Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Adding multiple NSGs to a NIC

      I have several virtual machines in several different subnets that need to apply a certain set of network security rules. But for each VM there are also their own unique rules. I would like to be able to set multiple NSG for the NIC of each virtual machine. I do not want to copy common rules to each NSG.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    2. Allow custom DNS search domain for virtual networks

      Thanks for recently adding the ability to specify custom DNS servers for virtual networks.
      I assume this is implemented with DHCP.
      We are unfortunately not able to rely on this feature yet because we also set a custom DNS domain search.
      This can be done with DHCP option 119, and this is how we have our non-Azure LAN configured.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    3. Allow NVAs etc... to establish BGP session directly with VNETs

      To make HA scenarios a lot simpler with NVAs that support BGP (which most of them do nowadays) each VNET should allow you to establish a BGP session directly with it so you can advertise and learn routes dynamically straight to the VNET.

      This would help so many HA scenarios and also making sure traffic flows are symmetric a lot simpler by using BGP local preference, AS Path and Weight attributes.

      Perhaps this could be enabled via a VNET service endpoint on your VNET as required?

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    4. MS NVA to over come transitive issues and costs for 3rd party NVAs

      Provide an MS NVA to over come the cost of having to implement 3rd party NVA's, to provide routes between Vnets, due the the lack of support for transtive routes, whilst having to useUDRs is very time consuming and creates additional administrative burdens. As well as massive additional costs burdens.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    5. Service tag for Azure alert webhooks

      We would like to have a way to whitelist webhook calls from Azure alerts on the NSGs. I have tried using the 'Azure Monitor' service tag, however, it looks like the calls are getting blocked (testing using the Internet service tag which works).

      Could you please let me know if there is a tag for Azure alerts?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow a UDR to specify any routable "next hop" IP address (not limited to the VNet or Region)

      It would be great if a UDR could point to an IP in another region or on-premises via ExpressRoute. The problem today is that If someone invests in a NGFW virtual appliance, it can only be used from the VNet where it exists or others that are peered to it within the same region. A UDR should be able to route to any routable address... why not?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    7. Automatically add Web hosting plan services to virtual network

      I pretty much want to keep storage, SQL database, web app, VMs, and any other service I use within a private network to keep granular control of which services can connect to other services. The "open to all" connection strings to all services is a hard sell to any organization used to securing their IT behind firewalls and networks of networks. Where are you on this today? It must be considered a less secure since these connection strings always tend to leak..

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    8. Specify internal IP address during creating VM on Azure Portal

      We cannot specify internal IP address during creating VM on Azure Portal, so it's required to specify IP address after VM creation. We want to specify internal IP address during creating VM on Azure Portal.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. Built-in policy to audit VNet rules / usage of service endpoints

      Built-in policy to audit VNet rules / usage of service endpoints

      More and more services in Azure have the ability to use service endpoints (e.g. Azure SQL Database, Azure Storage Account, Azure Data Lake, ...)

      This is necessary to fulfill IT-Security requirements and helps to restrict the access to critical Azure service resources from only specific virtual networks.

      At the moment there is no built-in policy / initiative to audit the usage of these service endpoints.

      Would be possible provide a built-in policy / initiative for this case?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    10. Apply NSG at subnet without applying to NICs

      Provide ability to apply an NSG at the subnet level that is NOT applied to each individual NIC as is currently the case.

      Say I have five subnets and want to block all inbound traffic to subnet A from the other subnets except for one port.

      If I apply a deny all rule to VirtualNetwork, this blocks all communication between VMs in subnet A which breaks cluster type setups unless explicit allow rules are added.

      If I don't apply a deny all rule I have to explicitly add the other subnets as deny, but if another subnet is added it…

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    11. Expand vendor support for Azure virtual network TAP

      Allow Azure virtual network TAP to send collected data to a VM running Suricata, Snort, riverbed etc, not only the current list of vendors.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    12. Direct Peering of East Asia (Hong Kong) with China Telecom AS4809 next generation backbone

      the Hongkong Datacenter should establish a direct Peering with China telecom's AS4809 next generation backbone.

      Currently the latency to China is ridiculous high with 40-50ms to Shenzhen / Dongguan area which makes it to slow for some real time applications.

      Rackspace Hongkong for example have a direct peering with CT's AS4809 and the latency is just 7-9ms to their datacenter which is perfect.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    13. Control Whether Secondary NICs get Gateway & DNS settings from DHCP.

      Generally we do not want 2 gateways on a server. Allow us to control whether secondary NICs receive Gateway and DNS settings. Generally all we really want is an IP address and Subnet Mask on a secondary NIC for communication on a Private Network within the same subnet.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    14. Simplify Network Peering across Tenants

      When you need to peer networks across tenants, you need to create a user in each tenant, and then add them as guests to the other tenants. You also need to ensure that the guest users have the appropriate access. This doesn't meet the need-to-know and least-privilege requirements, especially if you don't fully trust the other party. This also makes it incredibly difficult to automate due to the dependency on user accounts.

      Simplify the peering process by allowing both parties to share keys and network ids in order to peer. Allow service principals to create the peers and only connect…

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    15. I would like to be able to define DNS Servers on a subnet level and not just at the vNet level

      I sometimes have different DNS Servers that I want to assign to each subnet within a vNet. I currently can't find a way to do that except for changing the DNS Servers on each VM's NIC in the subnet.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    16. NSG service tag for AzureBastionSubnet

      When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.

      It would be nice we have AzureBastionSubnet service tag which automatically describes a specific Azure Bastion subnet for each virtual network where resources NSG attached reside in.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    17. Distribute DNS Suffix through Virtual Nerwork

      Distribute DNS Suffix through Virtual Nerwork for all OS, in most of case, mainly Linux OS, we need to set a dns suffix to resolve internal names.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    18. Tell the user which objects prevent an object from being deleted

      I wanted to delete a Virtual Network and it kept telling me that it was in use and that I should come back later if I just deleted an object that used this Network.
      However, the actual reason was that the Virtual Network still had a Gateway configured. As this gateway only shows up inside the Virtual Network and not on "All Resources", I wasted hours to figure out why I couldn't delete the network.

      Suggestion:
      If I can't delete an object because it is in use or has children, give me a list of those objects that prevent the…

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Daniel, we’ve made some updates here, our error messages tell you what resources are preventing delete VNet.

      Further, we created a diagnostic in the support work flow (Azure Portal, support ticket creation: Virtual Network > Management > Cannot delete VNet) to tell you exactly what resources are preventing delete, too!

      Hope this helps, let us know your feedback

      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-cannot-delete-vnet

      - Anavi N [MSFT]

    19. Support for VNET peering when deploying failover groups

      There is no support for VNET peering when deploying failover groups (one have to create new IPSec VPN tunnels to test failover across regions)

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    20. Support Longest Prefix Match in VNet Peering

      Allow VNet Peering between two VNets that may have overlapped IPs by supporting Longest Prefix Match in routing.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    • Don't see your idea?

    Feedback and Knowledge Base