Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Support IP address in Backend Pool (Azure Load Balancer)

      Currently you can only include VMs or VMSS within an Azure Load Balancer Backend Pool.

      If we could choose an IP Address we would be able to load balance other resources hosted in Azure as well.

      Our use case:
      Load balance DNS queries (over udp-53) to Azure Container Groups (private IP).

      25 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    2. Private NAT for VM outbound to on prem

      If an Azure VM sits in a vnet (call it app-vnet) peered with a vnet that's VPN connected (call it vpn-vnet) to on-prem, and the VM needs to establish connectivity with an on-prem VM, a NAT gateway cannot snat the traffic from app-vnet using an IP from vpn-vnet, since the only kind of outbound IP a NAT gateway can use is a public IP.
      I actually don't know what azure solution could snat from a vnet using a private outbound IP of another vnet... Azure Firewall maybe?

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  NAT  ·  Flag idea as inappropriate…  ·  Admin →
    3. Azure DNS query log

      Hi,

      I would like to request Azure DNS Query Log. This will help us identify traffic hitting record name in the dns zone.

      Possible Log Sample

      Time-Stamp,SourceIP,RecondType,RecordName

      298 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    4. Zone-redundant NAT Gateway

      Since subnets are regional, not zonal, and can only be associated with a maximum of one NAT gateway, it seems that deployments would be much simpler if NAT gateways were supported in a zone-redundant mode.

      This is something you offer with Standard Load Balancer, so why can't it be provided by NAT gateways?

      Currently, I either must: (1) forego any failure isolation promises and go with a regional NAT, or (2) double or triple the number of subnets I manage just so a zone-isolated NAT can be assigned to each. That makes a complicated, messy deployment that wasn't required for…

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  NAT  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow ESP traffic through Azure Loadbalancer

      Azure Load Balancer, for external connections, can support only TCP (Protocol ID “6”) or UDP (Protocol ID “17”).

      It cannot support protocols like ICMP (Protocol ID “1”). As an example, also IPSec (and VPN using it) is not supported since you should open UDP port 500 (that is fine) and permit IP protocol numbers 50 and 51. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through Azure Load Balancer. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally,…

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    6. Ability to select multiple protocols for NSGs

      Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.

      For instance, 3389 requires both UDP and TCP. Instead of creating two seperate rules, one could simply select both TCP and UDP in a single rule.

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    7. NSG Master Rule list

      NSG Master Rule list

      It should be possible to define the list of rules as a master list independent of NSG.
      Once defined, one should be able to use the rules with any NSG from the defined list.
      In most cases, we need to define the same rule again and again for different NSG.
      It becomes very difficult to maintain rules.

      There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
      Maybe while creating NSG, all rules in the group of master rule list should…

      26 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Allow us to view the effective route for an Subnet without requiring an Interface inside of the subnet.

      Currently in order to view the effective routes for a subnet you need to have some kind of network interface inside of the subnet. I find that sometimes I need to view the routing table for a subnet, but it doesn't contain any VMs. Could you add functionality to allow us to view the effective routes without having to provision anything inside of it?
      My use case is that I host ILB ASEs in dedicated subnets, but I can't view the routing table because there are no VMs inside of it.

      196 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      11 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. It would be great if you could use Azure Load Balancer to load balance on-premises VMs. This would make migration to Azure easier.

      It would be great if you could use Azure Load Balancer to load balance on-premises VMs. This would be useful for hybrid environments. This would also make migration to Azure quicker and easier. Third party load balancers (e.g. F5) are incredibly expensive. A low-cost cloud alternative would be a big win.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    10. KMS / RHUI service endpoint

      Could you kindly add service endpoint for KMS and RHUI.
      It will really helpful for managing VMs without SNAT Public IP.

      59 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    11. Add Service Tags to Route Tables/UDR

      Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…

      43 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    12. Load balancer Probe Latest Status in Portal

      Is it too much to ask for a simple red/green light in the portal that has the latest status for the last probe attempt for each load balancer rule?

      This would save countless hours of debugging and it is a basic tool available from all firewall vendors.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    13. NSG service tag for AzureBastionSubnet

      When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.

      It would be nice we have AzureBastionSubnet service tag which automatically describes a specific Azure Bastion subnet for each virtual network where resources NSG attached reside in.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    14. Could we add VMs in Load balancer backend pool even they are in the different peered Vnets in the future?

      Could we add VMs in Load balancer backend pool even they are in the different peered VNets in the future?

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    15. Allow to add multiple Service Tags to NSG rule

      Allow to add multiple Service Tags to NSG rule. Right now we can add multiple subnets, ranges, IPs and ports, Great idea would be to add also multiple service tags to source/destination as now we create multiple rules for one host to multiple service tags.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    16. BGP Filters on Private Peering

      Can we expand BGP filtering into Private peering? That will enable us filtering unnecessary traffic and also filter incoming onPrem networks into Azure VNET. Furthermore , that will provide summarisation of on Prem routes into VNETs thus less UDRs if you wanted to route all traffic via NVA

      194 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  10 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    17. Event Hubs support in NSG Flow logs

      Currently NSG Flow Logs are do not have the ability to publish to Azure Event Hub as other logs do.

      It would be invaluable for this facility to be made available to allow onward transformation of log data (via Azure Functions) prior to ingest into products such as Splunk.

      108 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for your feedback. Today publishing NSG Flow Logs to an Event Hub is not currently supported natively. We will continue to evaluate this suggestion and update the status accordingly.

      Today, if you are interested in transforming and streaming NSG Flow Logs to a 3rd party endpoint, we have published a sample here that leverages an Azure function: https://github.com/Microsoft/AzureNetworkWatcherNSGFlowLogsConnector

      Splunk has also published a blog with guidance on integrating NSG Flow Logging data here: https://www.splunk.com/blog/2017/02/20/splunking-microsoft-azure-network-watcher-data.html

    18. Support server-sent events

      Azure Application Gateway apparently does not support server-sent events. This surprised me, since SSE really is just http. However after quite a bit of testing, and asking on the forum, I can confirm it does not.

      SSE is an arguably better way of doing server push than websockets, which is a lot more complex. We rely heavily on it, so hope it will be prioritized.

      Best regards,
      Alf

      179 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  9 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. VPN Connection Status Alert

      It would be nice to have built in alerting for when VPN connections are dropped/connecting. We've had to setup an hourly runbook to call a PowerShell command that pushes data to OMS and then create an alert. All of the data is available in resource health so it shouldn't be a difficult enhancement, we just have no native way to pull/alert the data.

      115 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Support for VNET peering when deploying failover groups

      There is no support for VNET peering when deploying failover groups (one have to create new IPSec VPN tunnels to test failover across regions)

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 11 12
    • Don't see your idea?

    Feedback and Knowledge Base