Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Show membership of Application Security Groups

      Is there a way to view the membership of Application Security Groups? I would like to be able to easily view which servers are in an ASG. I don't see a way to do this and it seems like a very basic need. Am I missing something?

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. Could we add service tag about specific country like Singapore for Network Security Group?

      Could we add service tag about specific country like Singapore for Network Security Group?

      We have some service tag for NSG like internet/ Virtual network.
      Since we have some feedback that customer need allow/block traffic from specific country for security reason.

      Please advise.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. Can we add GEO service tag in NSG?

      Some customer need this feature since they wanted to quickly whitelist/blacklist request from given geographic region. Please consider to add this feature in future.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    4. Add NSG Service Tag "Subnet"

      To make NSGs much more generic, and reusable for multiple subnets, it would be great if you added a Service Tag "Subnet" or "VirtualNetworkSubnet".
      Like the Service Tag "VirtualNetwork" which you already have, it should provide a dynamic way of assigning NSGs to a given subnet without having to specify it's address, like "10.0.3.0/26".

      With this, I could create a common NSG I can assign across all subnets, which would make maintenance and initial creation easy and less time consuming.

      34 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow Application Security Groups to Include load balanced IP

      Very often Application Servers are Load Balanced and there is currently no way to put the virtual IP address into the application security group.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    6. 1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    7. Allow Custom Network Security Group rules based on custom tags

      One of the biggest issue I have with Azure’s interpretation of Security Groups is the inability to apply custom tags to the ruleset. I should be able to filter traffic based on tags I generated for my resources. A good example would be creating a tag on an Azure IaaS VM called “app-x-webserver” and then tagging my Azure SQL Db with “app-x-sqldb”.

      While I know that you can use an Application Security Group for the IaaS part, it’s not supported on PaaS. It also is limited to a specific vNET inside of a single Region. This severely limits the usefulness…

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Harmonize the offer types

      It would be nice to have a way to describe the reason for a given NSG rule.
      https://www.ckitchen.com/
      This would greatly simplify, for instance, bookkeeping for PCI DSS 3.1 item 1.1.6 which demands a business notification for each NSG rule.

      Name field allows 80 chars but type description there is just not the right thing. Specially when you need to refer to a given rule while using CLI tools. Huge plus if it appears as a column while listing rules.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    9. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

      555 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      29 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    10. Why does "default route" setting on UDR make licensing rule for NSG disable?

      Usually, if I use Windows VM, traffic to KMS server is allowed by platform rule for NSG by default.
      However this platform rule is disabled if I set default route(0.0.0.0/0) in UDR.

      Security groups
      https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations

      Why UDR make this platform rule on NSG disable?

      For example, when I use Azure Firewall, it requires to set default route setting on UDR to transfer all traffic to Azure Firewall.
      In this case, I need to add NSG rule to allow KMS server(23.102.135.246).

      Why is this behavior needed?

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Azure Service Bus and Azure Relay with firewall configuration like Azure Storage to restrict access to VNET and/or IP Ranges

      Azure Service Bus and Azure Relay should provide a mechanism to restrict access to specified IP Ranges (CIDR Blocks) and Specified VNET's just like Azure Storage. This would allow for better security in the event that the SASToken is ever compromised.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    12. azure application security groups

      Please allow to add any resource to application security groups not only virtual machines. Maybe this is possible, but documentation only references vms.
      Maybe allow to add AD registered apps, managed identities.
      Maybe allow to add resource groups to ASG that covers all resources in that rg. This wil allow all resources in a rg to access resources in another rg.
      Basically it should be easy to add resources to groups as you would users in AD.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    13. Allow FQDN rules in Windows Firewall for other that http or https

      See support ticket 119022221000848.

      Problem description from support ticket:

      We have an internal DNS server on prem that should be accessible from our azure environment. That IP address is 10.0.0.10.

      I want to make a rule that allows tcp:139, tcp:445, udp:137, and udp:138 from all sources in our Azure environment to a server on prem. The IP address of the destination is 10.0.12.118 and the machine name is cl-sav1.domain.removed. I'd like to use the machine name instead of hard coding the IP address. Is this possible?

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. Add additional IP Protocols ls for NSG Rules

      Add the ability to add additional IP Protocols (i.e. ICMP, EIGRP, so forth) to an NSG rule. The only option today is TCP, UDP, or "". Currently to allow ICMP you have to allow any protocol "" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.

      49 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    15. Make ASG independant of a VNET like NSG

      While it's possible to attach a NSG to multiple subnet or even different subnet in different VNET, it should be the same for ASG.
      Currently I can add machines only in the same VNET once a single machine had been added to the ASG.

      My usage : I've got different services I deploy in different vnet but identical usage just different environments. Then I have some shared resource such as nsg that are applied to these different instances and I wanted to add the different machines with same role to a single ASG instead of create one ASG/role/environment and just…

      30 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    16. NSG/ASG management and monitoring

      add capability to modify and monitor NSGs and ASGs.

      58 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    17. have the ability to use more than one asg in an nsg rule (separated with , for example)

      let's say that i have 2 apps that i want to be able to access any endpoint.

      APP A containing these servers:10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.

      will it be supported?

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    18. Add other network security group as source while creating rule for nsg

      Like in aws we have feature while creating security group you can give other security group as a source so that it will allow traffic from source security group.
      I am looking for same feature in azure...in Azure we have 3 option for only for source ..1st one is IP or CIDR based..2nd is based on azure service tag..3rd is application security group.

      Let’s take an example if I created one security group A and after that doing creation for security group B so I need option to select security group A as a source so that my all traffic…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    19. Microsoft Block Port 25 for VM?

      Im trying Azure and port 25 is blocked.

      AWS not have that restrition

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    20. Ability to use Azure tags as source and/or destination in the Azure firewall

      Some NVA vendors are providing this ability already and it is very useful.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base