Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Wildcard mask support for NSGs
It would be great if NSGs would support wildcard masks to deny/permit traffic in a more granular way, the way most network vendors do it.
This would make it much easier to permit and deny traffic based on a subnet scheme.
4 votes
Thank you for your suggestion. We are reviewing it and will get back to you.
-
Network Security Rules by MAC address also.
Network Security Rules by MAC address also. Right now the portal only allows filtering via IP address or CIDR block. I would like to allow remote laptops to access but their WAN IP keeps changing.
118 votes
Hi JMartinez
Thanks for the feedback, we’ll consider this feature for future improvements
-
Support dynamic RPC endpoints for domain controller traffic in NSGs
Please consider adding dynamic endpoint support in Network Security Group (NSG) to support Domain Controller traffic between subnets. Basically approve specific traffic types between subnets.
5 votes
Thanks for the input. We will consider adding this feature to our roadmap.
-
Allow network security groups to be created and renamed
Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?
My use case: I created an instance and an 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.
373 votes
This remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Network and Service object group support for NSG
Network and Service object group support is missing in Network security Group (NSG). This makes NSG more difficult to Manage and control. Please consider this to make NSG more efficient.
34 votes
Thanks for the feedback! We are looking into exposing system tags for STORAGE and SQL in the near term.
System Tag for is also on our roadmap for future improvements
-
Service Groups (tcp/udp) for Network Security Group (NSG) for complex services.
Sometimes, for services to work, we need many tcp/udp ports. For example, to limit access from DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
Is it possible to create an object with the needed tcp/udp ports group and apply this service group to one NSG rule?
23 votes
Thank you! This is a great suggestion – we are currently reviewing this for future updates to NSGs.
-
Be able to manage Role/Action at subnet level inside a vnet
In ARM and RBAC model: Possibility to have the subnet as an independent resource to be able to say using RBAC: "I want my user1 to be able to deploy VM to subnet 1 and 2 but not 3 because subnet 3 is an infrastructure subnet unauthorized to users."
56 votes
Thank you for your suggestion, we added this to our roadmap.
-
network security group
The portal says the NSG update succeeded. But usually it may take 1-2 mins until the rule takes effect.
It would be better if the status were synchronized between the NSG portal and the VM VFP applying.
1 vote
Thank you for your suggestion. We are working to improve this experience.
-
ACLs for restricting access to ClearDB
I have a cheap titan cleardb database. I'd like to make it only accessible from within Azure and perhaps from a fixed set of whitelisted IPs.
3 votes
Thank you for your suggestion. We are reviewing it and will get back to you.
-
NSG flow log in classic
We cannot use flow log in classic portal.
I hope we will be able to use this feature in classic too.
1 vote
-
Validate Firewall Rules priority conflicts before starting deployment
When creating a new VM and a new network with inbound firewall rules, if you add two rules with the same priority it will pass validation (see attached screenshot). It will however later fail the deployment with an obscure error message.
Firewall rule priority conflict detection should happen instantly as you type in the rule textbox. That green checkmark should have been red and saying "there is already another rule with this priority"
7 votes
Hi Kirill, thanks for the feedback. This seems like an issue with Portal validation. We will look into fixing this and update the status as appropriate.
-
Auto close/deny port after time
Leaving RDP open is a huge security risk, so I prefer to set it to "deny" by default and only open it before using RDP. Most likely I do have to remember to close the RDP port after doing my work, but it would be nice if there were a timespan that would close the port after it was opened. So if I forgot, I wouldn't leave the RDP port open, it would automatically close after the given timeout.
6 votes
Hi Akash,
This is really good feedback. We will look into this.
-Anavi N [MSFT]
-
Improved audit when NSG is removed/added to a subnet
When an NSG is associated or removed from a subnet I only see "Microsoft.Network/virtualNetworks/subnets/write" in the audit log. It is not clear whether this is an NSG which has been removed or some other activity like addition or removal of a route table on the subnet. It would be useful to see what actually happened for auditing purposes.
3 votes
Thanks for the feedback
We can expose the entire configuration change with previous and new version including all properties, we’ll review it for future improvement.
-
Predefined Access Rules for Every Region
Microsoft Azure should have predefined access rules for every region.
For example, if someone wants to block traffic for every region except only one, should choose to allow for the specific one and add block rule for every other region.
That would be good for DDoS attacks.
1 vote
Thanks for the feedback
We are reviewing different approaches to simplify the experience and make our default model easier to implement.
-
Add Standard set of Network Security Group Rules for Inbound and outbound traffic when creating new rules.
I would like to see a standard set of NSG rules for each new subscription that gets created for securing the environment, for example SQL, SCCM, DMZ, App servers (Web servers), RDP etc., where we have the ability to change the names according to our naming conventions and populate or have options to choose subnets, single VM.
1 vote
Thanks for the feedback
We are evaluating how to implement this template based NSG for customers.
-
Azure GUI BUG Network Security Group for Gateway
Portal allows associating an NSG to a gateway subnet
1 vote
Hi Harish
Thanks for your share, we’ll investigate and fix the issue.
-
create predefined NSG for Azure Datacenters IP Range
Let's say I have a VM that I want to restrict access from the outside. I want this VM to be accessible from my onprem IPs and from Azure IPs (since a part of my infrastructure is on Azure). Since at the moment of discussion ARM VMs do not support static IP address, it will be very useful to create an NSG for allowing traffic only from Azure IP ranges. Right now you cannot create such an NSG because an NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…
88 votes
Thanks for the feedback, service tag is called AzureCloud and it’s already available in all regions
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
-
Add my client ip to allowed list in Inbound NSG
Please, add "add client ip" button for inbound security rules like we have for sql azure
Example why/when we need it: I'm an IT admin, all my deployment is in Azure (no site/point to site VPN). I want to have full access to my Azure resources for the next 1-2h. Now I can manually add this rule, but I will spend some time to clarify my current client IP. With this button it will be faster.
Maybe it sounds like keys to the kingdom and it's not secure, but I can do it manually anyway. Maybe you could create a temporary inbound rule…
3 votes
Thanks for the feedback, please help us with some clarifications about this feature with some examples on how to determine source IP and destination IP to apply a temporary rule.
-
4 votes
Thanks for the feedback, we’ll consider this improvement for future