Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. vpn gateway slow to create

      Why does it take upwards of 30 minutes to create a vnet gateway?
      If I am doing a PowerShell script or a CI/CD deployment, the whole world stops while the VPN takes 30-odd minutes to be initialised and start. Can this please be addressed?

      105 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  17 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. VPN Connection Status Alert

      It would be nice to have built in alerting for when VPN connections are dropped/connecting. We've had to setup an hourly runbook to call a PowerShell command that pushes data to OMS and then create an alert. All of the data is available in resource health so it shouldn't be a difficult enhancement, we just have no native way to pull/alert the data.

      89 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Classic to ARM VNet Migration - Recreate Site-to-Site connections

      I have recently migrated a classic virtual network with a Site-to-Site VPN connection to an ARM VNet using platform-supported migration.

      When the connection between the 2 networks was recreated under the ARM platform it defaulted to a VNet-to-VNet connection which meant a loss of connectivity between the 2 networks. I had to add create another LNG and recreate the connection as a Site-to-Site.

      Now I understand the benefits of VNet-to-VNet connections but I would like the platform-supported migration to respect the existing connection type and recreate this correctly.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. VNET GW packet filter

      Hi All.

      I would like to set up a packet filter for VPN GW.
      It is the same as RRAS packet filter setting.
      Inbound IP address and port range filter, and outbound IP address and port range filter.

      Our VNET is connecting between sites with customers' VNET and VNET GW. Even if it is attacked from outside the customer's VNET, I do not want to endanger our VNET. I would like to filter traffic arriving at VNET with source IP and destination port number.

      How can it be realized?

      regards.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. 1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Static IP for VPN Client over Azure P2S Solution

      Concurrently, we can allocate Static Private Address space for all VPN Client (using SSL VPN) via our On-Premise network.

      Since Azure offers P2S solution as VPN Client access, there is no configuration where we can do the same as with On-Premise network.

      Though it is very much efficient if P2S can be further modify to allow us more control over IP allocation as we can do the same via On-Premise VPN Client, hoping that this solution can be look upon by your Product Team.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  3 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. List the private IP address of a virtual network gateway

      Show the private IP address of a virtual network gateway in the "Connected devices" blade.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi,

      Currently, the gateway private IP addresses are not required for configurations or operations, other than the GatewaySubnet range. They should have been hidden from users. The gateway resource model does not have a field for those either.

      There may be use cases for new features down the road. We will update the gateway resource model accordingly and expose those properly.

      Thanks,
      Yushun [MSFT]

    8. Please provide metric for Point-to-Site VPN traffic

      We can't meter Point-to-Site VPN usage now.
      Please provide metric for Point-to-Site VPN traffic like Site-to-Site tunnnel metric.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Validate YAMAHA RTX830 and RTX1210 for Azure VPN Gateway

      YAMAHA RTX router series ( https://network.yamaha.com/products/routers )
      are not validated as VPN devices:
      https://docs.microsoft.com/ja-jp/azure/vpn-gateway/vpn-gateway-about-vpn-devices

      Nevertheless I or some Japanese are struggling to connect Azure VPN Gateway with YAMAHA RTX routers.
      we are able to have connection but there are some troubles reported on blogs.
      We need to verification.

      At kakaku.com(the most popular Bestbuy ranking site in Japan),
      YAMAHA RTX830 and RTX1210 are the top 2 selling products nowadays.
      Previous models are also popular for a couple of decades in Japan.
      I think the verification will have huge impact in Japan to support VPN Gateway at SOHO environments.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Folks,

      Thanks for reaching out to us regarding the VPN device issues. In general, our team needs to work with the VPN device vendor, in this case, Yamaha, to validate their VPN devices connecting to Azure VPN gateways.

      To get things started, we will need someone from Yamaha to contact us, either via Microsoft Japan if that’s easier, or open an issue on the page directly. Once we establish the contact, we can proceed to work with Yamaha to validate their VPN devices.

      Thanks,
      Yushun [MSFT]

    10. Adjust route based VPN vNet gateway traffic selectors

      We use routes based VPNs for most connectivity to Azure. However, we do have some policy based VPNs that need access to Azure as well.

      Unfortunately, it doesn’t appear that Azure lets you configure the local network prefix When using traffic selectors in IPSEC.

