Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
NSG service tag for AzureBastionSubnet
When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.
It would be nice we have AzureBastionSubnet service tag which automatically describes a specific Azure Bastion subnet for each virtual network where resources NSG attached reside in.
3 votesThanks for your feedback. Azure Bastion is currently in preview.
We will consider this ask.
- Anavi N [MSFT]
-
VNet peering circular dependency reference due to cross 'dependsOn' between the two VNets
When a peering is set up between two vNets, VNET1 and VNET2, there would be two 'dependsOn' properties in the template generated from the Automation script blade of the resource group. VNET1 would depend on VNET2, and VNET2 would depend on VNET1. This causes a circular dependency error and the deployment of the template would fail. If you manually remove the two 'dependsON' properties, the deployment would succeed with the same result. I think that this should be fixed, I found this suggestion in this post : https://techcommunity.microsoft.com/t5/Azure/Does-vNet-peering-cause-a-circular-dependency-error-in/m-p/369823#M3963
3 votes -
Apply NSG at subnet without applying to NICs
Provide ability to apply an NSG at the subnet level that is NOT applied to each individual NIC as is currently the case.
Say I have five subnets and want to block all inbound traffic to subnet A from the other subnets except for one port.
If I apply a deny all rule to VirtualNetwork, this blocks all communication between VMs in subnet A which breaks cluster type setups unless explicit allow rules are added.
If I don't apply a deny all rule I have to explicitly add the other subnets as deny, but if another subnet is added it…
3 votesThanks for the feedback, please use a security rule to allow subnet to subnet traffic to prevent misconfigurations, we’ll take the feedback and evaluate how to incorporate in future improvements
-
IP-in-IP
Provide the ability to unblock IP-in-IP encapsulated packets in a virtual network.
3 votes -
Dynamic routing within VNET
I would like to have the option to dynamically route traffic within a subnet in Azure.
Example: I have a two VMs acting as tunnel endpoints for 4G<->Network devices. These VMs are connecting to the same endpoints over Internet but use different technologies and have different connection availability. One is fast but unreliable, the other one slow but reliable. This setup is exported from my on premise VMware setup. But for this to work I have to be able to dynamically choose which VM I want to route traffic to, be it using Cisco route tracking or OSPF.I've set…
3 votesHi there – we do not currently have a way to do this. However, you could do this via BGP. Thanks for your feedback. We will look into this.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview
-
Need ability to update NIC IP configurations for VMs that are stopped but not deallocated
When attempting to update NIC IP configurations for Azure VMs that are stopped but not deallocated, the update request times out after a long time period and subsequent requests for changes to the VM's NIC configuration fail. Users should be able to make this type of change without a failure or a long time-out period.
2 votesWould you like to create a support ticket related to this? Might be a good option to ensure appropriate checks and balances. We will also look into this in parallel.
-
virtual network integration panel is broken (August 2017)
Hi,
The section "IP ADDRESSES ROUTED TO VNET" in the App Service Plan/Networking/Virtual Network Integration panel is no longer working.
This looks like a GUI error. The section is empty - does not show the actual configured routes, and does not provide an input box to add additional routes.
This affects classic VNets - I do not know about RM Vnets.
Regards,
Ben2 votes -
Support for VNET peering when deploying failover groups
There is no support for VNET peering when deploying failover groups (one have to create new IPSec VPN tunnels to test failover across regions)
2 votes -
Name display for next hop types
"The name displayed and referenced for next hop types is different between the Azure portal and command-line tools, and the Azure Resource Manager and classic deployment models."
This should be changed for intuition. I should be forced to remember multiple names for identical configurations. Azure already has unnecessarily given proprietary names for industry standards.
Stop making your product unnecessarily difficult to use.
1 voteThanks for sharing the feedback, we’ll review the consistency on the names across all clients to improve on a future iteration.
-
Make sure no new network adapters are created or the new one inherites the values of the pre existing NIC.
