Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. add a source tag for Azure Datacenter IPs to NSG Rules

      At the following link, we are able to get the list of the Azure datacenter / endpoint IPs that are actually used.

      https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=41653

      Please add a source tag like INTERNET or VIRTUALNETWORK to use Azure IP addresses in NSG rules.

      545 votes
      • Ability to create source/destination objects containing multiple IP addresses/ranges

        When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

        129 votes
        • Allow network security groups to be created and renamed

          Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?

          My use case: I created an instance and an 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.

          94 votes
          • create predefined NSG for Azure Datacenters IP Range

            Let's say I have a VM that I want to restrict access to from the outside. I want this VM to be accessible from my on-prem IPs and from Azure IPs (since a part of my infrastructure is on Azure). Since at the moment of discussion ARM VMs do not support static IP addresses, it will be very useful to create an NSG for allowing traffic only from Azure IP ranges. Right now you cannot create such an NSG because an NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…

            71 votes
            • Add a Network Security Group tag for Azure Service

              Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windows.net is blocked, causing all sorts of issues. The only workaround now is to create rules to allow MS datacenter public IPs, and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.

              66 votes
              • Setting NSG immediately

                When an NSG is set from PowerShell or the portal, the operation completes successfully almost at once, but it takes a few minutes before the NSG setting takes effect.
                Please make NSG settings take effect immediately.

                62 votes
                • Provide operation logs for Network Security Rules

                  Hi,
                  I have spent a large amount of time troubleshooting network security rules (added to a group and attached to a subnet). While they appear rather simple at first, the complexity comes when the source and destination IP is either DIP, PIP, VIP or RIP depending on the connection and the ports are dynamic or randomly allocated. Add to this the fun of trying to work out a load-balanced incoming IP, and I dream of the day I can open the log and resolve my issue.

                  58 votes
                  • Add Custom Tags to NSG Rules

                    It would be great if we could define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise IP addresses/subnets as a separate item in every NSG. When these IP addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' IP addresses/subnets as 'Custom Tags' in our NSG rules, we wouldn't have to check and change every NSG rule with every IP address change.

                    55 votes
                    • Enable the application of Network Security Group rules to groups of IPs

                      Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.

                      47 votes
                      • add tags for NSG on a portal with datacenters ranges

                        We have ranges of IPs for each datacenter.

                        Instead of current tags (internet, azureloadbalance) we could add AzureWestUS, AzureNorthEurope
                        https://www.microsoft.com/en-us/download/details.aspx?id=41653

                        47 votes
                        • Allow specification of multiple ports in a single NSG rule

                          Allow a comma-separated list of port numbers to allow a single rule to provide (for example) access to a domain controller (which would normally require the following ports opened: 53, 88, 135, 139, 389, 445, 464, 636, 1025, 3268-3269, 5722, 9389, 49152-65535).
                          This seems to be basic functionality for firewall applications, but the absence of this ability within NSG rules means that the 200 soft limit (400 hard limit) is reached extremely quickly in a corporate environment.

                          40 votes
                          • Copy NSG

                            I want to create a new NSG by copying an existing NSG with a similar policy.
                            I don't want to keep recreating the same or a similar NSG policy.
                            An NSG copy function is required.

                            31 votes
                            • Network and Service object group support for NSG

                              Network and Service object group support is missing in Network Security Group (NSG). This makes NSG more difficult to manage and control. Please consider this to make NSG more efficient.

                              30 votes
                              • Dealing with NSG in Azure portal

                                It will be great to have the ability to deal with Network Security Groups in Azure portal. Currently the ability is there only using PS scripts.

                                The real value add is when you have RBAC for NSG and enable it in the portal: a lot of project teams can decide and choose the relevant NSG groups to apply, based on RBAC, if they can or not.

                                28 votes
                                • Please raise the Endpoint ACL Limitation

                                  Please raise the maximum number of Endpoint ACL limitation so we can set over 50 rules.
                                  As you know, we can set 400 rules in NSG.

                                  - Japanese (translated)
                                  We would like to be able to set the maximum number of endpoint ACLs to 50 or more.

                                  19 votes

                                    Unfortunately, we will not be able to support a higher number of rules on endpoint ACLs. NSGs could be used in place of endpoint ACLs for easier management of ACLs as well as higher scalability. Would NSGs work for your scenario?

                                  • multiple network security groups per NIC

                                    Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role" (DC, SQL, etc.).

                                    18 votes
                                    • When Network Security Group applied for Subnet or changes writes this Azure Log.

                                      We need records in the log when someone applies or removes an NSG for a subnet. Also it would be great to log changes to NSR rules.

                                      16 votes
                                      • Be able to manage Role/Action at subnet level inside a vnet

                                        In the ARM and RBAC model: possibility to have the subnet as an independent resource, to be able to say using RBAC: "I want my user1 to be able to deploy VMs to subnets 1 and 2 but not 3, because subnet 3 is an infrastructure subnet unauthorized to users."

                                        16 votes
                                        • Add a "comment" property to Network Security Group rules

                                          It's possible to tag a whole group, but not an individual inbound or outbound rule. I often find myself adding a bunch of IPs to a NSG, and it would be really great to see this in the console. If it's a property, it could be managed via the ARM templates too

                                          14 votes
                                          • Allow creation of NSG rules based on FQDN along with Ports

                                            NSG gives the option to configure NSG rules with IP address and ports. In the same way, we need an option to configure inbound/outbound NSG rules based on the FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Key Vault, Azure File Storage Services, Azure Websites, etc., because all these Azure services require their endpoints (FQDN) to be reachable from inside the VM.

                                            13 votes