Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Provide certificate-based authentication for S2S VPN

      Can you describe the technical reason why you decide not to offer this option when creating a s2s vpn and you offer only the phase1 pre-shared key method? The communications in Madrid HC Region are administered by Cesus and they follow directives from the Security Group of Madrid Digital (former ICM). In their form to require a s2s vpn only cert based is accepted for ipsec tunnels and without a clear technical reason it is almost impossible to negotiate an exception to shift to pre-shared key based phase 1 vpn

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for the suggestion. The key reasons for not offering cert-based IKE authentication is due to the additional compliance requirements and validations related to handling certificates. As a result, this is currently not on the roadmap.

      If certificate-based authentication is a requirement, currently customers will need to leverage a VPN appliances available from Azure Marketplace.

      Thanks,
      Yushun [MSFT]

    2. We need a way to Monitor the S2S VPN

      We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but its not Supported for Policy Based VPN.

      From SCOM also there is no information how to Monitor Azure S2S VPN

      Can some suggest

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but

      We need a way to Monitor the S2S VPN Policy Based Its Health & If Connection Breaks we should get notify I checked Network Watcher but its not Supported for Policy Based VPN.

      From SCOM also there is no information how to Monitor Azure S2S VPN

      Can some suggest

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Allow special chartacters in the pre-shared key for IPSec VPN tunnels

      Allow special chartacters in the pre-shared key for IPSec VPN tunnels

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. Point-to-site VPN authentication support for Azure AD

      Instead of only requiring on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

      243 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Support CIDR in Point to Site Networking (RFC1918 bug)

      Azure forces clients to have a class A default route when using 10.x.x.x as their internal network. This should reflect the subnet mask illustrated in the portal

      More information:

      http://serverfault.com/q/818383/51457

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Gateway upgrade notification

      As per my understanding Azure does notify the customer on few of the events like a storage maintenance or a VM maintenance, etc but the gateway is not in the list as of now.

      It would have been nice if Azure notified the stakeholders before such a gateway upgrade was due to occur in advance. Alternatively if that wasn’t possible, then at the very least the stakeholders should be notified that their Site2Site VPN tunnel is down post upgrade.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for your feedback. Alerting for gateway connectivity is a common ask, so it is on our roadmap.
      As of now, you can check connection status of your tunnel via the PowerShell cmdlet Get-AzureRmVirtualNetworkGatewayConnection.

      Thanks,
      Bridget [MSFT]

    8. Allow Static Public IP's on Virtual Network Gateways

      Static Public IP's cannot be used with Virtual Network Gateways. This can potentially be very problematic if a Virtual Network Gateway ever needs to be re-created or re-provisioned.

      Example: what if we have 30 separate tunnels to a Virtual Network Gateway and it needs to be re-created or re-provisioned? This would result in a new Public IP being provisioned (takes about 30-40 minutes - of downtime!) which would require 30 remote VPN Administrators to be engaged to rebuild their side of the tunnel. This could be easily resolved by allowing Static Public IP's to be associated with Virtual Network Gateways.

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. provide troubleshooting features to VPN gateways

      Until Microsoft improves the Azure VPN technology, it would be good and sometimes necessary to provide some VPN troubleshooting tools on the Azure side. The local side logs sometimes are not enough and it gets very difficult to understand the reason of tunnel outages. This feature will also be definitely useful once the Azure VPN technology will be completely stable and reliable, in order to analyse traffic and build monitoring based on it.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. Set up a VPN device script Link as present in the Classic Portal

      I was setting up the Site to Site in New portal and found the link to download the VPN script wasn't present as in Classic portal. It would be good we have that link in new portal so that we can share that Network admins to setup site-site Connection with on-premise and Azure Vnet

      29 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. 52 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. provide diagnostic ability in Azure Resource Manager VPN tunnels

      The PowerShell command that is used in the classic "ASM" VPN troubleshooting is not compatible with the new Azure Resource Manager VPN tunnels. This makes it very difficult to troubleshoot VPN problems.

      The newest Azure PowerShell doesn't provide any start-azureRMvirtualnetworkgatewaydiagnostics like the old azure services manager did.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Improve VPN gateways performances and limits

      Using VPN to connect sites to Azure is great. But we are rapidly hitting the gateways limits:
      - One gateway per VNet
      - A max of 30 Tunnels per gateway (10 and 20 for standard)
      - A max of 200 Mb/s per gateway (shared by all VPNs)

      Today, not all regions and customers can afford 'ExpressRoute' to get more bandwidth and scalability. So why this 'very limited' options.

      77 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Allow Multiple VNETs in a Gateway

      It would be great to be able to have three (or more) regions participating in a VNET. Currently you can deploy a multi-region, multi-subnet architecture using VNETs and their gateways by pointing them at one another with site-to-site. However, if you want to add a third region into that mix, it's not possible with the way Azure infrastructure is right now.

      The use case is AlwaysOn Availability Groups. Right now, I could, say, have East US and West US creating a geographically dispersed solution. However, when it comes to where to put the file share witness, it has to go…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Manually Assign GatewaySubnet and better field validation

      I want to be able to assign my GatewaySubnet, not have the system pick the next available subnet and crash everytime I try to change it!

      The only way I could get it to use the Subnet I wanted as the gateway was to create 63 other subnets so there was only one that was not in use.

      It also failed to create any virtual network with an Ampersand "&" in the Network name, even though it came up with a green tick next to the name when I tried to create it.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. Use P2S VPN connection as default gateway (like standard VPN)

      P2S connection is working fine and I can access VMs on VNET.

      It would good to have feature if you enable [Use default gateway on remote network] that you can browse internet and it looks like you are coming from Azure network if you visit some site.
      Something like proxpn, purevpn and similar services.

      108 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi,

      This suggestion has two parts:

      1. Use default route or forced tunneling on P2S client rather than split tunneling
      2. Enable Azure VPN gateway as an forward proxy to the Internet

      At this point, these will be considered as long term roadmap items.

      Thanks,
      Yushun [MSFT]

    17. 16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Stop/Start Virtual Network Gateway - to don't pay when it not in use

      There are two charges related to the Azure VPN service: the compute resource charge at $0.05/hour, and the egress data volume charge. Both are based on resource consumption, Unfortunately, even if the VPN tunnels are not connected, the gateway compute resource is still being consumed and will cost ~$38 monthly!

      This is not really "Pay only for what you use".

      Need functionality to “STOP” (and of course "START") a gateway if the customer is certain that the gateway will not be in use.

      1,908 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      108 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Provide multi-factor authentication capabilities in VPN client

      The ask is pretty self-explanatory.

      We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.

      Today, the VPN client only requires having the cert to gain access the Azure Network. As the cert can easily end up in the hands of someone who shouldn't have access to it...it's not very secure.

      For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.

      261 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      14 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. 191 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    1 2 3 5 Next →
    • Don't see your idea?

    Feedback and Knowledge Base