We use DSC to monitor for compliancy. When someone switches the subnet in Azure a new NIC is created in Windows. The networkingDSC resource enables you to rename a NIC so you can monitor it based on a predictable name for monitoring / orchestration purposes. But when a VM is moved to a new Network subnet it creates a new nic and hides the old one in system devices. DSC is then unable to rename the NIC to the same name as it's config due to the old name being in use.... This behavior breaks the goal of eliminating configuration…
1 vote -
effectiveNetworkSecurityGroups and effectiveRouteTable to have 'read' rather than 'action' t better integrate with Azure RBAC
The 'Microsoft.Network/networkInterfaces/effectiveRouteTable/action' and 'Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action' provider actions must rather end with a 'read' to better integrate with Azure RBAC. Customers have to write a new role definition for a reader to just be able to read effective NSG rules (while individual NSGs and NSG rules can be read by a reader). The fact that these two actions end with a 'action' makes a reader not have access to leverage this feature.
1 voteThanks for the feedback, we’ll evaluate the improvement and how to incorporate on a future iteration.
-
Service tag for Azure alert webhooks
We would like to have a way to whitelist webhook calls from Azure alerts on the NSGs. I have tried using the 'Azure Monitor' service tag, however, it looks like the calls are getting blocked (testing using the Internet service tag which works).
Could you please let me know if there is a tag for Azure alerts?
1 vote -
Delete a network security group: this description is insufficient. please make it better
Delete a network security group: this description is insufficient. please make it better
1 voteHi Willem,
Do you mean in the Azure Portal?
Let us know and we will update.
- Anavi N [MSFT]
-
There is a bug in firewall settings
in this page:
https://portal.azure.com/#@XXXX/providers/Microsoft.Network/networkSecurityGroups/xxxx/overviewWhere I try to change the ip for more that one inbound rule, there is a validation message says that the port is duplicated (although it is not)
Excepted not to see this message
1 vote -
make SNAT Flows graph tool available to customers
give customers access to the virtual network SNAT Flows graph tool/data, so that a customer can self determine if a Azure VM using default Internet access is actually successfully communicating outbound to the internet. This is impossible to discern from other Azure tools or conclusively know by running packet captures locally on the VM. Support has access to this tool and data, and was able to confirm for me which ruled that out as a problem, and resulted in correct resolution of the root problem.
1 voteThanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
-
Add Ability to create a Dynamic Object "Local Subnet" Route in a Route Table
We have a configuration where we want VMs on the same subnet to communicate directly through the virtual network, and VMs on different subnets to communicate through a firewall. We have done this by defining a unique route table for for each subnet.
It would be far more better to have a "Local Subnet" object so that a single route table could be used for all the subnets in a vnet. For example, create a route with Address Prefix as "Local Subnet" with nexthop "Virtual Network".
1 voteVMs in the same subnet already connect directly through the virtual network. Subnets are part of the virtual network. Not sure your ask is clear. Please elaborate on the overall scenario that requires such configuration.
-
Vnet creation imposes 1 subnet. why not make it optional or allow the creation of all subnet needed at once
upon creating my vnet I can only 1 subnet. an ADD button would be useful to allow the creation of multiple subnet at one time or make it optional
1 vote -
Internal vNet endpoints for SQL Databases and Storage Devices to allow private accessible only via Expressroute Gateway
To justify using Expressroute to "securely" extend the corporate LAN/WAN infrastructure to the cloud.
Create Internal vNet Endpoints for SQL Databases and Storage Devices to allow private accessible only via Expressroute Gateway.
Needed to secure sensitive PII, HIPAA, and Company Confidential Databases and storage devices
1 voteThank you for your suggestion. We are planning to offer this in the future.
-
Complete Network map
Complete Network map - NICs connected to subnet - connected to vnet and NSG rule name
1 vote -
Backup and restore each network resource configuration settings
Network resources configuration like VNET, Traffic Manager, Load Balancer, VPN GW, App GW, UDR, NSG, be able to backup and restore by each compornent.
This would help if configuration ever gets lost, accidentally changes it, corrupt, or we want to recreate a new component and keep some favorite settings.1 vote
- Don't see your idea?