Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Add NSG Service Tag "Subnet"

      To make NSGs much more generic, and reusable for multiple subnets, it would be great if you added a Service Tag "Subnet" or "VirtualNetworkSubnet".
      Like the Service Tag "VirtualNetwork" which you already have, it should provide a dynamic way of assigning NSGs to a given subnet without having to specify its address, like "10.0.3.0/26".

      With this, I could create a common NSG I can assign across all subnets, which would make maintenance and initial creation easy and less time consuming.

      16 votes
      1 comment  ·  Network Security Groups
    2. Azure application security groups

      Please allow adding any resource to application security groups, not only virtual machines. Maybe this is possible, but the documentation only references VMs.
      Maybe allow adding AD registered apps, managed identities.
      Maybe allow adding resource groups to an ASG that covers all resources in that RG. This will allow all resources in an RG to access resources in another RG.
      Basically it should be easy to add resources to groups as you would users in AD.

      4 votes
      0 comments  ·  Network Security Groups
    3. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names, and the IP addresses of these apparently change often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.

      328 votes
      21 comments  ·  Network Security Groups
    4. Add additional IP Protocols for NSG Rules

      Add the ability to add additional IP Protocols (i.e. ICMP, EIGRP, so forth) to an NSG rule. The only option today is TCP, UDP, or "*". Currently to allow ICMP you have to allow any protocol "*" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.

      43 votes
      4 comments  ·  Network Security Groups
    5. Why does the "default route" setting on a UDR disable the licensing rule for the NSG?

      Usually, if I use a Windows VM, traffic to the KMS server is allowed by a platform rule for the NSG by default.
      However, this platform rule is disabled if I set a default route (0.0.0.0/0) in the UDR.

      Security groups
      https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations

      Why does the UDR disable this platform rule on the NSG?

      For example, when I use Azure Firewall, it requires setting a default route on the UDR to transfer all traffic to Azure Firewall.
      In this case, I need to add an NSG rule to allow the KMS server (23.102.135.246).

      Why is this behavior needed?

      6 votes
      0 comments  ·  Network Security Groups
    6. NSG/ASG management and monitoring

      Add capability to modify and monitor NSGs and ASGs.

      48 votes
      triaged  ·  4 comments  ·  Network Security Groups
    7. Add other network security group as source while creating rule for NSG

      In AWS there is a feature where, while creating a security group, you can give another security group as a source so that it will allow traffic from the source security group.
      I am looking for the same feature in Azure. In Azure we have only 3 options for the source: the 1st is IP or CIDR based, the 2nd is based on Azure service tags, and the 3rd is application security groups.

      Let’s take an example: if I created security group A and after that am creating security group B, I need an option to select security group A as a source so that my all traffic…

      8 votes
      1 comment  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

    8. Microsoft Block Port 25 for VM?

      I'm trying Azure and port 25 is blocked.

      AWS does not have that restriction.

      1 vote
      1 comment  ·  Network Security Groups
    9. Have the ability to use more than one ASG in an NSG rule (separated with "," for example)

      Let's say that I have 2 apps that I want to be able to access any endpoint.

      APP A containing these servers: 10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      My NSG rule will use: 10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      If I'm moving to work with ASGs, I want the ability to add both app A and app B together in the same NSG rule.

      Will it be supported?

      10 votes
      1 comment  ·  Network Security Groups
    10. Ability to use Azure tags as source and/or destination in the Azure firewall

      Some NVA vendors are providing this ability already and it is very useful.

      9 votes
      2 comments  ·  Network Security Groups
    11. Access restrictions to Azure service

      In Web App, add an option to allow services like Azure Front Door and deny any other IPs.

      3 votes
      0 comments  ·  Network Security Groups
    12. Make your Web Application Firewall set up intuitive and smooth

      I've been working with WAF for ILB ISE for about a year now. But when it comes to adding a new app service, for example, the process is just a bag of frustration and misery. Multiple settings for listeners, backend pools, http settings, multiple hosts, certificates... jesus! what a mess!!!

      Please re-think the UI at least, create some "wizards". MAKE IT EASY!
      I have to call for support every second time I add a new backend or app!

      0 votes
      0 comments  ·  Network Security Groups
    13. NSG Flow log segregation for application gateway.

      Currently, NSG flow logs are segregated by MAC address. This is an issue when trying to track access to Application Gateway using NSG Flow logs.

      Although access logging for Application Gateway is a feature that can be used for this, we would still like to know what the NSG is blocking/allowing to our application gateway as well.

      Currently, MAC addresses for Application gateway cannot be obtained, so it is difficult to track down the correct NSG flow log when you have several application gateways behind an NSG.

      Please change the NSG flow logging to segregate the application gateway traffic in…

      3 votes
      0 comments  ·  Network Security Groups
    14. Geographic filter for web server

      Azure cannot use a geographic filter for HTTP or HTTPS.
      If we could use that feature, we could restrict user access by country or location.

      I hope we can use a geographic filter with WAF or NSG.

      31 votes
      2 comments  ·  Network Security Groups
    15. Allow FQDN rules in Windows Firewall for other than http or https

      See support ticket 119022221000848.

      Problem description from support ticket:

      We have an internal DNS server on prem that should be accessible from our azure environment. That IP address is 10.0.0.10.

      I want to make a rule that allows tcp:139, tcp:445, udp:137, and udp:138 from all sources in our Azure environment to a server on prem. The IP address of the destination is 10.0.12.118 and the machine name is cl-sav1.domain.removed. I'd like to use the machine name instead of hard coding the IP address. Is this possible?

      1 vote
      0 comments  ·  Network Security Groups
    16. Route outbound traffic of a VM attached to a Public IP through Azure firewall

      How do I route outbound traffic of a VM attached to a Public IP through Azure firewall?

      1 vote
      0 comments  ·  Network Security Groups
    17. Automated Method to apply NSGs to Subnets

      An automated way in which new subnets are bound with an NSG as they are created.

      Also a central way to apply NSGs in bulk to subnets/Network Interfaces.

      1 vote
      0 comments  ·  Network Security Groups
    18. Allow KMS traffic in Azure Firewall

      Azure Firewall currently blocks traffic to Azure KMS servers by default; this should be included in the built-in to not disrupt license validation.

      12 votes
      under review  ·  1 comment  ·  Network Security Groups
    19. Allow NSG for VPN Gateway Subnet

      We want to connect several devices with our Azure VNET via the VPN Gateway. Therefore the VPN Gateway is configured for P2S connections.

      We want to restrict the devices so that they can only communicate with certain other devices.

      To implement this functionality we need to assign the VPN Gateway subnet an NSG. Furthermore, this NSG should be dynamic, because the IPs provided by the VPN Gateway to its clients could not be predetermined.

      Currently NSGs are not supported for VPN Gateway subnets, and there is no way to control IP allocation for connecting devices.

      66 votes
      triaged  ·  2 comments  ·  Network Security Groups
    20. We NEED URL support in NSG

      We need NSG to support URLs, as many vendors use global based load balancers. We need URLs in NSG to avoid having to keep adding new IPs in the NSG.

      1 vote
      1 comment  ·  Network Security Groups