Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    • Add "Subscription" tag in the NSG rules

      Story:
      As a DevOps engineer
      I want to easily block network access within a subscription with a single NSG rule (for specific resources using that rule)
      So that I don't have to manage multiple NSG rules.

      Background:
      We would like to ring-fence our subscriptions, so that one (e.g. Production) cannot "talk" to another one (e.g. Non-production).

      We can currently achieve it with multiple NSG rules, where we allow/block IP ranges or vnets.

      It would be much easier to manage this for our purpose if we could add a "subscription" tag in the NSG rules and effectively only allow traffic…

      1 vote
      • On Azure portal, under Load balancer, the statement of floating IP should be updated.

        Recently I took a case; the customer complained about this. On the Azure portal, under Load balancer, the statement of floating IP says "We recommend using this feature only when configuring a SQL Always" and needs to be updated.
        The statement needs to be updated as follows :
        We recommend using this feature only when configuring a SQL AlwaysOn Availability Group Listener and SQL Failover Clustered Instance (FCI) IP Address.

        The current statement appears to be old and was true before we started supporting SQL FCI on Azure. You can see the details here
        https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-create-failover-cluster

        1 vote
        0 comments  ·  Load Balancing
        • allow granular access control to manage NSG rules.

          Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]

          1 vote
          • Introduce managed SSL for Microsoft Azure

            This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.

            3 votes
            • Internal vNet endpoints for SQL Databases and Storage Devices to allow private access only via ExpressRoute Gateway

              To justify using ExpressRoute to "securely" extend the corporate LAN/WAN infrastructure to the cloud.

              Create Internal vNet Endpoints for SQL Databases and Storage Devices to allow private access only via ExpressRoute Gateway.

              Needed to secure sensitive PII, HIPAA, and Company Confidential Databases and storage devices.

              1 vote
              0 comments
              • WAF on Application Gateway have a function to allow some exceptional access for prevention mode

                It would be great if WAF on Application Gateway had a function to allow some exceptional access for prevention mode.

                Now, the Web Application Firewall feature would be available as part of Azure Application Gateway.

                Currently, WAF on Application Gateway seems to not have a function to exclude from blocking access by any condition.
                So, I would like to request to add this function for WAF on Application Gateway.

                62 votes
                1 comment  ·  Other
                • Traffic manager https

                  Why don't subdomains of trafficmanager.net automatically support https? Similar to azurewebsites.net.

                  3 votes
                  • BGP Peering IP modification on different subnet

                    Hey,
                    For business purposes, we wanna offer an idea of selecting the peering IP from a non-GW subnet while using Azure VPN BGP. This IP is currently allocated from the GW subnet, but we wanna change it to a specific IP. Let's say our address space range is 10.0.0.0/16, but our GW subnet is 10.0.0.0/24 and the peering IP is 10.0.0.254. One of the subnets is 10.13.100.70/28, and we wanna change the peering IP to 10.13.100.70, but this is impossible. Could we make some changes in the future?

                    1 vote
                    • Exclude networks in the default Tag "Virtual Network" which are defined in UDR

                      When we are using the default Tag "Virtual Network" in an NSG to make a rule for intra-VNET communication, the UDR networks are automatically included in the default Tag "Virtual Network". E.g. I have defined a UDR as route / network 0.0.0.0/0; it is included in the default Tag "Virtual Network", and then the Tag is useless for intra-VNET communication as it contains the network 0.0.0.0/0.

                      My Suggestion is to exclude the UDR from default Tag or allow us to make our own Tag. Also when we are creating NSG with multiple destination ip/networks from same source ip/network and…

                      1 vote
                      0 comments  ·  Virtual Networks (VNET)
                      • Provisioning server sets first NIC as primary NIC

                        Hi -
                        I run into a limitation if I want to add a NIC to an existing VM. The error code is that I have to assign a primary NIC before adding a secondary. My wish is that upon creation of a VM via the portal, the NIC associated with the VM is automatically created as primary. That way it is much easier to add additional NICs later. Thank you - Asger

                        3 votes
                        0 comments
                        • Add activity alert feature for DNS record add/delete/modify

                          Currently, activity alerts are available for DNS zones but not for records. Add an activity alert feature for DNS record add/delete/modify as well.

                          1 vote
                          • Predefined Access Rules for Every Region

                            Microsoft Azure should have predefined access rules for every region.
                            For example, if someone wants to block traffic for every region except only one, they should choose to allow the specific one and add a block rule for every other region.
                            That would be good for DDoS attacks.

                            3 votes
                            • add support of '--idle-timeout' for "az network lb rule update -g lwm2m6 --lb-name lblwm2m6 --idle-timeout 30 -n IPv6Tcp80_8080"

                              Want to configure '--idle-timeout':

                              az network lb rule update -g lwm2m6 --lb-name lblwm2m6 --idle-timeout 30 -n IPv6Tcp80_8080

                              1 vote
                              0 comments  ·  IPv6
                              • Add Support for Secondary DNS

                                Given events of late concerning DNS outages and DDoS attacks, it would be advantageous if we could configure custom NS records in Azure DNS to use Secondary DNS.

                                At the same time, support for AXFR records should be added to allow outbound zone transfers to be configured so that the Secondary DNS zone can be kept in sync automatically.

                                This would then allow us to point to a Secondary DNS service like BuddyNS or DNS Made Easy.

                                8 votes
                                0 comments
                                • network security group

                                  The portal says the NSG update succeeded, but usually it may take 1-2 mins until the rule takes effect.

                                  It will be better if the status is synchronized between the NSG portal and VM VFP applying.

                                  1 vote
                                  • ACLs for restricting access to ClearDB

                                    I have a cheap titan cleardb database. I'd like to make it only accessible from within Azure and perhaps from a fixed set of whitelisted IPs.

                                    3 votes
                                    • All Azure quotas should be exposed via API and portal. For example the number of frontend IP addresses allowed on an external load balancer

                                      All Azure quotas should be exposed via API and portal.
                                      For example, the number of frontend IP addresses permitted for an external load balancer is not exposed in the portal, via PowerShell or even API.
                                      This makes it easier to anticipate when nearing a configured quota.

                                      1 vote
                                      under review  ·  0 comments  ·  IP addresses
                                      • Wildcard mask support for NSGs

                                        It would be great if NSGs would support wildcard masks to deny/permit traffic in a more granular way, the way most network vendors do it.
                                        This would make it much easier to permit and deny traffic based on a subnet scheme.

                                        1 vote
                                        • Develop a tool that will import DNS zone files hosted at other providers like Route53

                                          Since many DNS providers do not allow you to export your zone files, create a utility that will harvest them in a format that could be used to import them into Azure DNS.

                                          1 vote
                                          • Add "LocalSubnet" and "GateWay" tags to NSG.

                                            Our subnet rules always have a "Deny All" rule with a priority of 4096 to override the default rule with priority 65000, which allows all VNET traffic. We want to allow all traffic within the same local subnet and all traffic from the Gateway subnet. It would be handy to have tags for these subnets without having to resort to CIDR ranges for each subnet.

                                            2 votes
                                            under review  ·  1 comment  ·  Application Gateway