Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. apply filter ip origen azure in NGS

      apply filter ip origen azure in NGS.
      This option is like "Allow access to Azure services" in "SQL server Azure"

      3 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
      • Predefined Access Rules for Every Region

        Microsoft Azure should have predefined access rules for every region.
        For example, if someone wants to block traffic for every region except only one, should choose to allow for the specific one and add block rule for every other region.
        That would be good for DDos attacks.

        1 vote
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
        • add a source tag for Office 365 IPs to NSG Rules

          Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

          Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)

          https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

          5 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
          • WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes

            The tx.high_risk_country_code and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any affect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.

            As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.

            17 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
            • Add Standard set of Network Security Group Rules for Inbound and outbound traffic when creating new rules.

              I would like to see standard set of NSG rules for each new subscription that gets created for securing environment. for example SQL, SCCM, DMZ, App servers(Web servers), RDP etc. where we have ability to change the names according to our naming conventions and populate or have options to choose subnets, single VM.

              1 vote
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
              • Provide NSG Tags for PaaS Services

                Provide a way to TAG resoures in NSG - such as Azure Storage, Azure SQL and other PaaS Services or let user define his own custom tags.

                9 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                • Network Security Groups - Windows Server Roles and Features Rules

                  Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles e.g. Active Directory Domain Services to add rules for SMB/LDAP/Kerberos to match the rules created/enable by adding a Feature in Server Manager in Windows Server OSs.

                  8 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                  • Ability to group Network Security Groups

                    Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple

                    Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/

                    7 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                    • Support enabling and disabling NSG rules

                      Support enabling and disabling NSG rules

                      It would be nice if we could disable rules instead of having to delete them like other firewall products support :)

                      17 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                      • Rename NSG policy

                        Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again

                        17 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                        • BUG in Azure PowerShell interface for creating NSGs

                          There is a bug/conflict between the documentation for creating NSG rules with Azure PowerShell. The tag "VIRTUAL_NETWORK" mentioned in the documentation causes the API to throw a 400, where as the "VirtualNetwork" tag (not mentioned anywhere in the documentation) allows for the successful creation of the rule

                          1 vote
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                          • NSG rule for Azure Backup and Recovery services.

                            Is it possible to have Azure fabric as a preset tag to allow traffic for Backup/ASR when creating NSG rules.

                            4 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                            • Add Custom Tags to NSG Rules

                              It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-adresses/subnets as a seperate item in every NSG. When these ip-adresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-adresses/subnets as 'Custom Tags' in our NSG's rules we don't have to check and change every NSG rule with every ip-address change.

                              123 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                              • Allow creation of NSG rules based on FQDN along with Ports

                                NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM

                                54 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                • Allow network security to allow or deny other network security groups

                                  Amazon Web Services allows a security group to allow or deny other security groups (including itself). This allows you to easily group NICs (VMs) into the same "VLAN", or to allow one "server role" to access another "server role" (for example allow the WAP security group to access the ADFS security group)

                                  10 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                  • multiple network security groups per NIC

                                    Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)

                                    49 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                    • Azure Networking Traffic Simulator

                                      You should consider adding a Azure Networking Traffic Simulator somewhere in Azure to provide better tooling for troubleshooting and configuring NSG firewall rules.

                                      2 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                      • Support dynamic RPC endpoints for domain controller traffic in NSGs

                                        Please consider adding dynamic endpoint support in Network Security Group (NSG) to support Domain Controller traffic between subnets. Basically approve specific traffic types between subnets.

                                        1 vote
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                        • Log all requests including source IP for NSG

                                          I need to generate a report of all source IPs over port 80 for a given day for a specific VM.

                                          9 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                          • Allow referencing an Azure resource by id in Network Security Groups

                                            NSG's should allow the use of Azure resource ID in addition to ip addresses for NSGs. For example, if I reference the ID of a webapp, then the rule will apply to the public IPs of that webapp. If I reference an azure VM, then the rule will apply to the ip address of that vm. And so on. It would make it so much more flexible to build up rules by using resource id's/names than today's very static and cumbersome implementation, especially for complex rules.

                                            4 votes
                                            Vote
                                            Sign in
                                            Check!
                                            (thinking…)
                                            Reset
                                            or sign in with
                                            • facebook
                                            • google
                                              Password icon
                                              I agree to the terms of service
                                              Signed in as (Sign out)
                                              You have left! (?) (thinking…)
                                            ← Previous 1 3
                                            • Don't see your idea?

                                            Feedback and Knowledge Base