Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Adding multiple NSGs to a NIC
I have several virtual machines in several different subnets that need to apply a certain set of network security rules. But for each VM there are also their own unique rules. I would like to be able to set multiple NSG for the NIC of each virtual machine. I do not want to copy common rules to each NSG.
10 votesThank you for your suggestion, we are reviewing it for inclusion in our planning.
-
wants to make my custom service tags for network security group
Is it possible to create and add our own service tag mapping to multiple ip address ranges? These days, we need to have our own service tag for outside cloud vendor's service such as payment or customer review.
10 votesThanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
-
Allow a UDR to specify any routable "next hop" IP address (not limited to the VNet or Region)
It would be great if a UDR could point to an IP in another region or on-premises via ExpressRoute. The problem today is that If someone invests in a NGFW virtual appliance, it can only be used from the VNet where it exists or others that are peered to it within the same region. A UDR should be able to route to any routable address... why not?
10 votesHi Deane, thank you for the feedback, This is a good ask, we are actively looking into it. This is in our road map.
— Anavi N [MSFT]
-
Automatically add Web hosting plan services to virtual network
I pretty much want to keep storage, SQL database, web app, VMs, and any other service I use within a private network to keep granular control of which services can connect to other services. The "open to all" connection strings to all services is a hard sell to any organization used to securing their IT behind firewalls and networks of networks. Where are you on this today? It must be considered a less secure since these connection strings always tend to leak..
10 votesService endpoints for Storage and SQL are available in preview and we have more work in progress for webapps integration.
-
Specify internal IP address during creating VM on Azure Portal
We cannot specify internal IP address during creating VM on Azure Portal, so it's required to specify IP address after VM creation. We want to specify internal IP address during creating VM on Azure Portal.
10 votesWe are working on this.
-
Built-in policy to audit VNet rules / usage of service endpoints
Built-in policy to audit VNet rules / usage of service endpoints
More and more services in Azure have the ability to use service endpoints (e.g. Azure SQL Database, Azure Storage Account, Azure Data Lake, ...)
This is necessary to fulfill IT-Security requirements and helps to restrict the access to critical Azure service resources from only specific virtual networks.
At the moment there is no built-in policy / initiative to audit the usage of these service endpoints.
Would be possible provide a built-in policy / initiative for this case?
10 votesHi Johannes,
Could you say more about your scenario? What would you like thisaudit to show?
Is it just how many servic eendpoints and what services?
- Anavi N [MSFT]
-
Apply NSG at subnet without applying to NICs
Provide ability to apply an NSG at the subnet level that is NOT applied to each individual NIC as is currently the case.
Say I have five subnets and want to block all inbound traffic to subnet A from the other subnets except for one port.
If I apply a deny all rule to VirtualNetwork, this blocks all communication between VMs in subnet A which breaks cluster type setups unless explicit allow rules are added.
If I don't apply a deny all rule I have to explicitly add the other subnets as deny, but if another subnet is added it…
9 votesThanks for the feedback, please use a security rule to allow subnet to subnet traffic to prevent misconfigurations, we’ll take the feedback and evaluate how to incorporate in future improvements
-
Expand vendor support for Azure virtual network TAP
Allow Azure virtual network TAP to send collected data to a VM running Suricata, Snort, riverbed etc, not only the current list of vendors.
9 votes -
Direct Peering of East Asia (Hong Kong) with China Telecom AS4809 next generation backbone
the Hongkong Datacenter should establish a direct Peering with China telecom's AS4809 next generation backbone.
Currently the latency to China is ridiculous high with 40-50ms to Shenzhen / Dongguan area which makes it to slow for some real time applications.
Rackspace Hongkong for example have a direct peering with CT's AS4809 and the latency is just 7-9ms to their datacenter which is perfect.
8 votesThank you for your feedback. We are continuously working to improve our services and we are reviewing this request. We will get back to you shortly with additional insights.
-
Control Whether Secondary NICs get Gateway & DNS settings from DHCP.
