by Service
- Custom NSG NameSpaces or…
132 votes -
multiple network security groups per NIC
Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)
108 votes -
Copy NSG
I want to copy new NSG from the existing NSG's similar policy.
I don't want to keep making the same or similar to the NSG policy.
The NSG copy function is required.95 votesHi Kimsejum
Thank you for sharing your idea, we’ll take this into consideration for future improvements
-
create predefined NSG for Azure Datacenters IP Range
Let's say I have a VM that I want to restrict access from the outside. I want this VM to be accessible from my onprem IPs and from Azure IPs (since a part of my infrastructure is on azure). Since at the moment of discussion ARM VMs do not support static IP address, it will be very useful to create a NSG for allowing traffic only from azure IP ranges. Right now you cannot create such NSG because a NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…
88 votesThanks for the feedback, service tag is called AzureCloud and it’s already available in all regions
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
-
Allow NSG for VPN Gateway Subnet
We want to connect several devices with our Azure VNET via the VPN Gateway. Therefore the VPN Gateway is configured for P2S connections.
We want to restrict the devices so that they can only communicate with certain other devices.
To implement this functionality we need to assign the VPN Gateway subnet a NSG. Furthermore this NSG should be dynamic, because the IPs provided by the VPN Gateway to its clients clould not be predetermined.
Currently NSGs are not supported for VPN Gateway subnets as well as there is no way to control IP allocation for connecting devices.
78 votes -
Enable the application of Network Security Group rules to groups of IPs
Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.
70 votesThanks for the feedback, we are looking into expose features for grouping and improve rule definitions, we’ll keep you posted
-
Setting NSG immediately
When NSG is set from PowerShell or the portal, the operation successfully completes soon but it takes a few minutes before the NSG setting will take effect.
Please set NSG setting immediately.69 votes -
NPS Extension for Azure MFA (IP Whitelist)
Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?
62 votes -
Support enabling and disabling NSG rules
Support enabling and disabling NSG rules
It would be nice if we could disable rules instead of having to delete them like other firewall products support :)
62 votesThanks for your feedback
We’ll review this feature to include it on our roadmap.
-
Add NSG Service Tag for "Office365"
It would be convenient for O365 users who need to set NSG rules that deny all internet access due to their compliance. Without the Service Tag for Office365, we have to deploy Azure Firewall to control the traffic of Office365.
61 votes -
Network Security Rules by MAC address also.
Network Security Rules by MAC address also. Right now the portal only allows filtering via IP address or CIDR block. I would like to allow remote laptops to access but their WAN IP keeps changing.
58 votesHi JMartinez
Thanks for the feedback, we’ll consider this feature for future improvements
-
add a source tag for Office 365 IPs to NSG Rules
Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.
Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)
57 votesWe’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
We’ll be adding tags for additional Azure services over time. -
Extend Locks to Individual Azure NSG Rules
Extend Locks to Individual Azure NSG Rules.
Large corporate environments need the flexibility to offer business units and employees Azure Development and POC environments that can still be secured but still allow flexibility to users.
Companies need to have the ability to lock down block and allow NSG rules at the 100 level so they cannot be deleted by users but still allow users the ability to add / delete / modify other rules. NSG rule locks would provide the needed flexibility and security to these types of Azure environments. In addition, Azure Policy deployIfNotExists would also be needed to…
53 votes -
Rename NSG policy
Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again
52 votesThanks for your feedback, this feature is under review for future improvements
- Don't see your idea?