Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Allow Internal Load Balancer Internet Access

      In an Internal Azure Load Balancer {Standard SKU}, VMs within the Load Balancer do not have internet access except:
      1) If they have a public IP address
      2) If they are part of a public Load Balancer
      3) If they have load balancer rules statically configured.

      There are instances that VMs may need access to the internet as 'internal' servers may need internet access.

      I think there should be an option for "Allow VMs in this Internal LB to access the internet" on the internal load balancer. This would allow security checks for public certificate validation or other tests that…

      12 votes
      2 comments  ·  Load Balancer
    2. Send FIN after probe confirms healthy

      The current behaviour of the four way handshake of the health probe is to not send the FIN until the next probe is due.

      The FIN should be sent as soon as the health has been confirmed.

      For example:
      We've got an Azure Load Balancer running over a RabbitMQ cluster with a health probe set to check port 5672 every 60 seconds.

      A packet capture shows the following:


      1. Load balancer SYN

      2. RabbitMQ ACK

      3. Load Balancer ACK

      4. 10 seconds later RabbitMQ RST

      5. Another 50 seconds later Load Balancer FIN

      Azure load balancer documentation declares that it does a four way handshake…

      3 votes
      1 comment  ·  Load Balancer

      Thank you for the feedback. We don’t have any near term plans to change probe behavior.

      A possible workaround may be to use an HTTP endpoint and configure an HTTP probe or increase the RabbitMQ timeout.

      Or you can instead substitute Azure Service Bus which also supports AMQP.
      — Christian

    3. Azure standard loadbalancer - force all UDP traffic bidirectionally back over the LB

      Currently a single specific session with the same source and destination port on UDP will be routed correctly. But when the system behind the loadbalancer starts creating multiple sessions with the same destination port but different source ports (Random) it will be routed directly back bypassing the loadbalancer fully. This breaks functionality for certain UDP based designs....

      Please make it possible to route the traffic always via the loadbalancer

      6 votes
      0 comments  ·  Load Balancer
    4. standard internal loadbalancer

      Access to public address does not work for standard internal loadbalancer (according to MS by design). In order to be able to access public resources a public IP needs to be assigned.
      However there are cases where public IP should not be assigned to allow only private traffic. There are two services which however require (via UDR) access to public.
      Reaching the KMS license server (Windows) and Redhat repositories (for both the recommendation is to use UDR).
      So access to those services is not possible once you do a standard internal loadbalancer and your policy prohibits use of public IP. …

      1 vote
      0 comments  ·  Load Balancer
    5. Provide rapid failover away from unhealthy and/or removed VMs from the Load Balancer backend pool

      Presently, the Standard SKU Load Balancer takes up to several minutes to stop sending traffic to backend VMs which have been identified as unhealthy by Health probes and/or have been manually removed from a backend pool through a configuration change.

      This delay prevents using the Load Balancer as an SLA/availability solution and is counter-intuitive. A preferable design would be to immediately cease sending any additional traffic to an unhealthy VM once it has been marked as unhealthy (unless it is the only VM in the backend pool.)

      6 votes
      0 comments  ·  Load Balancer
    6. Azure SLB: suggestion for display of frontend ip addresses

      On the portal, we can see public IP address which is assigned to each VM in "overview" of VM resource.
      If VM is bound to loadbalancing rule or inbound NAT rule of SLB, SLB's frontend IP address is displayed in "Public IP address" field.

      However, even if SLB has multiple frontend addresses, not all public addresses are displayed, but only a single public address is displayed in this field. Sometimes it confuses operators. Please consider modifying this like below:


      • not to display any frontend IP address of SLB in "Public IP address" field
        or

      • display all frontend IP…
      0 votes
      declined  ·  0 comments  ·  Load Balancer
    7. Allow Basic Port Forwarding With Network Load Balancer for all Services

      Azure Network Load Balancer should support basic port forwarding, many customers have firewall rules that block PaaS Services. Today you can create a port forwarder with NLB, but only to its supported endpoints. Ideally you could forward to any Azure hostname or IP address.

      3 votes
      0 comments  ·  Load Balancer
    8. Tcpdump and TCP session stats on Azure Standard LB

      Currently, there are bare minimum stats available for TCP sessions on Azure Standard LB. Can you add more traffic flow stats showing the client IP address hitting Azure LB?
      Secondly, tcpdump is the basic tool for operational troubleshooting.

      6 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. Load Balancer is a pass through network load balancer and does not terminate connections. The handshake is directly between the client and the application on a VM.

      You can use Network Watcher to initiate packet captures.
      — Christian

    9. Test alert for diag log.

      I want to confirm whether LB can send diagnostic log to the storage account but I couldn't happen to put any logs intentionally. So I hope we can use test alert for diagnostic log.

