Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Service tags based on country/region assigned IP to implement Geoblocking At NSG LEVEL

      Service Tags for specific countries/regions (e.g. Middle East, India, South East Asia) that would contain the whole IP range for the selected country/region. This will help in geoblocking and reduce the rate of DDoS attacks.

      Azure/Microsoft can keep updating the list periodically.

      This will help in implementing geo-blocking at VM/server level, as currently the NSG source address prefix has a limitation of 4000 IP addresses/CIDRs (countries like India/UAE have more than 10000 CIDRs).

      75 votes
      0 comments  ·  Network Security Groups
    2. Add ability to use source type "IP group" in NSG rules

      A nice new Azure feature is the option to create an "IP group", and it would be nice if we were able to use these "IP group(s)" in our NSG rules.

      https://docs.microsoft.com/en-us/azure/firewall/ip-groups

      21 votes
      0 comments  ·  Network Security Groups
    3. Service Tags for Windows Updates (WU) and RedHat Update Infrastructure (RHUI) suggestion

      I have been using Azure Automation's Update Management for VMs that are internet facing without issue, until I was required to use it on VMs in a non-internet facing (intranet) environment, where I stumbled into a lot of NSG configuration complexity.

      Any chance of having these Service Tags?


      • AzurePlatformWU

      For example, having this Service Tag created for NSG would let consumers configure Windows VM resources to utilise Azure Automation's Update Management feature, and allow Windows VMs to receive Windows Updates securely.

      The current problem is that Windows Updates can be distributed through multiple Windows Update URL endpoints…

      17 votes
      0 comments  ·  Network Security Groups
    4. Add Service Tag for PowerBI

      Add a Service Tag for PowerBI to avoid having to whitelist all Azure IP addresses for connectivity.

      6 votes
      0 comments  ·  Network Security Groups
    5. Redesign default NSG rules to allow only VNET filtering

      When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that too much traffic will be allowed by default NSG rules on the hub and spoke vnets.
      (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

      The reason for this is the fact that the virtual network service tag "VirtualNetwork" will contain 0.0.0.0 as soon as we create a UDR 0.0.0.0 that points to the Azure Firewall.
      (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview)

      The default NSG rule 65000 "AllowVnetInBound" will by now accept source 0.0.0.0 to destination 0.0.0.0.
      The next rule (that we do need), 65001 "AllowAzureLoadBalancerInBound" will never be triggered,…

      15 votes
      0 comments  ·  Network Security Groups
    6. storage account firewall - Add inbound service tags for storage account.

      At the moment, storage account firewall can only be configured to "Allow Trusted MS Services" and the whitelisting of IPs/IP ranges.

      Our Power BI service needs to be able to access our storage account with storage account firewall enabled.

      Currently we have to manually whitelist data center IP ranges in order for this to work.

      Please add the ability to add inbound service tags for storage account firewall like you can with NSGs and add Power BI and other MS services to the "Allow Trusted MS Services".

      Thank you.

      151 votes
      4 comments  ·  Network Security Groups
    7. Add ICMP NSG Security Rules support on Az/AzureRM Powershell Modules

      Right now ICMP Security rules can be defined either via the AzCli or the Portal but can't be handled via the Az/AzureRM PowerShell Modules due to the lack of ICMP Protocol Support in them.

      Please add support for this.

      3 votes
      0 comments  ·  Network Security Groups
    8. Massive facepalm Microsoft - How about enabling NSG ALLOW for new service tags AzurePlatformDNS AzurePlatformLKM AzurePlatformIMDS

      I want to DENY outbound Internet access (override the default)
      I want to ALLOW AzurePlatform services. Like KMS, DNS.
      Microsoft listens, and gives me new Service Tags - great - and then prevents me from using them??? WTH
      See error below (by the way, what do YOU think of the SPELLING ERROR in the message provided in the portal - it seems to underline the facepalm quite succinctly in my opinion)

      Failed to create security rule 'AllowAzurePlatformDNSOutbound'. Error: Security rule has invalid Accees type. Value provided: Allow Allowed values: Deny.

