Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Allow network security to allow or deny other network security groups

      Amazon Web Services allows a security group to allow or deny other security groups (including itself). This allows you to easily group NICs (VMs) into the same "VLAN", or to allow one "server role" to access another "server role" (for example allow the WAP security group to access the ADFS security group)

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. allow KMS traffic in Azure Firewall

      Azure Firewall currently block by default traffic to Azure KMS servers, this should be included in the built-in to not disrupt license validation.

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. Add service tags for Azure PowerShell authentication and execution

      When we currently authenticate and execute Azure PowerShell on Azure VM, we have to permit the Internet access on Firewall (e.g. NSG). But most customers want to restrict the Internet access as much as possible. I think it is important for more control and improving network security on Azure VM to add service tags for Azure PowerShell authentication and execution.

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    4. Network Security Group Source Azure Services option

      My scenario include two Virtual Machines acting as Web Servers and a Traffic Manager in-place if the primary node fails I can switch to the other VM that is in a different datacenter. However they are accessible only by specific public IPs and to get Traffic Manager working, I had to create a rule in a different port for ANY.

      Wouldn't be easier to have an option on Source Azure Services, like there is in Azure SQL Server firewall?

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. 17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    6. ASG across vNets

      ASG are absolutely wonderful stuff.Would be good to have added features of ASG across subscriptions/Vnets and any possibility of specifying Hostnames

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    7. Allow the Front Door WAF to block/allow by the Socket IP, and not just the Client IP

      Currently, the option to block by IP on the Azure Front Door WAF only allows you to block by the RemoteAddr IP, which is the Client IP. We use a reverse proxy so need the ability to block by what is called the SocketIP in the Azure WAF Logs.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. Provide NSG Tags for PaaS Services

      Provide a way to TAG resoures in NSG - such as Azure Storage, Azure SQL and other PaaS Services or let user define his own custom tags.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    9. Add NSG Rule activity log alert alerts to portal

      Background: Currently, the only way to create a NSG rule activity log alert is through ARM templates. The documentation provided with the Unified Alerts public preview made it ambiguous that NSGs but NOT NSG rules were able to be created in the portal. Otherwise the new Unified Alerts is pretty awesome :)

      Proposed Action: 1) Create an option in the Alerts blade for NSG Rule alerts to be created. 2) Update documentation to be more explicit in differentiating NSGs/NSG rules in activity log alerts.

      14 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    10. Add ability to use a Network Security Group (NSG) as a rule source/target

      Currently NSG rules have the concept of the source or target being a Tag, and there are a couple predefined tags (Internet, VirtualNetwork, and AzureLoadBalancer). It would be nice if there was a similar feature where you could select the source or target being another network security group. Resources would be considered part of a NSG if they have their network interface associated with that NSG, they are in a subnet associated with that NSG, or they are in a VNET associated with that NSG. This essentially creates a subnet that has a dynamic address space.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. NSG Rule

      I have a suggestion for NSG rule configuration, when we have multiple source or destination IP and ports for same type of rule we need to configure rules for individual IP and port. Here the number of rule increases. If it is possible to have option to create ip/net group and port group, it will be easier to configure rules and maintain.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    12. Redesign default NSG rules to allow only VNET filtering

      When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that too much traffic will be allowed by default NSG rules on the hub and spoke vnets.
      (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

      The reason for this is the fact that the virtual network service tag "VirtualNetwork" will contain 0.0.0.0 as soon as we create a UDR 0.0.0.0 that points to the Azure Firewall.
      (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview)

      The default NSG rule 65000 "AllowVnetInBound" will by now accept source 0.0.0.0 to destination 0.0.0.0.
      The next rule (that we do need), 65001 "AllowAzureLoadBalancerInBound" will never be triggered,…

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    13. Ability to group Network Security Groups

      Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple

      Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. have the ability to use more than one asg in an nsg rule (separated with , for example)

      let's say that i have 2 apps that i want to be able to access any endpoint.

      APP A containing these servers:10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.

      will it be supported?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    15. Transparent interception for security appliances

      Allowing a method of transparent interception for network/security appliances to allow them to operate, but still be able to take advantage of configuring new applications completely via ARM.

      e.g. new app has external load balancer, 3 tier of VMs etc. But we could slot an IPS in between Ext Load Balancer and Web tier, or outside ELB etc.. Without having to also configure a Layer 3 policy & NAT on security appliance.

      Ideally have options of both inline, and "SPAN" mode. and be able to attach to Load Balancers, NICs, and where there are tags, eg 'Internet' routes.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Peter, Thanks for the suggestion, Looks like you are looking for a way to be able to get ERSPAN or port mirroring functionality that can be transparently switched on any VM , and if you slot in a IPS/advanced inline processing functionality of your choice that acts a collector to obtain and do what it needs to do, that would do the job, is that right?

    16. Add ability to use source type "IP group" in NSG rules

      A nice new Azure feature is the option to create an "IP group", and it would be nice. if we are able to use these "IP group(s)" in our NSG rules.

      https://docs.microsoft.com/en-us/azure/firewall/ip-groups

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    17. Ability to use Azure tags as source and/or destination in the Azure firewall

      Some NVA vendors are providing this ability already and it is very useful.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    18. Why does "default route" setting on UDR make licensing rule for NSG disable?

      Usually, if I use Windows VM, traffic to KMS server is allowed by platform rule for NSG by default.
      However this platform rule is disabled if I set default route(0.0.0.0/0) in UDR.

      Security groups
      https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations

      Why UDR make this platform rule on NSG disable?

      For example, when I use Azure Firewall, it requires to set default route setting on UDR to transfer all traffic to Azure Firewall.
      In this case, I need to add NSG rule to allow KMS server(23.102.135.246).

      Why is this behavior needed?

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add other network security group as source while creating rule for nsg

      Like in aws we have feature while creating security group you can give other security group as a source so that it will allow traffic from source security group.
      I am looking for same feature in azure...in Azure we have 3 option for only for source ..1st one is IP or CIDR based..2nd is based on azure service tag..3rd is application security group.

      Let’s take an example if I created one security group A and after that doing creation for security group B so I need option to select security group A as a source so that my all traffic…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    20. Network Security Groups - Windows Server Roles and Features Rules

      Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles e.g. Active Directory Domain Services to add rules for SMB/LDAP/Kerberos to match the rules created/enable by adding a Feature in Server Manager in Windows Server OSs.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base