Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Add DNS names to NSG source/ destination options like we currently can with IP addresses and tags

      Enable NSGs to use DNS names instead of only IP addresses, Tags and any. A lot of services have very dynamic IP adresses. Using DNS names would help a lot.

      3 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
      • Auto close/deny port after time

        Leaving RDP open is huge security risk, so I prefer it to set "deny" by default and only open before using RDP. Most likely I do have to remember to close RDP port after doing my work, but it would be nice if there is a timespan that will close the port after it was opened. So if I forgot, I wouldn't leave RDP port open, it would automatically close after given timeout.

        3 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
        • Validate Firewall Rules priority conflicts before starting deployment

          When creating a new VM and a new network with inbound firewall rules, if you add two rules with the same priority it will pass validation (see attached screenshot). It will however later fail the deployment with an obscure error message.

          Firewall rule priority conflict detection should happen instantly as you type in the rule textbox. That green checkmark should have been red and saying "there is already another rule with this priority"

          3 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
          • Add "Subscription" tag in the NSG rules

            Story:
            As a DevOps engineer
            I want to easily block network access within a subscription with a single NSG rule (for specific resources using a that rule)
            So that I don't have to manage multiple NSG rules.

            Background:
            We would like to ring-fence our subscriptions, so that one (e.g. Production) cannot "talk" to another one (e.g. Non-production).

            We can currently achieve it with multiple NSG rules, where we allow/block IP ranges or vnets.

            It would be much easier to manage this for our purpose if we could add a "subscription" tag in the NSG rules and effectively only allow traffic…

            1 vote
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
            • NSG feature (multiple explicit IP addresses, CIDR ranges, and ports)

              Creating rules manually from Portal its creating susscessfully, but same rule not creating using powershell commands.

              Powershell helps us when multiple rules required to create.

              https://docs.microsoft.com/en-us/azure/virtual-network/security-
              overview#augmented-security-rules

              4 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
              • Add a Network Security Group tag for Windows Update

                I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

                If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

                4 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                • Named network sets (avoid repeated network rules in every Azure service)

                  Both SQL Server and Storage now support firewall for inbound requests, where I can inform authorized IP addresses or virtual networks that have access. It is expected that other Azure services will follow that (Key Vault? Data Lake?).

                  The problem is that if I have a subset of services that use same firewall rules, I have to repeat these rules over and over.

                  The suggestion is that Azure Network allows definition of a named network set, or simply named network definition, and then in each service I simply inform that name, instead of repeating the rules again,

                  This way if…

                  3 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                  • Microsoft maintained UDR for MS services

                    MS maintained UDR or firewall rule that enables traffic for MS services to allow outbound traffic from a host in a DMZ. Outbound traffic to all of 443 from a DMZ host to enable backups is a bad design - and using the MS provided IP List includes ALL services including other customers IAS servers - as an attacker all they would need to do to exfil data is to setup an azure host to send it to. It would be better enable outbound traffic for specific services such as backup and have MS maintain a list of that IPs…

                    1 vote
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                    • Support for IKEv2 VPN clients to connect to an Azure based RRAS server (Allow ESP traffic through NSG)

                      Currently, Network Security Groups only support rules for TCP and UDP traffic. This request is for the addition of rules for ESP traffic which is required for IKEv2 clients to connect to an RRAS server running on Azure.
                      We use ExpressRoute Point-to-Site is not an option as they cannot coexist. We currently use SSTP for our clients to connect but lack the resiliency that comes with an IKEv2 connection.

                      Alternatively, support for Expressroute/Point-to-Site coexistence would also satisfy our requirement and eliminate the need to maintain an RRAS server in Azure.

                      3 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                      • allow granular access control to manage NSG rules.

                        Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]

                        1 vote
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                        • Introduce managed SSL for Microsoft Azure

                          This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.

                          3 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                          • NPS Extension for Azure MFA (IP Whitelist)

                            Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?

                            3 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                            • apply filter ip origen azure in NGS

                              apply filter ip origen azure in NGS.
                              This option is like "Allow access to Azure services" in "SQL server Azure"

                              3 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                              • Predefined Access Rules for Every Region

                                Microsoft Azure should have predefined access rules for every region.
                                For example, if someone wants to block traffic for every region except only one, should choose to allow for the specific one and add block rule for every other region.
                                That would be good for DDos attacks.

                                1 vote
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                • add a source tag for Office 365 IPs to NSG Rules

                                  Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

                                  Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)

                                  https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

                                  14 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                  • WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes

                                    The tx.high_risk_country_code and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any affect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.

                                    As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.

                                    17 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                    • Add Standard set of Network Security Group Rules for Inbound and outbound traffic when creating new rules.

                                      I would like to see standard set of NSG rules for each new subscription that gets created for securing environment. for example SQL, SCCM, DMZ, App servers(Web servers), RDP etc. where we have ability to change the names according to our naming conventions and populate or have options to choose subnets, single VM.

                                      1 vote
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                      • Provide NSG Tags for PaaS Services

                                        Provide a way to TAG resoures in NSG - such as Azure Storage, Azure SQL and other PaaS Services or let user define his own custom tags.

                                        12 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                        • Network Security Groups - Windows Server Roles and Features Rules

                                          Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles e.g. Active Directory Domain Services to add rules for SMB/LDAP/Kerberos to match the rules created/enable by adding a Feature in Server Manager in Windows Server OSs.

                                          8 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                          • network security group

                                            the portal saying NSG updated succeed. But usually it may 1-2 mins until rule taking effect

                                            it will be better if the status are synchronized between NSG portal and VM VFP applying

                                            1 vote
                                            Vote
                                            Sign in
                                            Check!
                                            (thinking…)
                                            Reset
                                            or sign in with
                                            • facebook
                                            • google
                                              Password icon
                                              I agree to the terms of service
                                              Signed in as (Sign out)
                                              You have left! (?) (thinking…)
                                            ← Previous 1 3 4
                                            • Don't see your idea?

                                            Feedback and Knowledge Base