      26 votes
      1 comment  ·  Network Security Groups
    9. Support IPsec (IP protocol 50/21) rules in Network Security Groups

      Support IPsec (IP protocol 50/51) rules in Network Security Groups. Right now the only support for IPsec through NSGs is to create a rule where port & protocol = *. This is too broad a rule. Please allow specifying IP protocols 50/51 within the rule definition, to support a rule that is specific to IPsec tunnels (which form after ISAKMP negotiates on UDP 500/4500, which is supported in NSG rulesets)

      1 vote
      0 comments  ·  Network Security Groups
    10. Service Tag for MDATP / Defender

      A Service Tag for MDATP and Microsoft Defender. I have tried adding the Azure Monitor and the Storage tags but that didn't work.

      3 votes
      0 comments  ·  Network Security Groups
    11. Make it possible to include Standard Load Balancer in Application Security Group (ASG)

      ASGs are really good and allow me to set granular NSG rules without hardcoding any IP addresses. I use ASGs for all my applications running on VMSS. Naturally I use Standard Load Balancer (SLB) in front of my VMSS.

      However, the SLB is not possible to include in my ASG (even though it's tightly coupled with the VMSS), which forces me to always create one NSG rule with ASGs (for the VMSS) and in addition another NSG rule specifically for the VIP of the SLB.

      I want the ability to include a Standard Load Balancer in an ASG, so that I…

      1 vote
      0 comments  ·  Network Security Groups
    12. Add FQDN/URL in Azure NSG

      <Add FQDN/URL in Azure NSG (Network Security Group)>

      Could we add the feature to add FQDN/URL in Azure NSG (Network Security Group)?

      We have some scenarios where customers want to whitelist FQDNs and URLs like .msftauth.net & .msauth.net. These FQDNs don't have a fixed IP range and we cannot add the IPs in NSG.

      46 votes
      2 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.

    13. Ability to select multiple protocols for NSGs

      Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.

      For instance, 3389 requires both UDP and TCP. Instead of creating two separate rules, one could simply select both TCP and UDP in a single rule.

      2 votes
      0 comments  ·  Network Security Groups
    14. Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location

      Remove the limitation restricting the ability of Network Security Groups (NSGs) to leverage/associate Application Security Groups (ASGs) that are not within the same location as the target Virtual Network (VNET).

      This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.

      419 votes
      21 comments  ·  Network Security Groups
    15. Add support for Azure Network Security Group Inbound rules to the Azure Application Gateway

      • In Azure, we CANNOT apply an inbound NSG rule with the destination public IP of the APPGW to allow/block traffic to this APPGW. We know this is by design:
      Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
      • Even for VM level public IP, we cannot allow/block traffic via inbound subnet level NSG with that destination public IP
      • The workaround I can think of is to deploy each gateway to dedicated subnet then…

      27 votes
      triaged  ·  0 comments  ·  Network Security Groups
    16. Add NSG Service Tag for "Office365"

      It would be convenient for O365 users who need to set NSG rules that deny all internet access due to their compliance. Without the Service Tag for Office365, we have to deploy Azure Firewall to control the traffic of Office365.

      106 votes
      1 comment  ·  Network Security Groups
    17. NSG Master Rule list

      NSG Master Rule list

      It should be possible to define the list of rules as a master list independent of NSG.
      Once defined, one should be able to use the rules with any NSG from the defined list.
      In most cases, we need to define the same rule again and again for different NSG.
      It becomes very difficult to maintain rules.

      There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
      Maybe while creating NSG, all rules in the group of master rule list should…

      26 votes
      2 comments  ·  Network Security Groups
    18. 1 vote
      0 comments  ·  Network Security Groups
    19. 4 votes
      triaged  ·  1 comment  ·  Network Security Groups
    20. Azure Service Bus Standard support for Firewall rules and VNET service endpoints

      Provide support for Firewall rules and VNET service endpoints in Azure Service Bus Standard.
      Both of the things below are supported only in Premium tier Service Bus:
      https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-ip-filtering

      https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-service-endpoints?toc=%2fazure%2fvirtual-network%2ftoc.json

      Both features should also be available in Azure Service Bus Standard.

      38 votes
      0 comments  ·  Network Security Groups