Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Allow an HTTP to HTTPS redirect on Azure Front Door

      Allow an HTTP to HTTPS redirect on Azure Front Door.

      169 votes
      started  ·  7 comments  ·  Azure Front Door Service
    2. Add Custom Apex (Naked) Domains as front end hosts for Azure Front Door Service

      Azure Front Door Service is currently missing the ability to onboard Apex (Naked) Domains e.g. https://contoso.com https://example.com

      It runs on Anycast IP addresses that seem globally consistent for the Frontend host (something.azurefd.net).

      So why not allow me to onboard an Apex domain to the service by creating DNS A and / or AAAA records at the custom zone apex that point to the allocated Anycast IPs? (CNAMEs are not supported at the Zone Apex)

      If the answer is that the Anycast IPs aren't allocated in perpetuity please fix that first then add this feature!

      153 votes
      started  ·  11 comments  ·  Azure Front Door Service
    3. Allow front door service URL Rewrite to file instead of path

      Allow URL Rewrite to rewrite a path to a file. This would enable users to host single page applications using front door.

      38 votes
      started  ·  7 comments  ·  Azure Front Door Service
    4. Allow configurable timeout period for Front Door

      Currently Front Door forces a 30 second timeout for backend requests. This can severely restrict the usefulness of the service in production systems. It would be great to have the timeout period configurable to allow for a longer period of time. My understanding is that the Azure Load Balancer, which sits in a similar space as Front Door, defaults to a 4 minute timeout period.

      43 votes
      started  ·  4 comments  ·  Azure Front Door Service
    5. Create private dns zone in virtual network which already has VMs

      Create private DNS zone in virtual network which already has VMs. Currently, it's giving the error below:

      `Virtual networks that are non-empty (have Virtual Machines or other resources) are not allowed during association with a private zone.`

      60 votes
    6. Support communicating to the frontend IP address of a globally peered internal load balancer

      The VNet peering documentation contains the following constraint:

      Resources in one virtual network cannot communicate with the frontend IP address of an Azure internal load balancer in the globally peered virtual network. The load balancer and the resources that communicate with it must be in the same region.

      In scenarios that require a resource to access a load balanced application in another region, a 3rd party load balancer is required.

      50 votes
      started  ·  6 comments  ·  Load Balancing
    7. Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

      Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps…

      461 votes
      26 comments  ·  Application Gateway
    8. Azure Front Door service is incompatible with blob storage if using Azure storage's shared key authentication method

      We found that the Azure Front Door service is incompatible with Azure blob storage if using Azure storage's shared key authentication method. The root cause is that AFD will add some x-ms-* headers to the request to the storage backend, and the storage backend will use all headers beginning with "x-ms-" to calculate the MAC signature. So the request will be rejected by the storage service if forwarded by AFD.

      4 votes
      started  ·  0 comments  ·  Azure Front Door Service
    9. Application Gateway: Support wildcard hosts in listeners

      Our product creates dynamic DNS zones for our customers, e.g. foo.z1.contoso.com, bar.z2.contoso.com, etc. We use Azure DNS for this. (Notice that we stripe our customers' domains across multiple zones (z1, z2), because Azure DNS has a max record count of 5000.)

      So, to support this, we have a wildcard SSL certificate for each zone e.g. *.z1.contoso.com, *.z2.contoso.com.

      In order to have Application Gateway provide SSL termination for us, we obviously need to create Multi-site listeners for port 443. Unfortunately, the 'Host' field on the Multi-site listener does not accept wildcard entries. Furthermore, specifying the host name 'z1.contoso.com' does not appear…

      630 votes
      28 comments  ·  Application Gateway
    10. Need a function to URL path rewriting in Application Gateway

      Currently, I know Azure Application Gateway has a function for URL path-based redirection.

      Now, I need a function for rewriting the URL path when redirecting a request to the backend server.

      For example, when Application Gateway receives an HTTP request to http://www.contoso.com/test/*, it redirects the request as /images/* to the backend server.

      In other words, I want to set a URL path for the backend server in PathRuleConfig in Application Gateway.

      73 votes
      1 comment  ·  Application Gateway
    11. Allow paths in Application Gateway rules to be defined as regular expression

      Currently, Application Gateway rules support only path matches with a wildcard at the end of the string.