Generally we do not want 2 gateways on a server. Allow us to control whether secondary NICs receive Gateway and DNS settings. Generally all we really want is an IP address and Subnet Mask on a secondary NIC for communication on a Private Network within the same subnet.
8 votesThank you for your suggestion. We included this in our roadmap.
-
Add Service Tags to Route Tables/UDR
Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…
8 votes -
Simplify Network Peering across Tenants
When you need to peer networks across tenants, you need to create a user in each tenant, and then add them as guests to the other tenants. You also need to ensure that the guest users have the appropriate access. This doesn't meet the need-to-know and least-privilege requirements, especially if you don't fully trust the other party. This also makes it incredibly difficult to automate due to the dependency on user accounts.
Simplify the peering process by allowing both parties to share keys and network ids in order to peer. Allow service principals to create the peers and only connect…
7 votesThanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
-
I would like to be able to define DNS Servers on a subnet level and not just at the vNet level
I sometimes have different DNS Servers that I want to assign to each subnet within a vNet. I currently can't find a way to do that except for changing the DNS Servers on each VM's NIC in the subnet.
7 votes -
NSG service tag for AzureBastionSubnet
When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.
It would be nice we have AzureBastionSubnet service tag which automatically describes a specific Azure Bastion subnet for each virtual network where resources NSG attached reside in.
6 votesThanks for your feedback. Azure Bastion is currently in preview.
We will consider this ask.
- Anavi N [MSFT]
-
Distribute DNS Suffix through Virtual Nerwork
Distribute DNS Suffix through Virtual Nerwork for all OS, in most of case, mainly Linux OS, we need to set a dns suffix to resolve internal names.
6 votesvalid suggestion subject to upvote
-
Tell the user which objects prevent an object from being deleted
I wanted to delete a Virtual Network and it kept telling me that it was in use and that I should come back later if I just deleted an object that used this Network.
However, the actual reason was that the Virtual Network still had a Gateway configured. As this gateway only shows up inside the Virtual Network and not on "All Resources", I wasted hours to figure out why I couldn't delete the network.Suggestion:
If I can't delete an object because it is in use or has children, give me a list of those objects that prevent the…6 votesHi Daniel, we’ve made some updates here, our error messages tell you what resources are preventing delete VNet.
Further, we created a diagnostic in the support work flow (Azure Portal, support ticket creation: Virtual Network > Management > Cannot delete VNet) to tell you exactly what resources are preventing delete, too!
Hope this helps, let us know your feedback
- Anavi N [MSFT]
-
Enable "vNet peering" as UDR next hop
Enable "vNet peering" as UDR next hop. Currently if you have a large range, a /16 for example, set in a UDR with a next hop of an NVA it is not possible to override or point a single subnet, for example a /24, in the /16 at the vNet Peering. This would be useful to bypass an NVA for certain subnets or IPs.
6 votes -
Support Longest Prefix Match in VNet Peering
Allow VNet Peering between two VNets that may have overlapped IPs by supporting Longest Prefix Match in routing.
4 votesThanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
-
Attach second network interface to already running instance
I would like to be able to attach new network interface to already started instance (single VM or VM in scale set)
Reason for that is for example:
https://www.credera.com/blog/technology-solutions/how-to-automate-zookeeper-in-aws/ (Option 3)4 votesThis is not currently, planned.
We would like to gather more feedback from the community.
- Anavi N [MSFT]
-
Exclude networks in the default Tag "Virtual Network" which are defined in UDR
When we are using the default Tag "Virtual Network" in NSG to make a Rule for intra VNE communication, the UDR networks are automatically included in the default Tag "Virtual Network", e.g. I have defined a UDR as route route / network 0.0.0.0/0, it is included in to default Tag "Virtual Network", then the Tag is useless for intra vnet communication as it contain the network 0.0.0.0/0.
My Suggestion is to exclude the UDR from default Tag or allow us to make our own Tag. Also when we are creating NSG with multiple destination ip/networks from same source ip/network and…
4 votesThank you for your suggestion. We are considering this for inclusion in our roadmap.
- Don't see your idea?