Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. allow KMS traffic in Azure Firewall

      Azure Firewall currently block by default traffic to Azure KMS servers, this should be included in the built-in to not disrupt license validation.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. Add NSG Service Tag "Subnet"

      To make NSGs much more generic, and reusable for multiple subnets, it would be great if you added a Service Tag "Subnet" or "VirtualNetworkSubnet".
      Like the Service Tag "VirtualNetwork" which you already have, it should provide a dynamic way of assigning NSGs to a given subnet without having to specify it's address, like "10.0.3.0/26".

      With this, I could create a common NSG I can assign across all subnets, which would make maintenance and initial creation easy and less time consuming.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. Make ASG independant of a VNET like NSG

      While it's possible to attach a NSG to multiple subnet or even different subnet in different VNET, it should be the same for ASG.
      Currently I can add machines only in the same VNET once a single machine had been added to the ASG.

      My usage : I've got different services I deploy in different vnet but identical usage just different environments. Then I have some shared resource such as nsg that are applied to these different instances and I wanted to add the different machines with same role to a single ASG instead of create one ASG/role/environment and just…

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    4. have the ability to use more than one asg in an nsg rule (separated with , for example)

      let's say that i have 2 apps that i want to be able to access any endpoint.

      APP A containing these servers:10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.

      will it be supported?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. Transparent interception for security appliances

      Allowing a method of transparent interception for network/security appliances to allow them to operate, but still be able to take advantage of configuring new applications completely via ARM.

      e.g. new app has external load balancer, 3 tier of VMs etc. But we could slot an IPS in between Ext Load Balancer and Web tier, or outside ELB etc.. Without having to also configure a Layer 3 policy & NAT on security appliance.

      Ideally have options of both inline, and "SPAN" mode. and be able to attach to Load Balancers, NICs, and where there are tags, eg 'Internet' routes.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Peter, Thanks for the suggestion, Looks like you are looking for a way to be able to get ERSPAN or port mirroring functionality that can be transparently switched on any VM , and if you slot in a IPS/advanced inline processing functionality of your choice that acts a collector to obtain and do what it needs to do, that would do the job, is that right?

    6. Ability to use Azure tags as source and/or destination in the Azure firewall

      Some NVA vendors are providing this ability already and it is very useful.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    7. Add other network security group as source while creating rule for nsg

      Like in aws we have feature while creating security group you can give other security group as a source so that it will allow traffic from source security group.
      I am looking for same feature in azure...in Azure we have 3 option for only for source ..1st one is IP or CIDR based..2nd is based on azure service tag..3rd is application security group.

      Let’s take an example if I created one security group A and after that doing creation for security group B so I need option to select security group A as a source so that my all traffic…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. Network Security Groups - Windows Server Roles and Features Rules

      Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles e.g. Active Directory Domain Services to add rules for SMB/LDAP/Kerberos to match the rules created/enable by adding a Feature in Server Manager in Windows Server OSs.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    9. Ability to group Network Security Groups

      Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple

      Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    10. Azure Service Bus Standard support for Firewall rules and VNET service endpoints

      Provide support for Firewall rules and VNET service endpoints in Azure service bus standard.
      Below both things are supported only in premium tier service bus
      https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-ip-filtering

      https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-service-endpoints?toc=%2fazure%2fvirtual-network%2ftoc.json

      The both features should also be available in Azure Service Bus Standard as well.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Validate Firewall Rules priority conflicts before starting deployment

      When creating a new VM and a new network with inbound firewall rules, if you add two rules with the same priority it will pass validation (see attached screenshot). It will however later fail the deployment with an obscure error message.

      Firewall rule priority conflict detection should happen instantly as you type in the rule textbox. That green checkmark should have been red and saying "there is already another rule with this priority"

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    12. Microsoft maintained UDR for MS services

      MS maintained UDR or firewall rule that enables traffic for MS services to allow outbound traffic from a host in a DMZ. Outbound traffic to all of 443 from a DMZ host to enable backups is a bad design - and using the MS provided IP List includes ALL services including other customers IAS servers - as an attacker all they would need to do to exfil data is to setup an azure host to send it to. It would be better enable outbound traffic for specific services such as backup and have MS maintain a list of that IPs…

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    13. Auto close/deny port after time

      Leaving RDP open is huge security risk, so I prefer it to set "deny" by default and only open before using RDP. Most likely I do have to remember to close RDP port after doing my work, but it would be nice if there is a timespan that will close the port after it was opened. So if I forgot, I wouldn't leave RDP port open, it would automatically close after given timeout.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. Why does "default route" setting on UDR make licensing rule for NSG disable?

      Usually, if I use Windows VM, traffic to KMS server is allowed by platform rule for NSG by default.
      However this platform rule is disabled if I set default route(0.0.0.0/0) in UDR.

      Security groups
      https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#azure-platform-considerations

      Why UDR make this platform rule on NSG disable?

      For example, when I use Azure Firewall, it requires to set default route setting on UDR to transfer all traffic to Azure Firewall.
      In this case, I need to add NSG rule to allow KMS server(23.102.135.246).

      Why is this behavior needed?

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    15. Support dynamic RPC endpoints for domain controller traffic in NSGs

      Please consider adding dynamic endpoint support in Network Security Group (NSG) to support Domain Controller traffic between subnets. Basically approve specific traffic types between subnets.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    16. Allow referencing an Azure resource by id in Network Security Groups

      NSG's should allow the use of Azure resource ID in addition to ip addresses for NSGs. For example, if I reference the ID of a webapp, then the rule will apply to the public IPs of that webapp. If I reference an azure VM, then the rule will apply to the ip address of that vm. And so on. It would make it so much more flexible to build up rules by using resource id's/names than today's very static and cumbersome implementation, especially for complex rules.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    17. Site Categorization for the new Azure Firewall

      Adding the ability to restrict outbound traffic based on Site Categorization would be great. This would give the ability to restrict outbound access to adult, gambling and other questionable sites.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    18. Add Application Security Groups from other Region to NSG

      Would like to be able to select Application Security Groups from Remote regions in an NSG.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add "Subscription" tag in the NSG rules

      Story:
      As a DevOps engineer
      I want to easily block network access within a subscription with a single NSG rule (for specific resources using a that rule)
      So that I don't have to manage multiple NSG rules.

      Background:
      We would like to ring-fence our subscriptions, so that one (e.g. Production) cannot "talk" to another one (e.g. Non-production).

      We can currently achieve it with multiple NSG rules, where we allow/block IP ranges or vnets.

      It would be much easier to manage this for our purpose if we could add a "subscription" tag in the NSG rules and effectively only allow traffic…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    20. 4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base