Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Network Monitor Dashboard

      Provide a dashboard to help understand the Azure network topology and to visualise the NSG rules

      26 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    2. Setting NSG immediately

      When NSG is set from PowerShell or the portal, the operation successfully completes soon but it takes a few minutes before the NSG setting will take effect.
      Please set NSG setting immediately.

      73 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. provide troubleshooting features to VPN gateways

      Until Microsoft improves the Azure VPN technology, it would be good and sometimes necessary to provide some VPN troubleshooting tools on the Azure side. The local side logs sometimes are not enough and it gets very difficult to understand the reason of tunnel outages. This feature will also be definitely useful once the Azure VPN technology will be completely stable and reliable, in order to analyse traffic and build monitoring based on it.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Ability to create source/destination objects containing multiple IP addresses/ranges

      When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

      174 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. Drain/admin endpoint control for Load Balancer

      Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.

      628 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      24 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow both ExpressRoute and VPN Virtual Network Gateways on a single VNet

      We have several clients who require both a ExpressRoute Gateway to connect from their on-premises network, AND a VPN connection between the same VNet and another VNet (Either in the same subscription, or in a different subscription.

      An example is a client who wishes to use their subscription to host database servers that can then replicate certain data sets across to an other companies subscription via a VPN connection.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Multiple Network Security Groups per subnet

      Provide ability to associate multiple Network Security Groups with a single subnet. Right now there is limitation to associate only one NSG per subnet.

      This limits reusability of NSGs which are created at subscription level. We have come across use-cases where multiple subnets have common rules and few subnet-specific rules.

      It will be help a lot in terms of rules management and reusability if it is possible to segregate common rules across subnets in an NSG which can them be applied on a subnet with additional NSGs for subnet specific rules.

      107 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    8. Maintain "DNS Zone" name server across muliple Zones

      Currently Azure DNS Zone will randomly create Zone records in different DNS Servers.

      I have a public DNS server which I would like to migrate to Azure DNS Zone, to do this I need maintain my name servers but redirect to Azure's. because every time I create a new zone it is generated in a different DNS Server I can't create the CNAMEs to easily migrate my clients domains.

      Could this feature be added.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    9. Provide Feedback as to if CDN can reach origin url.

      Right now you need to wait 90 minutes or so (potentially) if you are getting 404 errors on content. It would be nice to have some kind of visual feedback on the endpoint configuration page if the origin url was reachable from Azure.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      planned  ·  Anton Kucer [MSFT] responded

      With Azure CDN from Verizon it takes up to 90 minutes for configuration for a new CDN endpoint to propagate to all worldwide CDN POPs. For a new endpoint you will get back 404 errors until the configuration has propagated to the CDN POP that you are making requests to. We are working with Verizon to reduce this propagation time and also working with them so that we can deterministically provide feedback via API and UI when this propagation has completed.
      With Azure CDN from Akamai CDN endpoints are typically created in under a minute and the status of via API and UI accurately reflects when endpoint configuration has completed.

    10. Improve VPN gateways performances and limits

      Using VPN to connect sites to Azure is great. But we are rapidly hitting the gateways limits:
      - One gateway per VNet
      - A max of 30 Tunnels per gateway (10 and 20 for standard)
      - A max of 200 Mb/s per gateway (shared by all VPNs)

      Today, not all regions and customers can afford 'ExpressRoute' to get more bandwidth and scalability. So why this 'very limited' options.

      86 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Enable the application of Network Security Group rules to groups of IPs

      Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.

      70 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    12. Is there any plan to implement how to operate Azure CDN by JAVA SDK?

      We are now using JAVA SDK to access Azure service but it seems no api to operate CDN service. We need to use the "query string" function of azure cdn with java, i would like how to define the file name pattern of resource like css or javascript.

             So, we would like to know is there any schedule of this request will be planned? Thanks.
      

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      planned  ·  Anton Kucer [MSFT] responded

      Yes support for Java SDK is planned. Initial API support for Azure CDN is targeted to be available in December. Java SDK support will follow after this is released.

    13. Allow multiple reserved IP addresses be assigned to a single VM

      Currently you can only have one reserved (static) public IP for a given Azure VM. This limits any case where you would want to run multiple SSL enabled sites/applications on the standard 443 port.

      I understand there is support for SNI SSL with host headers but not all applications and devices support this feature. Current competition in you market allow up to 5 IPs. A limit I believe is still arbitrarily low given the power of your larger VM instances available.

      122 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    14. CDN: Support Vary: Origin header.

      The CDN ignores the Vary: Origin header, and thus the associated Access-Control-Allow-Origin is not emitted either. Even though the underlying blob store does return the correct Vary header, the CDN ignores this (basically breaking HTTP logic) and returns the same response to all users regardless of the origin (X-Cache: HIT) is then returned instead.

      This is basically a flaw, a bug, and an oversight- but I'm not going to pay for Azure support to tell you this.

      Without this functioning properly, the CDN cannot be used to host website resources (such as fonts) since these must all have Access-Control-Allow-Origin headers…

      112 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      9 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      planned  ·  Anton Kucer [MSFT] responded

      Azure CDN by default ignores Vary header except when it is used with Vary: accept-encoding. This is done as the Vary header can easily cause serious cache bloat issues. Long term we are targeting feature to allow users to easily adjust this default behavior.

    15. Formalize the Traffic Manager user agent string

      I would like to see the user agent that Traffic Manager uses in its HTTP requests as part of monitoring/probing become formalized so that applications can take a dependency on the user agent string name and not worry about it changing in the future affecting the application that has behavior that depends on the user agent.

      For an example where the user agent string is needed to comply with URL canonicalization needs along with Traffic Manager being involved, please refer to http://social.msdn.microsoft.com/Forums/azure/en-US/d9f8e779-644d-4263-990c-9de5a7cf403c/is-the-user-agent-for-traffic-manager-guaranteed.

      41 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    16. 16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Bring Your Own Public IP Address space and Internet subnet routing in Azure Virtual Networks

      When you own a public address space IPv4 and/or IPv6, Windows Azure should provide a way to use it (via LISP and/or classic routing).
      When you don't own a public address space, you should be able to rent it for your virtual network on Windows Azure both via Microsoft or via Tunnel Broker providers

      491 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      20 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    18. Application Gateway support for multiple IPs on backend DNS name

      We are using Docker on Azure. Therefore we have a single DNS name for all containers. It would be great to have support for this. Having a backend pool with a single DNS name like 'myservice.domain' having multiple A records (each one resulting in a separate backend server entry).

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Traffic analysis on ExpressRoute connections on top dataflows

      If there are many VNET's connected to the ExpressRoute, traffic of one VNET can impact other VNET's traffic. We need a way to see which srcip and dstip traffic is responsible for filling up the ExpressRoute. Current NSG flow data does not include amount of data between endpoints, thus we need another way of analysing top consumers of the ExpressRoute.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    20. Site Categorization for the new Azure Firewall

      Adding the ability to restrict outbound traffic based on Site Categorization would be great. This would give the ability to restrict outbound access to adult, gambling and other questionable sites.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base