Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Application Gateway V2 support of UDR

      Deploying a Application Gateway in a subnet with an UDR is needed in enterprise networks. For example if you advertise the default route from a ExpressRoute connection,.

      175 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    2. Application gateway V2 subnet to support UDR

      We need to support UDR association with Appgw V2 subnet, since as of now it's not yet support while Appgw V1 does support. Please add this feature.

      50 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. TLS 1.3 and HSTS Support for Azure Application Gateway

      This is about a feature request for an Azure Application Gateway to support TLS 1.3 and HSTS.
      At least HSTS is just a secure header which should be trivial to implement.
      I`m looking forward to a feedback.

      30 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    4. App GW with load balance should use single internal IP for single session

      App GW with auto-scaling enabled have Multiple internal IP for communicating hosted web service. The worst part is its communicating same session from client with Multiple IP internally because of load balance it has multiple machine for APP GW.

      e.g

      https://groups.google.com/forum/#!msg/pwm-general/miljylSaFjA/1qqhNS7lQgAJ;context-place=msg/pwm-general/za94hdmqPL4/tafnzLq5yUIJ

      We are using application with which
      NSG/IP restriction cannot be used because application is designed in such way it doesn’t allow same session from multiple IPs for security purposes and if we white list backend IP doesn’t makes sense because they always will be same from backend pools.
      Let’s suppose during some session of user some attacker hooks…

      43 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    5. Content Compression and Response Caching in App Gateway

      I'd like to see a feature in Application Gateway that allows configuring Content Compression and Response Caching per backend rule. This would be similar to, for example, what Nginx supports through "proxy_cache", "proxy_cache_valid" and "proxy_cache_path" directives.

      64 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Add functionality to Application Gateway for routing based on HTTP headers

      The ability to route traffic to backend pools depending on HTTP headers would be much appreciated. At the moment the only way to do this is with a function app.

      32 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. mutual TLS authentication on Application Gateway

      To verify authenticity of client sending traffic to Application Gateway, its required to have mutual TLS authentication.
      For use cases such as : Using a 3rd party caching or WAF tier like Akamai send traffic to AG, we would require mutual TLS.

      Currently we could limit source by IPs by putting an NSG rule. But cryptographic identity verification is the correct approach. Towards this I would like to request Mutual TLS.

      31 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Pure internal standard_v2 application gateway

      Currently standard_v2 application gateway must have a public IP to work. Please make it be able to work only with private IP address. This capability is available in standard sku but not in standard_v2.

      80 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Remove NSG validation from App Gateway V2 deployment

      This is more of a bug report than an idea.
      I tried deploying new WAF_V2 app gateway through ARM templates. My gateway subnet has a hardened NSG applied.
      Validation is applied to check whether certain traffic is blocked to the gateway. I have many problems with this:

      1) The validation is never satisfied with my rules. It will only be satisfied when I have my entire VNET way too open.
      I am refering to this error message when deploying:
      "Network security group <NSG_ID> blocks incoming internet traffic on ports 65200 - 65535 to subnet <SUBNET_ID>, associated with Application Gateway <GATEWAY_ID>.…

      36 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. Application Gateway (WAF) - document how to get firewall logs

      Please create documentation about how to retrieve Azure App GW firewall log.

      Microsoft does not mention a word about this. - Correct me if I'm wrong. Finally I found a solution on third party (!!!) site: http://francescomolfese.it/en/2018/07/azure-application-gateway-come-monitorarlo-con-log-analytics/.

      Application GW produces these types of logs:
      1. ApplicationGatewayAccessLog
      2. ApplicationGatewayPerformanceLog
      3. ApplicationGatewayFirewallLog – the most important one as it contains logs about security operations (reasons for blocking connections, etc...)