      This is extremely common on network equipment outside of Azure. I’ll reference an example with a Juniper SRX.

      https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-traffic-selector-configuring.html

      Azure automatically uses every prefix configured within a vNet as the local prefix. It’s my hope that we can configure this per ‘Connection’ when using traffic selectors.

      Can we have this feature considered?

      Thank you.

      26 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Fix Virtual Network Gateway IKEv2 Security Logging

      Ok, so logging access to enterprise networks is a basic security control which we shouldn't be asking for in year 2018.

      If we deploy P2S/Virtual Network Gateway w/IKEv2/certificate authentication in its current state, we open our networks to the internet and have no idea who logs into it and from where. There are basically NO events logged for an authenticated user. In addition, the "Connection Count" doesn't increment. So If I have 100 users connect via IKEv2, Connection Count still shows 0.

      THIS IS A SIGNIFICANT SECURITY HOLE.

      Microsoft - this product shouldn't have been released, not in its current…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. VNET Gateway VPN Client should have easy way to refresh routes

      I noticed that you need to download the VPN client again if the peering changes on the VNETs associated with the gateway. Once the client has the routes you can tear down and recreate VNET peerings as often as you like. It would be nice to have an easy way to refresh the routes for your installed VPN client because I see customers wasting a lot of time trying to figure out why they can’t connect to vms. At least to have some warning to customers would be good when they configure vnet peering that they might have to reinstall…

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Matt,

      Thanks for the feedback. The status of this ask is a bit complicated – it’s partially working, but partially in progress:

      1. For existing SSTP P2S VPN, there is no solution but to download the VPN client package again.

      2. For IKEv2 P2S VPN, it works by P2S client reconnecting to the Azure VPN gateway. Once they connect again, they will get the new routes. This will apply to changes in VNet address spaces (including VNet peering), newly added S2S/VNet-to-VNet connections, or new routes learned via BGP.

      3. The caveat for (2) is that it currently works on Mac and Linux, but Windows require a KB/Update that will be released shortly.

      We will provide an update to this item once the Windows update is available.

      Thanks,
      Yushun [MSFT]

    13. Make P2S (Point-To-Site) VPN work with Active-Active GW

      For running Production workloads in Azure we find that having a HA solution is important, and therefore using an Active-Active VPN GW is a must for us. Though we would also like to still use App Services linked to our custom vNet. At the moment this seems to not be possible as P2S VPN is not supported with a Active-Active GW.

      Therefore please make it compatible so we can connect App Services to our custom vNet and be able to communicate with onprem resources.

      21 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Point to Site VPN Logs/History

      It would be helpful to be able to see a history of point-to-site VPN connections and associated dates and times. This would be helpful in troubleshooting connectivity issues for our remote users.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Get Point-to-Site VPN status by Azure CLI

      I want to get health status of Point-to-Site VPN by Azure CLI.
      I can get this status by Azure portal, but Azure CLI can not.

      If I use Azure CLI command without debug, this status can not get.
      But if I use Auzre CLI with debug option, I can get this status.

      This coomand can get P2S status.
      ex) az network vnet-gateway show --resource-group RG --name VPNGW --debug

      I hope improving this issue.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. Create a windows service on the client to insert route tables for P2S client

      Please improve the p2s client so that a windows service with admin rights will insert the route tables. We could then deploy this without the user requiring admin rights.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. To have the possibility to set radius timeout on the VPN gateway point to site confguration

      When using the new radius authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the radius server. This would make the usage of Azure MFA for VPN authentication possible. (IT works now if users are very fast at answering the phone)

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Ability to specify two RADIUS servers

      Ability to specify two or more radius servers in the P2S config for Azure VPN. Round robin by default if one fails.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Migration of VPN Gateway from old to new SKUs

      Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

      61 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

      Thanks,
      Yushun [MSFT]

    20. P2S IP address leasing

      Currently our P2S model uses a predefined address space, and then VPN clients are assigned an address out of that pool.

      This is pretty standard.

      What I would like to see is an option to apply lease times to those IP addresses, the same way DHCP normally functions. The reason being most of our VPN connectors are cellular dial-in clients, and they suffer brief disconnects.

      Each time they disconnect and reconnect they receive a new IP address, and we have a service running that then has to re-establish where the client's listener port is, and do a bunch of housekeeping…

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base