Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Access restrictions to Azure service

      In Web App, add an option to allow services like Azure Front Door and deny any other IPs.

      3 votes
      0 comments  ·  Network Security Groups
    2. Make your Web Application Firewall set up intuitive and smooth

      I've been working with WAF for ILB ISE for about a year now. But when it comes to adding a new app service, for example, the process is just a bag of frustration and misery. Multiple settings for listeners, backend pools, http settings, multiple hosts, certificates... jesus! what a mess!!!

      Please re-think the UI at least, create some "wizards". MAKE IT EASY!
      I have to call for support every second time I add a new backend or app!

      0 votes
      0 comments  ·  Network Security Groups
    3. Geographic filter for web server

      Azure cannot use a geographic filter for HTTP or HTTPS.
      If we can use that feature, we can restrict user access by country or location.

      I hope we can use a geographic filter with WAF or NSG.

      37 votes
      2 comments  ·  Network Security Groups
    4. NSG Flow log segregation for application gateway.

      Currently, NSG flow logs are segregated by MAC address. This is an issue when trying to track access to Application Gateway using NSG Flow logs.

      Although access logging for Application Gateway is a feature that can be used for this, we would still like to know what the NSG is blocking/allowing to our application gateway as well.

      Currently, MAC addresses for Application gateway cannot be obtained, so it is difficult to track down the correct NSG flow log when you have several application gateways behind an NSG.

      Please change the NSG flow logging to segregate the application gateway traffic in…

      3 votes
      0 comments  ·  Network Security Groups
    5. Allow KMS traffic in Azure Firewall

      Azure Firewall currently blocks traffic to Azure KMS servers by default; this should be included in the built-in to not disrupt license validation.

      18 votes
      under review  ·  1 comment  ·  Network Security Groups
    6. Replicate NSG to new region when using Azure Site Recovery

      This is a really needed feature!
      The benefit of having this is when setting up Azure Site Recovery, which replicates VNET and VMs to a different region, BUT there is no way to replicate NSGs! Manual work to replicate all security rules from one NSG in the source region to another NSG in the target region can take hours if there are 200+ security rules!

      Please implement this.
      Thanks

      41 votes
      under review  ·  0 comments  ·  Network Security Groups
    7. Route outbound traffic of a VM attached to a Public IP through Azure firewall

      How do I route outbound traffic of a VM attached to a Public IP through Azure firewall?

      1 vote
      0 comments  ·  Network Security Groups
    8. Automated Method to apply NSGs to Subnets

      An automated way in which new subnets are bound with an NSG as they are created.

      Also a central way to apply NSGs en masse to subnets/Network Interfaces.

      1 vote
      0 comments  ·  Network Security Groups
    9. Allow NSG for VPN Gateway Subnet

      We want to connect several devices with our Azure VNET via the VPN Gateway. Therefore the VPN Gateway is configured for P2S connections.

      We want to restrict the devices so that they can only communicate with certain other devices.

      To implement this functionality we need to assign the VPN Gateway subnet an NSG. Furthermore, this NSG should be dynamic, because the IPs provided by the VPN Gateway to its clients could not be predetermined.

      Currently NSGs are not supported for VPN Gateway subnets, and there is no way to control IP allocation for connecting devices.

      82 votes
      triaged  ·  0 comments  ·  Network Security Groups
    10. Add NSG Rule activity log alerts to portal

      Background: Currently, the only way to create an NSG rule activity log alert is through ARM templates. The documentation provided with the Unified Alerts public preview made it ambiguous that NSGs but NOT NSG rules were able to be created in the portal. Otherwise the new Unified Alerts is pretty awesome :)

      Proposed Action: 1) Create an option in the Alerts blade for NSG Rule alerts to be created. 2) Update documentation to be more explicit in differentiating NSGs/NSG rules in activity log alerts.

      14 votes
      0 comments  ·  Network Security Groups
    11. We NEED URL support in NSG

      We need NSG to support URLs, as many vendors use global load balancers. We need URLs in NSG to avoid having to keep adding new IPs to the NSG.

      1 vote
      1 comment  ·  Network Security Groups
    12. Add service tags for Azure PowerShell authentication and execution

      When we currently authenticate and execute Azure PowerShell on Azure VM, we have to permit the Internet access on Firewall (e.g. NSG). But most customers want to restrict the Internet access as much as possible. I think it is important for more control and improving network security on Azure VM to add service tags for Azure PowerShell authentication and execution.

      17 votes
      0 comments  ·  Network Security Groups
    13. Enable dynamic ASG membership application

      Develop a method of dynamically applying ASG memberships to machines. This could be achieved through tags. If a VM has a tag of DMZ or WWW or some other label, automatically apply the ASG that has the corresponding membership definition. This would allow easy editing of ASG memberships in an automated fashion.

      1 vote
      0 comments  ·  Network Security Groups
    14. Add Application Security Groups from other Region to NSG

      Would like to be able to select Application Security Groups from Remote regions in an NSG.

      4 votes
      1 comment  ·  Network Security Groups
    15. NPS Extension for Azure MFA (IP Whitelist)

      Can you also add a feature that allows us to add a subnet range instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?

      88 votes
      under review  ·  9 comments  ·  Network Security Groups
    16. Add DNS names to NSG source/destination options like we currently can with IP addresses and tags

      Enable NSGs to use DNS names instead of only IP addresses, tags and Any. A lot of services have very dynamic IP addresses. Using DNS names would help a lot.

      35 votes
      4 comments  ·  Network Security Groups
    17. Add a source tag for Office 365 IPs to NSG Rules

      Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

      Currently it is a nightmare to add all addresses for Exchange Online. We need an NSG policy for each address range :)

      https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

      77 votes
      4 comments  ·  Network Security Groups

      We’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
      We’ll be adding tags for additional Azure services over time.

    18. Support for IKEv2 VPN clients to connect to an Azure based RRAS server (Allow ESP traffic through NSG)

      Currently, Network Security Groups only support rules for TCP and UDP traffic. This request is for the addition of rules for ESP traffic which is required for IKEv2 clients to connect to an RRAS server running on Azure.
      We use ExpressRoute, so Point-to-Site is not an option as they cannot coexist. We currently use SSTP for our clients to connect but lack the resiliency that comes with an IKEv2 connection.

      Alternatively, support for ExpressRoute/Point-to-Site coexistence would also satisfy our requirement and eliminate the need to maintain an RRAS server in Azure.

      34 votes
      2 comments  ·  Network Security Groups
    19. Allow creation of NSG rules based on FQDN along with Ports

      NSG gives the option to configure NSG rules with IP address and ports. Similarly, we need the option to configure inbound/outbound NSG rules based on the FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Key Vault, Azure File Storage Services, Azure Websites, etc., because all these Azure services require their endpoints (FQDN) to be reachable from inside the VM.

      484 votes
      10 comments  ·  Network Security Groups
    20. Add Custom Tags to NSG Rules

      It would be great if we could define our own on-premises network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premises IP addresses/subnets as a separate item in every NSG. When these IP addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' IP addresses/subnets as 'Custom Tags' in our NSG rules, we wouldn't have to check and change every NSG rule with every IP address change.

      381 votes
      18 comments  ·  Network Security Groups