Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Add a Network Security Group tag for Windows Update
I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.
742 votesWe are currently working on onboarding this Service Tag. Please stay tuned and check the Service Tag documentation for updates
-Allegra [MSFT]
-
Allow creation of NSG rules based on FQDN along with Ports
NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM
575 votesThis remains on our long-term backlog as something we want to offer
For now we recommend trying Azure Firewall as the prefered solution to control outbound to Internet
-Mario [MSFT]
-
Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location
Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).
This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.
466 votesThanks for the feedback, we are working on enabling ASG references across subscriptions/VNets, it’s currently on our plans
-
Add Custom Tags to NSG Rules
It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-adresses/subnets as a seperate item in every NSG. When these ip-adresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-adresses/subnets as 'Custom Tags' in our NSG's rules we don't have to check and change every NSG rule with every ip-address change.
427 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Allow network security groups to be created and renamed
Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?
My use case: I created an instance and and 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.
357 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
storage account firewall - Add inbound service tags for storage account.
At the moment, storage account firewall can only be configured to "Allow Trusted MS Services" and the whitelisting of IPs/IP ranges.
Our Power BI service needs to be able to access our storage account with storage account firewall enabled.
Currently we have to manually whitelist data center IP ranges in order for this to work.
Please add the ability to add inbound service tags for storage account firewall like you can with NSGs and add Power BI and other MS services to the "Allow Trusted MS Services".
Thank you.
235 votesvalid suggestion subject to upvote
-
Ability to create source/destination objects containing multiple IP addresses/ranges
When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.
174 votesCustom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs is a roadmap item for now.
-
multiple network security groups per NIC
Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)
162 votes -
Network Security Group
+Feature Request Discussion - There is a continued need for more intelligent NSG's going forward this is not only to provide a more dynamic, distributable scalable network but to replace more traditional models for DMZ designs. Focusing on distributed designs that do not rely on Virtual Appliances.
There following features I believe would put Azure ahead of other cloud providers. These could be canned as a premium offering charged per NSG on any number of measures even number of requests etc..
- DNS Based Rules
- NSG NameSpaces for MS Public Services especially Azure PaaS Servers by Service
- Custom NSG NameSpaces or…
146 votes -
Add NSG Service Tag for "Office365"
It would be convenient for O365 users who need to set NSG rules that deny all internet access due to their compliance. Without the Service Tag for Office365, we have to deploy Azure Firewall to control the traffic of Office365.
125 votes -
NPS Extension for Azure MFA (IP Whitelist)
Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?
119 votes -
Network Security Rules by MAC address also.
Network Security Rules by MAC address also. Right now the portal only allows filtering via IP address or CIDR block. I would like to allow remote laptops to access but their WAN IP keeps changing.
107 votesHi JMartinez
Thanks for the feedback, we’ll consider this feature for future improvements
-
Copy NSG
I want to copy new NSG from the existing NSG's similar policy.
I don't want to keep making the same or similar to the NSG policy.
The NSG copy function is required.107 votesHi Kimsejum
Thank you for sharing your idea, we’ll take this into consideration for future improvements
-
Allow NSG for VPN Gateway Subnet
We want to connect several devices with our Azure VNET via the VPN Gateway. Therefore the VPN Gateway is configured for P2S connections.
We want to restrict the devices so that they can only communicate with certain other devices.
To implement this functionality we need to assign the VPN Gateway subnet a NSG. Furthermore this NSG should be dynamic, because the IPs provided by the VPN Gateway to its clients clould not be predetermined.
Currently NSGs are not supported for VPN Gateway subnets as well as there is no way to control IP allocation for connecting devices.
103 votes -
add a source tag for Office 365 IPs to NSG Rules
Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.
Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)
99 votesWe’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
We’ll be adding tags for additional Azure services over time. -
Show membership of Application Security Groups
Is there a way to view the membership of Application Security Groups? I would like to be able to easily view which servers are in an ASG. I don't see a way to do this and it seems like a very basic need. Am I missing something?
92 votesCorrection to last status update : this is actually something we’re working on now – stay tuned for more news!
-Allegra [MSFT]
-
Support enabling and disabling NSG rules
Support enabling and disabling NSG rules
It would be nice if we could disable rules instead of having to delete them like other firewall products support :)
88 votesThanks for your feedback
We’ll review this feature to include it on our roadmap.
-
create predefined NSG for Azure Datacenters IP Range
Let's say I have a VM that I want to restrict access from the outside. I want this VM to be accessible from my onprem IPs and from Azure IPs (since a part of my infrastructure is on azure). Since at the moment of discussion ARM VMs do not support static IP address, it will be very useful to create a NSG for allowing traffic only from azure IP ranges. Right now you cannot create such NSG because a NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…
88 votesThanks for the feedback, service tag is called AzureCloud and it’s already available in all regions
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
-
Rename NSG policy
Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again
80 votesThanks for your feedback, this feature is under review for future improvements
-
Service tags based on country/ region assigned IP to implement Geoblocking At NSG LEVEL
Service Tags for specific country/region wise(ex: middle east, India, south east asia) that would contain the whole IP range for the selected country/region. This will help in geoblocking and reduce the rate of ddos attacks.
The Azure/Microsoft can keep updating the list periodically.
This will help in implementing geo-blocking at VM/Server level as currently NSG source address prefix has limitation of 4000 ip address/cidr (country like India/Uae have more than 10000 cidr)
77 votes
- Don't see your idea?