Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
NSG Master Rule list
It should be possible to define the list of rules as a master list independent of NSG.
Once defined, one should be able to use the rules with any NSG from the defined list.
In most cases, we need to define the same rule again and again for different NSG.
It becomes very difficult to maintain rules. There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
Maybe while creating NSG, all rules in the group of master rule list should…
47 votes
Hi Subodh,
This is an interesting idea! NSG rule organization is something we’re currently discussing as part of potential custom service tag groups. There will be more information on this to come.
-Allegra [MSFT]
-
Ability to select multiple protocols for NSGs
Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.
For instance, 3389 requires both UDP and TCP. Instead of creating two separate rules, one could simply select both TCP and UDP in a single rule.
2 votes
Thanks for the feedback! We will review this idea and post an update on whether or not we’ll add it to our planning for the coming semester soon.
-Allegra [MSFT]
-
NSG/ASG management and monitoring
Add capability to modify and monitor NSGs and ASGs.
70 votes
Hi all,
We understand this is an important ask. NSG/ASG and general network management tools are something we are currently planning. Stay tuned!
-Allegra [MSFT]
-
have the ability to use more than one asg in an nsg rule (separated with , for example)
Let's say that I have 2 apps that I want to be able to access any endpoint.
APP A containing these servers: 10.0.0.1,10.0.0.2
and APP B: 10.0.0.4,10.0.05
My NSG rule will use: 10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
If I'm moving to work with ASG, I want the ability to add both app A and app B together in the same NSG rule. Will it be supported?
13 votes
Thanks for the feedback, we have this improvement on the roadmap, today you’ll need to create 2 individual rules to achieve the same goal.
We’ll incorporate the improvement on a future iteration.
-
allow KMS traffic in Azure Firewall
Azure Firewall currently blocks traffic to Azure KMS servers by default; this should be included in the built-in to not disrupt license validation.
20 votes
-
Replicate NSG to new region when using Azure Site Recovery
This is a really needed feature!
The benefit of having this is when setting up Azure Site Recovery, which replicates VNET and VMs to a different region, BUT there is no way to replicate NSGs! Manual work to replicate all security rules from one NSG in the source region to another NSG in the target region can take hours if there are 200+ security rules!
Please implement this.
Thanks
47 votes
-
NPS Extension for Azure MFA (IP Whitelist)
Can you also add in a feature whereby it allows us to add in a range of subnets instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?
126 votes
-
Add Application Security Groups from other Region to NSG
Would like to be able to select Application Security Groups from Remote regions in an NSG.
4 votes
Thanks for the feedback, we’ll evaluate for ASG roadmap.
The scope might change to NSG and ASG across regions since both are features tied to a specific region.
-
Add DNS names to NSG source/ destination options like we currently can with IP addresses and tags
Enable NSGs to use DNS names instead of only IP addresses, Tags and any. A lot of services have very dynamic IP addresses. Using DNS names would help a lot.
41 votes
[Sumeet M]: Thanks for your feedback. Currently we are focusing on Tags. We will review the suggestion in subsequent milestones.
-
add a source tag for Office 365 IPs to NSG Rules
Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.
Currently it is a nightmare to add all addresses for Exchange Online. We need an NSG policy for each address range :)
127 votes
We’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
We’ll be adding tags for additional Azure services over time.
-
Allow creation of NSG rules based on FQDN along with Ports
NSG gives the option to configure NSG rules with IP address and ports. In the same way, we need an option to configure Inbound/Outbound NSG rules based on the FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites, etc., because all these Azure services require their endpoints (FQDN) to be reachable from inside the VM.
615 votes
This remains on our long-term backlog as something we want to offer.
For now we recommend trying Azure Firewall as the preferred solution to control outbound to Internet.
-Mario [MSFT]
-
Add Custom Tags to NSG Rules
It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-addresses/subnets as a separate item in every NSG. When these ip-addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-addresses/subnets as 'Custom Tags' in our NSG's rules we don't have to check and change every NSG rule with every ip-address change.
448 votes
This remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Support enabling and disabling NSG rules
It would be nice if we could disable rules instead of having to delete them like other firewall products support :)
93 votes
Thanks for your feedback
We’ll review this feature to include it on our roadmap.
-
Rename NSG policy
Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again
80 votes
Thanks for your feedback, this feature is under review for future improvements
-
WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes
The tx.high_risk_country_codes and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any effect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.
As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.
28 votes
Thank you for your suggestion. We are reviewing it and will get back to you.
-
allow granular access control to manage NSG rules.
Because only a single NSG is allowed per resource (subnet or NIC) it would be nice to subdivide the rules into groups and allow different teams to manage the different groupings, all within the same NSG. This could allow a central team to implement some rules and an application team to implement some rules. For example, let us define groups by priority-range and then allow different access privileges to different groups. Team 1 can manage group 1 and 4 and team 2 can manage group 2. [Manage = add, modify, delete]
7 votes
Thanks Craig for the feedback, we are evaluating options to implement this capability on NSG, multiple roles with write permissions on the same resource it’s an interesting requirement we are looking to implement.
-
Add "Subscription" tag in the NSG rules
Story:
As a DevOps engineer
I want to easily block network access within a subscription with a single NSG rule (for specific resources using that rule)
So that I don't have to manage multiple NSG rules.
Background:
We would like to ring-fence our subscriptions, so that one (e.g. Production) cannot "talk" to another one (e.g. Non-production).
We can currently achieve it with multiple NSG rules, where we allow/block IP ranges or vnets.
It would be much easier to manage this for our purpose if we could add a "subscription" tag in the NSG rules and effectively only allow traffic…
4 votes
Thank you for your suggestion. We are reviewing it and will get back to you.
-
Network Security Groups - Windows Server Roles and Features Rules
Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles, e.g. Active Directory Domain Services, to add rules for SMB/LDAP/Kerberos to match the rules created/enabled by adding a Feature in Server Manager in Windows Server OSs?
11 votes
Thanks for the feedback, this is something we are evaluating, having a simplified version for common use cases, looking forward to improve our feature with your feedback.
-
Ability to group Network Security Groups
Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple.
Something like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/
11 votes
Hi Peter
Thanks for the feedback we are looking into NSG improvements like grouping for rules and VM/NICs
-
Copy NSG
I want to copy new NSG from the existing NSG's similar policy.
I don't want to keep making the same or similar to the NSG policy.
The NSG copy function is required.
110 votes
Hi Kimsejum
Thank you for sharing your idea, we’ll take this into consideration for future improvements