      To retrieve these logs (or at least first 2 of the 3 mentioned above), you have to do this:
      o Go to Log Analytics workspaces in Azure portal --> create or choose…

      49 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Support for header content size configuration

      After many issues we run into an unsolvable 502 Bad Gateway error, simular to https://stackoverflow.com/questions/48964429/net-core-behind-nginx-returns-502-bad-gateway-after-authentication-by-identitys where the content size is too large in sign-oidc for open id connect post.

      Please add support to edit the values that end up into nginx.conf

      For now we cannot use the Application Gateway and looking into Cloudflare or Nginx Plus with WAF.

      83 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. downgrade attack prevention - TLS_FALLBACK_SCSV

      Downgrade attack prevention should be a necessary addition to the Azure Application Gateway.

      All security audits (SSL Labs among others) show this to be a necessary security measure and as such they all downgrade your security compliance if you dont have it.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Application Gateway frontend PublicIP should allow a Reverse FQDN

      Currently Application Gateways can have Public IPs with a DNS label, however modifying the Public IP adding an FQDN via:

      $pip.DnsSettings.ReverseFqdn = "<my.domain.com>"

      is currently not allowed. This is a request to allow Reverse FQDNs for Application Gateway frontend Public IPs.

      -Chris Jackson

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    14. Allow IP range whitelist for Application Gateway WAF IPS/IDS

      We have a range of web apps behind an Application Gateway (WAF in IPS mode) that need to be scanned on at least monthly basis for PCI compliance. We need to be able to whitelist the range of the scanners used by Qualys otherwise we get a FAIL for "Possible Scan Interference".

      Threat:
      Possible scan interference detected.

      A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
      The PCI ASV is required to post fail if scan interference is detected.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Monitor Application Gateway Load

      Provide a way to monitor Application Gateway CPU/Memory in order to track load. It's hard to know only based on current access/http errors when the WAF is under heavy preasure and we need to scale it up.

      144 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      There is no plan currently to offer these system level metrics for Application Gateway Standard (V1). However, we are planning to offer more observability with our new Autoscaling version (V2) of Application Gateway/WAF. We already offer Capacity Units as a metric which gives you a sense of the traffic load on your Application Gateway. More are planned for V2. Please send in your specific feedback via https://aka.ms/ApplicationGatewayCohort

    16. Azure Application Gateway CPU Utilization Metric

      The Application Gateway offering provides quite a few useful metrics, but lacks some core performance metrics. Please, at a minimum, provide a metric and alert for CPU utilization of the instances behind an Application Gateway. When CPU utilization is not monitored at this level, it can affect the performance of dependent applications.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Reduce price for V2 SKUs

      Reduce price for V2 SKUs to make them more affordable for small workload projects

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. "Azure Managed" SSL certificates for Application gateway for SSL offloading

      Please add the ability to use a Azure managed certificate for the application gateway for the use of SSL offloading. This feature would be nice so that we would not have to manage the certificate and it would auto update instead of us having to keep the certificate up to date.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Application gateway support multi-site listening on Private and Public Frontend IPs

      Currently the web application firewall can be configured with multiple Frontend IPs, such as Public & Private. However, multi-site listeners cannot be configured on standard web ports (80 & 443) on both frontend IPs. No port overlap is allowed. User must decide which of the two frontend IPs gets to listen on standard web ports, and the other must be configured on alternate ports. This is not usable for non-technical end users, and many of us require both public and private frontend IPs to support internal-only sites (such as a company intranet) in addition to customer-facing ones.

      50 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Azure WAF v2 is not recognized by Azure Security Center as security solution and it has not mentioned anywhere.

      Azure WAF v2 is not recognized by Azure Security Center as a security solution and it has not mentioned anywhere. The details that are provided is not enough to understand that it is not being recognized as below.

      Partner solution name: Application Gateway

      Type: Saas-based Web Application Firewall
      Integration mode: Semi-automatically provisioned
      Status : Not reported

      Status has never been reported to Azure Security Center. Usually this means that this security solution isn't configured yet. It is recommended you login to the security solution management console to finalize the initial configuration

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 8 9
    • Don't see your idea?

    Feedback and Knowledge Base