Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Fix Virtual Network Gateway IKEv2 Security Logging

      Ok, so logging access to enterprise networks is a basic security control which we shouldn't be asking for in year 2018.

      If we deploy P2S/Virtual Network Gateway w/IKEv2/certificate authentication in its current state, we open our networks to the internet and have no idea who logs into it and from where. There are basically NO events logged for an authenticated user. In addition, the "Connection Count" doesn't increment. So If I have 100 users connect via IKEv2, Connection Count still shows 0.

      THIS IS A SIGNIFICANT SECURITY HOLE.

      Microsoft - this product shouldn't have been released, not in its current…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. VNET Gateway VPN Client should have easy way to refresh routes

      I noticed that you need to download the VPN client again if the peering changes on the VNETs associated with the gateway. Once the client has the routes you can tear down and recreate VNET peerings as often as you like. It would be nice to have an easy way to refresh the routes for your installed VPN client because I see customers wasting a lot of time trying to figure out why they can’t connect to vms. At least to have some warning to customers would be good when they configure vnet peering that they might have to reinstall…

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Matt,

      Thanks for the feedback. The status of this ask is a bit complicated – it’s partially working, but partially in progress:

      1. For existing SSTP P2S VPN, there is no solution but to download the VPN client package again.

      2. For IKEv2 P2S VPN, it works by P2S client reconnecting to the Azure VPN gateway. Once they connect again, they will get the new routes. This will apply to changes in VNet address spaces (including VNet peering), newly added S2S/VNet-to-VNet connections, or new routes learned via BGP.

      3. The caveat for (2) is that it currently works on Mac and Linux, but Windows require a KB/Update that will be released shortly.

      We will provide an update to this item once the Windows update is available.

      Thanks,
      Yushun [MSFT]

    3. Make P2S (Point-To-Site) VPN work with Active-Active GW

      For running Production workloads in Azure we find that having a HA solution is important, and therefore using an Active-Active VPN GW is a must for us. Though we would also like to still use App Services linked to our custom vNet. At the moment this seems to not be possible as P2S VPN is not supported with a Active-Active GW.

      Therefore please make it compatible so we can connect App Services to our custom vNet and be able to communicate with onprem resources.

      21 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Point to Site VPN Logs/History

      It would be helpful to be able to see a history of point-to-site VPN connections and associated dates and times. This would be helpful in troubleshooting connectivity issues for our remote users.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. Get Point-to-Site VPN status by Azure CLI

      I want to get health status of Point-to-Site VPN by Azure CLI.
      I can get this status by Azure portal, but Azure CLI can not.

      If I use Azure CLI command without debug, this status can not get.
      But if I use Auzre CLI with debug option, I can get this status.

      This coomand can get P2S status.
      ex) az network vnet-gateway show --resource-group RG --name VPNGW --debug

      I hope improving this issue.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Create a windows service on the client to insert route tables for P2S client

      Please improve the p2s client so that a windows service with admin rights will insert the route tables. We could then deploy this without the user requiring admin rights.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. To have the possibility to set radius timeout on the VPN gateway point to site confguration

      When using the new radius authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the radius server. This would make the usage of Azure MFA for VPN authentication possible. (IT works now if users are very fast at answering the phone)

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Ability to specify two RADIUS servers

      Ability to specify two or more radius servers in the P2S config for Azure VPN. Round robin by default if one fails.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Migration of VPN Gateway from old to new SKUs

      Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

      57 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

      Thanks,
      Yushun [MSFT]

    10. P2S IP address leasing

      Currently our P2S model uses a predefined address space, and then VPN clients are assigned an address out of that pool.

      This is pretty standard.

      What I would like to see is an option to apply lease times to those IP addresses, the same way DHCP normally functions. The reason being most of our VPN connectors are cellular dial-in clients, and they suffer brief disconnects.