      For us it means reworking our routing strategy, as the first part of our route is dynamic: /<domain>/<controller> (e.g. /sales/process). The controllers are shared among domains. Domains can be dynamically created, which prevents us from directly using the current feature to separate only the 'process' controller into a standalone backend pool.

      We would prefer to be able to define something like '/[a-z]+/process.*' as a matching criterion.

      37 votes
      2 comments  ·  Application Gateway
    12. Allow Static Public IP Address

      Hi,
      We currently have VMSS running inside a public Load Balancer, that ensures all the apps have the same Public IP address. This is important for us, as we need to be able to publish our IP Addresses for all clients to whitelist.

      We really want to move to using the Application Gateway, but can't because it doesn't support static Public IP addresses.

      I don't believe there is a workaround either?

      199 votes
      6 comments  ·  Application Gateway
    13. Traffic Manager Probe Success and Failure Logs

      Currently in the metrics for Traffic Manager, you cannot see a history of when probes passed or failed. You can only see an average of the probes over a period of time.

      Seeing the logs of when probes succeeded and failed for each endpoint could be helpful for troubleshooting. Particularly when you think a failover should have occurred, but it did not.

      5 votes
      started  ·  0 comments  ·  Domain Name Service (DNS, Traffic Manager)
    14. Increase listener limit for Application Gateway

      Application Gateway has a very low listener limit (20 listeners / certificates). This severely limits its usefulness for multi-tenant/domain applications where a web farm / service hosts many endpoints. IIS itself has no such small limit, but due to constraints on certificate deployment in cloud services, Application Gateway is the only clear path to wide scale SNI based SSL hosting. With its low limit, it does not come close to meeting our use case. I would suggest the limit be removed or set to a very high limit like 10k+ so many certificates could be bound to host many different…

      341 votes
      19 comments  ·  Application Gateway

      We have raised the limit to 100 recently. We are regularly reviewing the limits and will continue to look for opportunities to raise the limits even further. If you have scenarios requiring limits higher than what is supported, please add your scenario details here (if you are comfortable with that) or raise an issue with Azure support and we will get back to you.

    15. Make TrafficManager more robust when there's a major outage

      We configured the TrafficManager to either point to deployment1 or deployment2, which live in different locations, depending on which is in the "prod" role (machines are allocated) or the "backup" role (machines are deallocated). Using the TrafficManager is attractive because the customer doesn't need to make any changes on their end; if we need to revise the TrafficManager to point to the other deployment, it's simple and straightforward to allocate the machines and run a few lines of PS code. However, during the recent extended outage in the South Central US, after allocating the backup machines, when we tried to…

      2 votes
    16. Fix Virtual Network Gateway IKEv2 Security Logging

      Ok, so logging access to enterprise networks is a basic security control which we shouldn't be asking for in year 2018.

      If we deploy P2S/Virtual Network Gateway w/IKEv2/certificate authentication in its current state, we open our networks to the internet and have no idea who logs into it and from where. There are basically NO events logged for an authenticated user. In addition, the "Connection Count" doesn't increment. So if I have 100 users connect via IKEv2, Connection Count still shows 0.

      THIS IS A SIGNIFICANT SECURITY HOLE.

      Microsoft - this product shouldn't have been released, not in its current…

      4 votes
      2 comments
    17. improve application gateway rule description documentation

      When will you improve the documentation to include better descriptions of the rules? Having a rule with a description Rule 981312 doesn't help to know what it does! Enabling all rules has a huge impact on WAF performance and we need to know what exactly each rule does in order to fine-tune it.

      3 votes
      0 comments  ·  Application Gateway
    18. VPN Gateway monitoring

      It would be great to have monitoring options in the Azure portal which would show the bandwidth usage and throughput charts. It would help in figuring out if the 100mbps limit of the standard gateway SKU is being hit at peak loads. If the details can be further provided for each individual site-to-site or point-to-site connection then that would be a great thing to have. It would help immensely in finding out which connection is hogging the bandwidth the most.

      419 votes
    19. 15 votes
      1 comment  ·  Load Balancing
    20. Please give feature SSL certificate setup in Azure Load balancer and/or static public IP in application Gateway instead dynamic IP.

      Please give feature SSL certificate setup in Azure Load balancer and/or static public IP in application Gateway instead dynamic IP.

      41 votes
      4 comments  ·  Application Gateway