It would be great if NSGs would support wildcard masks to deny/permit traffic in a more granular way, the way most network vendors do it.
This would make it much easier to permit and deny traffic based on a subnet scheme.
1 vote
Thank you for your suggestion. We are reviewing it and will get back to you.
I'm trying Azure and port 25 is blocked.
AWS does not have that restriction.
1 vote
Add traffic logging for peering services to identify source, destination and application consuming bandwidth, similar to NSG diagnostics.
1 vote
An automated way in which new subnets are bound with an NSG as they are created.
Also a central way to apply NSGs en masse to subnets/network interfaces.
1 vote
Microsoft Azure should have predefined access rules for every region.
For example, if someone wants to block traffic for every region except one, they should choose to allow the specific one and add a block rule for every other region.
That would be good for DDoS attacks.
1 vote
Thanks for the feedback
We are reviewing different approaches to simplify the experience and make our default model easier to implement.
See support ticket 119022221000848.
Problem description from support ticket:
We have an internal DNS server on prem that should be accessible from our azure environment. That IP address is 10.0.0.10.
I want to make a rule that allows tcp:139, tcp:445, udp:137, and udp:138 from all sources in our Azure environment to a server on prem. The IP address of the destination is 10.0.12.118 and the machine name is cl-sav1.domain.removed. I'd like to use the machine name instead of hard coding the IP address. Is this possible?
1 vote
Very often Application Servers are Load Balanced and there is currently no way to put the virtual IP address into the application security group.
1 vote
We cannot use flow logs in the classic portal.
I hope we will be able to use this feature in classic too.
1 vote
We need NSGs to support URLs, as many vendors use global load balancers. We need URLs in NSGs to avoid having to keep adding new IPs to the NSG.
1 vote
Allow port 25 for testing mail/Exchange/Office 365 hybrid in Azure for developers / MSDN subscriptions through Microsoft partners. I understand the reasons why this was locked down; however, Microsoft partners should be trusted not to be spamming from their accounts.
1 vote
Portal allowing an NSG to be associated with a gateway subnet.
1 vote
Thanks for your share, we’ll investigate and fix the issue.
It would be nice to have a way to describe the reason for a given NSG rule.
This would greatly simplify, for instance, bookkeeping for PCI DSS 3.1 item 1.1.6 which demands a business notification for each NSG rule.
The Name field allows 80 chars, but typing a description there is just not the right thing, especially when you need to refer to a given rule while using CLI tools. Huge plus if it appears as a column while listing rules.
1 vote
Develop a method of dynamically applying ASG memberships to machines. This could be achieved through tags. If a VM has a tag of DMZ or WWW or some other label, automatically apply the ASG that has the corresponding membership definition. This would allow easy editing of ASG memberships in an automated fashion.
1 vote
Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]
1 vote
Thanks, Craig, for the feedback. We are evaluating options to implement this capability on NSG; multiple roles with write permissions on the same resource is an interesting requirement we are looking to implement.
Add Standard set of Network Security Group Rules for Inbound and outbound traffic when creating new rules.
I would like to see a standard set of NSG rules for each new subscription that gets created, for securing the environment. For example SQL, SCCM, DMZ, app servers (web servers), RDP etc., where we have the ability to change the names according to our naming conventions and populate or have options to choose subnets or a single VM.
1 vote
Thanks for the feedback
We are evaluating how to implement this template based NSG for customers.
I've been working with WAF for ILB ISE for about a year now. But when it comes to adding a new app service, for example, the process is just a bag of frustration and misery. Multiple settings for listeners, backend pools, http settings, multiple hosts, certificates... jesus! what a mess!!!
Please re-think the UI at least, create some "wizards". MAKE IT EASY!
I have to call for support every second time I add a new backend or app!
0 votes