Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network, Traffic Manager, Network Watcher
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Adding multiple NSGs to a NIC
I have several virtual machines in several different subnets that need to apply a certain set of network security rules. But for each VM there are also their own unique rules. I would like to be able to set multiple NSGs for the NIC of each virtual machine. I do not want to copy common rules to each NSG.
13 votes
Thank you for your suggestion, we are reviewing it for inclusion in our planning.
-
Allow custom DNS search domain for virtual networks
Thanks for recently adding the ability to specify custom DNS servers for virtual networks.
I assume this is implemented with DHCP.
We are unfortunately not able to rely on this feature yet because we also set a custom DNS domain search.
This can be done with DHCP option 119, and this is how we have our non-Azure LAN configured.
13 votes
Azure DNS support for private zones is now in limited preview and custom DNS suffix will be part of that. See http://aka.ms/azureprivatedns for details of the feature.
-
Expand vendor support for Azure virtual network TAP
Allow Azure virtual network TAP to send collected data to a VM running Suricata, Snort, riverbed etc, not only the current list of vendors.
12 votes
-
Allow NVAs etc... to establish BGP session directly with VNETs
To make HA scenarios a lot simpler with NVAs that support BGP (which most of them do nowadays) each VNET should allow you to establish a BGP session directly with it so you can advertise and learn routes dynamically straight to the VNET.
This would help so many HA scenarios and also making sure traffic flows are symmetric a lot simpler by using BGP local preference, AS Path and Weight attributes.
Perhaps this could be enabled via a VNET service endpoint on your VNET as required?
11 votes
-
MS NVA to overcome transitive issues and costs for 3rd party NVAs
Provide an MS NVA to overcome the cost of having to implement 3rd party NVAs to provide routes between VNets, due to the lack of support for transitive routes, whilst having to use UDRs is very time consuming and creates additional administrative burdens, as well as massive additional cost burdens.
11 votes
[Sumeet M]: We appreciate your feedback. We will review it internally. Thanks for making Azure better.
-
Service tag for Azure alert webhooks
We would like to have a way to whitelist webhook calls from Azure alerts on the NSGs. I have tried using the 'Azure Monitor' service tag, however, it looks like the calls are getting blocked (testing using the Internet service tag which works).
Could you please let me know if there is a tag for Azure alerts?
10 votes
-
Allow a UDR to specify any routable "next hop" IP address (not limited to the VNet or Region)
It would be great if a UDR could point to an IP in another region or on-premises via ExpressRoute. The problem today is that if someone invests in a NGFW virtual appliance, it can only be used from the VNet where it exists or others that are peered to it within the same region. A UDR should be able to route to any routable address... why not?
10 votes
Hi Deane, thank you for the feedback. This is a good ask, we are actively looking into it. This is on our roadmap.
— Anavi N [MSFT]
-
Automatically add Web hosting plan services to virtual network
I pretty much want to keep storage, SQL database, web app, VMs, and any other service I use within a private network to keep granular control of which services can connect to other services. The "open to all" connection strings to all services are a hard sell to any organization used to securing their IT behind firewalls and networks of networks. Where are you on this today? It must be considered less secure since these connection strings always tend to leak.
10 votes
Service endpoints for Storage and SQL are available in preview and we have more work in progress for web app integration.
-
Specify internal IP address when creating a VM on the Azure Portal
We cannot specify the internal IP address when creating a VM on the Azure Portal, so it is required to specify the IP address after VM creation. We want to specify the internal IP address when creating a VM on the Azure Portal.
10 votes
We are working on this.
-
Built-in policy to audit VNet rules / usage of service endpoints
More and more services in Azure have the ability to use service endpoints (e.g. Azure SQL Database, Azure Storage Account, Azure Data Lake, ...)
This is necessary to fulfill IT-Security requirements and helps to restrict the access to critical Azure service resources from only specific virtual networks.
At the moment there is no built-in policy / initiative to audit the usage of these service endpoints.
Would it be possible to provide a built-in policy / initiative for this case?
10 votes
Hi Johannes,
Could you say more about your scenario? What would you like this audit to show?
Is it just how many service endpoints and what services?
- Anavi N [MSFT]
-
Apply NSG at subnet without applying to NICs
Provide ability to apply an NSG at the subnet level that is NOT applied to each individual NIC as is currently the case.
Say I have five subnets and want to block all inbound traffic to subnet A from the other subnets except for one port.
If I apply a deny all rule to VirtualNetwork, this blocks all communication between VMs in subnet A which breaks cluster type setups unless explicit allow rules are added.
If I don't apply a deny all rule I have to explicitly add the other subnets as deny, but if another subnet is added it…
9 votes
Thanks for the feedback. Please use a security rule to allow subnet to subnet traffic to prevent misconfigurations. We'll take the feedback and evaluate how to incorporate it in future improvements.
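As an added illustration (not part of the post or of Microsoft's reply), the following Python models NSG inbound evaluation (lowest priority number first, first match wins) over a constructed two-subnet address plan, and contrasts the single deny-from-VirtualNetwork rule described in the post with the rule set the reply suggests: an explicit subnet-to-subnet allow ranked above the deny, plus the one port the other subnets may reach. The `VirtualNetwork` tag is simplified here to the VNet address space; the real tag also covers peered and on-premises prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (not from the page): VNet 10.0.0.0/16,
# subnet A = 10.0.1.0/24 (the protected subnet), subnet B = 10.0.2.0/24.
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNET_A = "10.0.1.0/24"

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number wins; rules are evaluated in ascending order
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, "*" or the service tag "VirtualNetwork"
    dest: str       # CIDR, "*" or the service tag "VirtualNetwork"
    dst_port: str   # "*" or a single port number as a string

def _match(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":   # simplified: only the VNet's own address space
        return ipaddress.ip_address(ip) in VNET
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the access decision of the first rule that matches, as an NSG does."""
    # Azure's default inbound rules close the set (AzureLoadBalancer at 65001 omitted).
    defaults = [Rule(65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
                Rule(65500, "Deny", "*", "*", "*")]
    for r in sorted(list(rules) + defaults, key=lambda r: r.priority):
        if _match(r.source, src_ip) and _match(r.dest, dst_ip) and r.dst_port in ("*", str(dst_port)):
            return r.access
    return "Deny"

# The misconfiguration from the post: one deny-all whose source is VirtualNetwork.
BROKEN = [Rule(4000, "Deny", "VirtualNetwork", "*", "*")]

# The fix from the reply: an explicit subnet-to-subnet allow that outranks the deny,
# plus the single port (443 here, constructed) that other subnets may reach.
FIXED = [Rule(100, "Allow", SUBNET_A, SUBNET_A, "*"),
         Rule(200, "Allow", "VirtualNetwork", SUBNET_A, "443"),
         Rule(4000, "Deny", "VirtualNetwork", "*", "*")]

def intra_subnet_cluster_ok(rules) -> bool:
    return evaluate(rules, "10.0.1.4", "10.0.1.5", 3389) == "Allow"

def other_subnet_allowed_port(rules) -> bool:
    return evaluate(rules, "10.0.2.4", "10.0.1.5", 443) == "Allow"

def other_subnet_blocked(rules) -> bool:
    return evaluate(rules, "10.0.2.4", "10.0.1.5", 3389) == "Deny"
```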
-
Direct Peering of East Asia (Hong Kong) with China Telecom AS4809 next generation backbone
The Hong Kong datacenter should establish a direct peering with China Telecom's AS4809 next generation backbone.
Currently the latency to China is ridiculously high, at 40-50ms to the Shenzhen / Dongguan area, which makes it too slow for some real time applications.
Rackspace Hong Kong for example has a direct peering with CT's AS4809 and the latency is just 7-9ms to their datacenter, which is perfect.
8 votes
Thank you for your feedback. We are continuously working to improve our services and we are reviewing this request. We will get back to you shortly with additional insights.
-
Control Whether Secondary NICs get Gateway & DNS settings from DHCP.
Generally we do not want 2 gateways on a server. Allow us to control whether secondary NICs receive Gateway and DNS settings. Generally all we really want is an IP address and Subnet Mask on a secondary NIC for communication on a Private Network within the same subnet.
8 votes
Thank you for your suggestion. We included this in our roadmap.
-
NSG service tag for AzureBastionSubnet
When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.
It would be nice if we had an AzureBastionSubnet service tag which automatically describes the specific Azure Bastion subnet for each virtual network where the resources the NSG is attached to reside.
7 votes
Thanks for your feedback. Azure Bastion is currently in preview.
We will consider this ask.
- Anavi N [MSFT]
-
Simplify Network Peering across Tenants
When you need to peer networks across tenants, you need to create a user in each tenant, and then add them as guests to the other tenants. You also need to ensure that the guest users have the appropriate access. This doesn't meet the need-to-know and least-privilege requirements, especially if you don't fully trust the other party. This also makes it incredibly difficult to automate due to the dependency on user accounts.
Simplify the peering process by allowing both parties to share keys and network ids in order to peer. Allow service principals to create the peers and only connect…
7 votes
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
-
I would like to be able to define DNS Servers on a subnet level and not just at the vNet level
I sometimes have different DNS Servers that I want to assign to each subnet within a vNet. I currently can't find a way to do that except for changing the DNS Servers on each VM's NIC in the subnet.
7 votes
-
Distribute DNS Suffix through Virtual Network
Distribute the DNS suffix through the Virtual Network for all OSes; in most cases, mainly on Linux OS, we need to set a DNS suffix to resolve internal names.
6 votes
Valid suggestion, subject to upvote.
-
Tell the user which objects prevent an object from being deleted
I wanted to delete a Virtual Network and it kept telling me that it was in use and that I should come back later if I just deleted an object that used this Network.
However, the actual reason was that the Virtual Network still had a Gateway configured. As this gateway only shows up inside the Virtual Network and not on "All Resources", I wasted hours figuring out why I couldn't delete the network.
Suggestion:
If I can't delete an object because it is in use or has children, give me a list of those objects that prevent the…
6 votes
Hi Daniel, we've made some updates here: our error messages tell you what resources are preventing the VNet delete.
Further, we created a diagnostic in the support workflow (Azure Portal, support ticket creation: Virtual Network > Management > Cannot delete VNet) to tell you exactly what resources are preventing the delete, too!
Hope this helps; let us know your feedback.
- Anavi N [MSFT]
-
Add metrics for routes in route tables
Add metrics for routes to provide an easy way to utilize backup routes in Azure.
6 votes
-
Support for VNET peering when deploying failover groups
There is no support for VNET peering when deploying failover groups (one has to create new IPSec VPN tunnels to test failover across regions).
5 votes
Hello,
Thanks for the feedback! We will look into this.
Allegra [MSFT]