      3 votes
      1 comment  ·  Load Balancer
    10. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      3 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
      — Christian

    11. Standard load balancer - last rule warning

      I just caused an outage, because I deleted the last rule of the standard frontend load balancer in front of the firewalls.
      The root cause is clear based on the documentation:
      "The Load Balancer resource must be configured with a load balancer rule to create a link between the public IP frontend with the backend pool."
      That means, I am forced to have a rule, regardless whether it is nonsense like some random high port, in order to enable the backend VMs to connect to internet. So even I do not want to have a connection from internet, I still…

      1 vote
      0 comments  ·  Load Balancer
    12. Test alert for LoadBalancerAlertEvent.

      I can't confirm whether ALB can put diagnostic logs to a storage account. I hope we will be able to put test alert in future.

      3 votes
      0 comments  ·  Load Balancer
    13. Support Proxy Protocol

      The current Azure Load Balancer implementation does not support the Proxy Protocol as AWS does (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html).

      This makes implementing Openshift on Azure troublesome as the real client IP is not available to backends (https://docs.openshift.com/container-platform/3.9/installconfig/router/proxyprotocol.html).

      The proxy protocol allows pass through of real client IPs to the backend application for TCP load balancer setups. This may be particularly important for Openshift deployments or alike, where the certificate management should be done in the PaaS platform (on the router) and not on the ELB.

      Right now the Openshift template from MS (https://github.com/Microsoft/openshift-origin) uses TCP…

      3 votes
      4 comments  ·  Load Balancer

      Thank you for your feedback.

      Azure Load Balancer does not terminate connections, it is not a proxy, and does always preserve the source IP address of the inbound flow.

      We don’t provide logging from the Load Balancer resource itself, but you can use NSG flow logs to retrieve flow information as needed.

    14. Internal load balancer Log Analytics

      Log analytics currently works only for Internet facing load balancers.
      We need this very urgent for our Internal facing load balancers!

      90 votes
      5 comments  ·  Load Balancer

      Thank you for the feedback. Please use Standard internal LB which provides multi-dimensional metrics in Azure Monitor.

      “Request logs” is not something that can be provided. The service is a pass through network load balancer and the handshake is between the client and the VM’s application directly. You can use NSG flow logs in Network Watcher to generate flow records for any VM’s traffic, including that which traverses the Load Balancer resource. This is described here: docs.microsoft.com/en-us/azure/network-watc..

      — Christian

    15. Allow the load balancer to support Azure databases as a backend pool

      It would be great if, in addition to Availability Sets and VMs, the various databases from Azure (MySQL, and PostgreSQL) could be part of a back end pool.

      2 votes
      0 comments  ·  Load Balancer
    16. Load Balancing on Linux servers - net.ipv4.tcp_tw_recycle & reuse settings

      Currently you don't allow net.ipv4.tcp_tw_recycle, net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_timestamps to be set to 1. You require them to be set to default 0. For our MapR performance improvements, we are required to set them to 1 - which prevents the wait time for the socket to become available and reuses existing.

      It will be nice if you could allow us to use the Load Balancer even when we set the reuse and recycle flag to 1.

      20 votes
      1 comment  ·  Load Balancer
    17. response substring matcher in load balancer

      Support the common load balancer feature of matching a substring in probe responses as well as checking response codes. For one or both of Azure LB or Application Gateway products.

      This permits simple and dynamic switching of servers between load balancer pools (eg: live and staging pools, or dedicated and public pools) by updating a health check page without reconfiguration and/or restarts.

      1 vote
      2 comments  ·  Load Balancer
    18. Load Balancer support for on-premise VMs

      When on-premise is connected to Azure, I would like to use the Azure Load Balancer to direct traffic to on-premise VMs and replace my on-premise load balancer which is near end of life. Next step would be to migrate on-premise VM to Azure, but that requires much more work in my IaaS scenario.

      5 votes
      2 comments  ·  Load Balancer
    19. How to configure SSL on Azure LoadBalancer

      Hi,

      We have configured 2 Windows resources and it has Apache server. Now we have enabled Load balancer for these 2 instances and it's working fine.

      I need to configure SSL for the load balancer. Pls share the steps/guide to configure SSL on Azure load balancer.

      1 vote
      0 comments  ·  Load Balancer
    20. reserved custom public IP range - bring my own public IPs to azure datacenter

      I want to move parts of my on-premise data center to Azure. It's used to host a service for my customers. Therefore I have a public IP range. So my customers already have implemented a security setting to allow traffic to my public IP range and my public services.

      When I will migrate to Azure data center, then I have no option to take the public IP range with me. This means I have to inform all my customers about my move to Azure and have to wait until all customers have implemented the new IP setting.

      In Azure I can use reserved…

      12 votes
      8 comments  ·  Load Balancer