      Each time they disconnect and reconnect they receive a new IP address, and we have a service running that then has to re-establish where the client's listener port is, and do a bunch of housekeeping…

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Add option to connect or disconnect vpn

      In ASM model, we have an option to connect or disconnect an vpn connection. Now in arm model if we need to disconnect a vpn we need to delete the connection and if we need to connect the vpn we need tonrecreate thw connection

      34 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. BGP Peering IP modification on different subnet

      Hey,
      For business purpose, we wanna offer an idea of selecting peering IP from non-GW subnet while using Azure VPN BGP. this IP was currnetly allocated from ge subnet. but we wanna change to specific IP . let's say our address space range is 10.0.0.0/16, but our GW subnet is 10.0.0.0/24, Peering IP is 10.0.0.254. but one of subnet is 10.13.100.70/28, we wanna change peering IP to 10.13.100.70. but this is impossible, could we make some changes in further?

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. configurable MTU

      I've seen several conflicting recommendations for IPSec tunnel MTU/MSS.

      First and foremost, publishing this (preferably inside the tunnel slice/pane) is a good first step, since it'd allow us to know definitively what we can do.

      Second, and more significantly, I'd like to be able to CHANGE it... preferably by increasing the size... it seems that every time I turn around, the MTU needs to shrink - I'd rather leverage jumbo frames to allow higher throughput.

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Scott,

      Thanks for the feedback – totally understand the pain points and confusion. There are a couple of constraints on the Azure side and also specifically with VPN. The key issue is this is for packets coming over the Internet which we can only assume total packet size of 1500 bytes max. Azure SDN platform performs additional encapsulation on the packets within our datacenter networks, so it will be subtracted from there.

      1. On the Azure VPN gateways, the recommendation is to set TCP MSS clamping to 1350; or if not possible for your device, then set MTU to 1400 bytes on the IPsec tunnel interface. We had updated/clarified the Azure documentation to call that out.

      2. Changing MTU currently is not possible from the Azure VPN gateways. We will take it into configuration, but it will not be possible in the short term due to the scale…

    14. Allow native VPN S2S from Azure to AWS

      Azure coexistence with AWS (and even GCP) is a very common scenario. Currently the only way to connect Azure and AWS is using a combination of Azure Virtual Network Gateway with a VM (Strongswan, OpenVPN, RRAS) deployed in AWS. We have no documentation around it, while Google provides VPN interoperability guidelines (here: https://cloud.google.com/compute/docs/vpn/interop-guides).

      This is complicated to manage when you add things such as High Availability and all the required configuration. Also, these manual configurations are never the most optmized.

      I understand we have a few different parameters vs. AWS and that's why Azure can't set up this S2S…

      127 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the suggestion – this will require the new Azure VPN gateway SKUs to add IKEv1 support. It’s under review but will be in the longer term roadmap. For the short term, please leverage virtual appliances from Azure Marketplace to facilitate this connectivity.

      Thanks,
      Yushun [MSFT]

    15. Provide certificate-based authentication for S2S VPN

      Can you describe the technical reason why you decide not to offer this option when creating a s2s vpn and you offer only the phase1 pre-shared key method? The communications in Madrid HC Region are administered by Cesus and they follow directives from the Security Group of Madrid Digital (former ICM). In their form to require a s2s vpn only cert based is accepted for ipsec tunnels and without a clear technical reason it is almost impossible to negotiate an exception to shift to pre-shared key based phase 1 vpn

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for the suggestion. The key reasons for not offering cert-based IKE authentication is due to the additional compliance requirements and validations related to handling certificates. As a result, this is currently not on the roadmap.

      If certificate-based authentication is a requirement, currently customers will need to leverage a VPN appliances available from Azure Marketplace.

      Thanks,
      Yushun [MSFT]

    16. We need a way to Monitor the S2S VPN

      We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but its not Supported for Policy Based VPN.

      From SCOM also there is no information how to Monitor Azure S2S VPN

      Can some suggest

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but

      We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but its not Supported for Policy Based VPN.

      From SCOM also there is no information how to Monitor Azure S2S VPN

      Can some suggest

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Allow special chartacters in the pre-shared key for IPSec VPN tunnels

      Allow special chartacters in the pre-shared key for IPSec VPN tunnels

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Point-to-site VPN authentication support for Azure AD

      Instead of only requiring on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

      204 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Support CIDR in Point to Site Networking (RFC1918 bug)

      Azure forces clients to have a class A default route when using 10.x.x.x as their internal network. This should reflect the subnet mask illustrated in the portal

      More information:

      http://serverfault.com/q/818383/51457

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base