Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. To improve portal user experience for Application Gateway configuration

      Application Gateway is a combination of backend pool, backend HTTP settings, listeners, custom probes and rules. Most of the time, to make changes, it is necessary to update more than one of the above-mentioned settings (pool, HTTP setting, listeners, rules). Each setting is placed on a different UI blade, and it takes nearly 3 - 10 mins for a single setting change to be reflected.

      Feedback: Make a wizard-style interaction that allows specifying all desired setting changes at once, then applies these changes in a single shot behind the scenes.

      5 votes
      0 comments  ·  Application Gateway
      • WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes

        The tx.high_risk_country_codes and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any effect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.

        As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.

        17 votes
        • Tell the user which objects prevent an object from being deleted

          I wanted to delete a Virtual Network and it kept telling me that it was in use and that I should come back later if I just deleted an object that used this Network.
          However, the actual reason was that the Virtual Network still had a Gateway configured. As this gateway only shows up inside the Virtual Network and not on "All Resources", I wasted hours to figure out why I couldn't delete the network.

          Suggestion:
          If I can't delete an object because it is in use or has children, give me a list of those objects that prevent the…

          3 votes
          0 comments  ·  Virtual Networks (VNET)
          • Allow multiple hostnames in the same Listener Application Gateway

            Sometimes we share different hostnames with the same web site.
            Currently, this means that we have to deploy different listeners in order to provide access to the same backend pool.

            With a 20 listeners limit this solution is a bit expensive...

            Would it be possible to add multiple hostnames/sitenames to listener?

            Thanks in advance

            3 votes
            0 comments  ·  Application Gateway
            • To have the possibility to set RADIUS timeout on the VPN gateway point-to-site configuration

              When using the new RADIUS authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the RADIUS server. This would make the usage of Azure MFA for VPN authentication possible. (It works now if users are very fast at answering the phone.)

              1 vote
              • Add "Subscription" tag in the NSG rules

                Story:
                As a DevOps engineer
                I want to easily block network access within a subscription with a single NSG rule (for specific resources using that rule)
                So that I don't have to manage multiple NSG rules.

                Background:
                We would like to ring-fence our subscriptions, so that one (e.g. Production) cannot "talk" to another one (e.g. Non-production).

                We can currently achieve it with multiple NSG rules, where we allow/block IP ranges or vnets.

                It would be much easier to manage this for our purpose if we could add a "subscription" tag in the NSG rules and effectively only allow traffic…

                1 vote
                • Change some config on load balancer it takes more than 3 minutes to take effect on it after I saw the succeed returned result on portal.

                  This is a customer's comment:
                  When changing some config on load balancer it takes more than 3 minutes to take effect on it after I saw the succeed returned result on portal. So the message shown on the portal is not the real-time status of the config taking effect.

                  1 vote
                  0 comments  ·  Load Balancing
                  • On Azure portal, under Load balancer, the statement of floating IP should be updated.

                    Recently I took a case where the customer complained about this. On Azure portal, under Load balancer, the statement of floating IP says "We recommend using this feature only when configuring a SQL Always" and needs to be updated.
                    The statement needs to be updated as follows :
                    We recommend using this feature only when configuring a SQL AlwaysOn Availability Group Listener and SQL Failover Clustered Instance (FCI) IP Address.

                    The current statement appears to be old and was true before we started supporting SQL FCI on Azure. You can see the details here
                    https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-create-failover-cluster

                    1 vote
                    0 comments  ·  Load Balancing
                    • Support for IKEv2 VPN clients to connect to an Azure based RRAS server (Allow ESP traffic through NSG)

                      Currently, Network Security Groups only support rules for TCP and UDP traffic. This request is for the addition of rules for ESP traffic which is required for IKEv2 clients to connect to an RRAS server running on Azure.
                      We use ExpressRoute; Point-to-Site is not an option as they cannot coexist. We currently use SSTP for our clients to connect but lack the resiliency that comes with an IKEv2 connection.

                      Alternatively, support for Expressroute/Point-to-Site coexistence would also satisfy our requirement and eliminate the need to maintain an RRAS server in Azure.

                      3 votes
                      • Accept a list of allowed ports separated by comma in network security group

                        Please allow the ability to specify a list of non-continuous ports for inbound and outbound rules on network security groups. Currently adding several non-continuous ports to allow specific subnets requires one rule for each combination of port and subnet.

                        13 votes
                        • Allow granular access control to manage NSG rules.

                          Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]

                          1 vote
                          • Introduce managed SSL for Microsoft Azure

                            This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.

                            3 votes
                            • Application Gateway WAF support EV certificates

                              Application Gateway WAF does not support EV certificates

                              7 votes
                              0 comments  ·  Application Gateway
                              • Route Tables attached to NIC

                                I love using Route tables attached to the Subnet under the Virtual Network. Could we have a Route table attached to a NIC as well?

                                1 vote
                                0 comments  ·  Virtual Networks (VNET)
                                • Application Gateway instances support weak TLS cipher

                                  We are using Azure App Services behind an Application Gateway WAF with end-to-end SSL.

                                  The Azure App Services no longer support this weak TLS 1.0, 1.1, 1.2 cipher:
                                  TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

                                  If you pen test a site behind an Application Gateway, the instances will still support this weak cipher.

                                  Here's the link of the Azure App Services removing that cipher.

                                  https://social.msdn.microsoft.com/Forums/azure/en-US/6530d35a-9321-4e61-a496-39b66c63a1a0/we-are-updating-our-tlsssl-cipher-suites-to-improve-security?forum=windowsazurewebsitespreview

                                  14 votes
                                  0 comments  ·  Application Gateway
                                  • Adding multiple NSGs to a NIC

                                    I have several virtual machines in several different subnets that need to apply a certain set of network security rules. But for each VM there are also their own unique rules. I would like to be able to set multiple NSG for the NIC of each virtual machine. I do not want to copy common rules to each NSG.

                                    4 votes
                                    0 comments
                                    • Add MTOM support to the Microsoft WAF

                                      We currently have a use case for utilizing MTOM to more efficiently transmit binary data in a SOAP-based service.

                                      We are also trying to place the application behind a Microsoft WAF in Azure, but are unable to do so with the WAF in prevention mode as the WAF does not currently support/allow MTOM requests.

                                      We reached out to Azure support and were told that:

                                      "MTOM is not supported and it's not yet on implementations plans".

                                      We are requesting that the Microsoft WAF team add support for making MTOM calls to a service that go through the WAF.

                                      9 votes
                                      0 comments  ·  Application Gateway
                                      • Add Azure and AWS IP ranges to easily restrict traffic without using PowerShell

                                        Currently adding Azure or AWS IP addresses needs to be done by PowerShell commands, and they also need to be updated every time an IP address changes. People need this to be easily configurable.

                                        4 votes
                                        0 comments  ·  IP addresses
                                        • Internal vNet endpoints for SQL Databases and Storage Devices to allow private accessible only via Expressroute Gateway

                                          To justify using Expressroute to "securely" extend the corporate LAN/WAN infrastructure to the cloud.

                                          Create Internal vNet Endpoints for SQL Databases and Storage Devices to allow private accessible only via Expressroute Gateway.

                                          Needed to secure sensitive PII, HIPAA, and Company Confidential Databases and storage devices

                                          1 vote
                                          0 comments
                                          • Not to convert the service for famous port number when configuring the NSG rule

                                            Currently when creating a new NSG rule in portal or PowerShell with a famous port number as the service, the service will be converted to the pre-defined one even if I choose custom service. I want that the service remains to be the custom one.

                                            3 votes
                                            0 comments