Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Route table associated to a Virtual Network

      It would be great if a route table can be assigned to Virtual Network level and added to the priority sequence like System Routes -> BGP Routes -> UDR at Virtual Network -> UDR at subnet level

      This will allow to move all common routes to be placed at virtual network level and then subnet specific to subnet level.

      Or allow nesting of UDR where two route tables can be assigned to one subnet which may be a cumulative routes of combined both.

      20 votes
      1 comment  ·  Virtual Network
    2. Allow to assign custom routes on the VNET level (instead of only subnets)

      We configured a custom gateway on Azure. Unfortunately it's not possible to add routes on a VNET level so these routes get applied to all existing and future subnets automatically.

      Basically it would be sufficient to be able to assign UDRs to VNETs.

      9 votes
      0 comments  ·  Virtual Network
    3. Allow Internal Load Balancer Internet Access

      In an Internal Azure Load Balancer {Standard SKU}, VMs within the Load Balancer do not have internet access except:
      1) If they have a public IP address
      2) If they are part of a public Load Balancer
      3) If they have load balancer rules statically configured.

      There are instances that VMs may need access to the internet as 'internal' servers may need internet access.

      I think there should be an option for "Allow VMs in this Internal LB to access the internet" on the internal load balancer. This would allow security checks for public certificate validation or other tests that…

      12 votes
      1 comment  ·  Load Balancer
    4. Send FIN after probe confirms healthy

      The current behaviour of the four way handshake of the health probe is to not send the FIN until the next probe is due.

      The FIN should be sent as soon as the health has been confirmed.

      For example:
      We've got an Azure Load Balancer running over a RabbitMQ cluster with a health probe set to check port 5672 every 60 seconds.

      A packet capture shows the following:

      1. Load balancer SYN
      2. RabbitMQ ACK
      3. Load Balancer ACK
      4. 10 seconds later RabbitMQ RST
      5. Another 50 seconds later Load Balancer FIN

      Azure load balancer documentation declares that it…

      3 votes
      1 comment  ·  Load Balancer

      Thank you for the feedback. We don’t have any near term plans to change probe behavior.

      A possible workaround may be to use an HTTP endpoint and configure an HTTP probe or increase the RabbitMQ timeout.

      Or you can instead substitute Azure Service Bus which also supports AMQP.
      — Christian

    5. Azure standard loadbalancer - force all UDP traffic bidirectionally back over the LB

      Currently a single specific session with the same source and destination port on UDP will be routed correctly. But when the system behind the loadbalancer starts creating multiple sessions with the same destination port but different source ports (Random) it will be routed directly back bypassing the loadbalancer fully. This breaks functionality for certain UDP based designs....

      Please make it possible to route the traffic always via the loadbalancer

      6 votes
      0 comments  ·  Load Balancer
    6. standard internal loadbalancer

      Access to public address does not work for standard internal loadbalancer (according to MS by design). In order to be able to access public resources a public IP needs to be assigned.
      However there are cases where public IP should not be assigned to allow only private traffic. There are two services which however require (via UDR) access to public.
      Reaching the KMS license server (Windows) and Redhat repositories (for both the recommendation is to use UDR).
      So access to those services is not possible once you do a standard internal loadbalancer and your policy prohibits use of public IP. …

      1 vote
      0 comments  ·  Load Balancer
    7. Provide rapid failover away from unhealthy and/or removed VMs from the Load Balancer backend pool

      Presently, the Standard SKU Load Balancer takes up to several minutes to stop sending traffic to backend VMs which have been identified as unhealthy by Health probes and/or have been manually removed from a backend pool through a configuration change.

      This delay prevents using the Load Balancer as an SLA/availability solution and is counter-intuitive. A preferable design would be to immediately cease sending any additional traffic to an unhealthy VM once it has been marked as unhealthy (unless it is the only VM in the backend pool.)

      6 votes
      0 comments  ·  Load Balancer
    8. Azure SLB: suggestion for display of frontend ip addresses

      On the portal, we can see public IP address which is assigned to each VM in "overview" of VM resource.
      If VM is bound to loadbalancing rule or inbound NAT rule of SLB, SLB's frontend IP address is displayed in "Public IP address" field.

      However, even if SLB has multiple frontend addresses, not all public addresses are not displayed, but only a single public address is displayed in this field. Sometimes it confuses operators. Please consider to modify this like below:

      - not to display any frontend IP address of SLB in "Public IP address" field
      or
      - display all…

      0 votes
      declined  ·  0 comments  ·  Load Balancer
    9. After I configured a Point-to-Site connection to a VNet using native Azure certificate authentication. I can't ping from Client to Azure VM.

      After I configured a Point-to-Site connection to a VNet using native Azure certificate authentication. I can't ping from Client to Azure VM.
      Help me!

      1 vote
      0 comments  ·  Virtual Network
    10. Accelerated networking for all SKUs in a SKU family

      Accelerated networking, and more generically: all features of a SKU family, should be supported across all SKUs in a SKU family. With the current limitations based on the number of cores of a SKU in supported SKU families, we have to develop logic in a wrapper around Terraform to see when we can just resize a SKU and when we need to recreate it.

      1 vote
      0 comments  ·  Virtual Network
    11. Allow Basic Port Forwarding With Network Load Balancer for all Services

      Azure Network Load Balancer should support basic port forwarding, many customers have firewall rules that block PaaS Services. Today you can create a port forwarder with NLB, but only to its supported endpoints. Ideally you could forward to any Azure hostname or IP address.

      3 votes
      0 comments  ·  Load Balancer
    12. Add basic SKU public ip support to public ip prefix

      We are using AKS for most of our workloads, and we have to whitelist single egress ips in databases and third-party tools, each time we add another cluster. We thought it would be clever to use prefixes, but as you can only create standard SKU ips off the prefix, and AKS uses basic loadbalancer and basic ips, this is not an option. Please make our lives so much easier!

      12 votes
      declined  ·  1 comment  ·  IP addresses
    13. Tcpdump and TCP session stats on Azure Standard LB

      Currently, there are bare minimum stats available for TCP sessions on Azure Standard LB. Can you add more traffic flow stats showing the client IP address hitting Azure LB?
      Secondly, tcpdump is the basic tool for operational troubleshooting.

      6 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. Load Balancer is a pass through network load balancer and does not terminate connections. The handshake is directly between the client and the application on a VM.

      You can use Network Watcher to initiate packet captures.
      — Christian

    14. Test alert for diag log.

      I want to confirm whether LB can send diagnostic log to the storage account but I couldn't happen to put any logs intentionally. So I hope we can use test alert for diagnostic log.

      3 votes
      1 comment  ·  Load Balancer
    15. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      3 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
      — Christian

    16. Vnet Integration Front Door

      VNET integration

      We are currently using application gateway for a lot of our inbound traffic and considering to move to Front Door Service when GA but I have just noticed that there is no option to integrate into a VNET or am I wrong?
      This would be a prerequisite option for us to move.

      3 votes
      1 comment  ·  Azure Front Door Service

      AFD can only route to public VIPs/FQDNs and cannot route to private IP spaces and thus also doesn’t support VNET integration. This is by design and we do not plan to add this support any time in the near future. One of the ways you can achieve this is by routing traffic from AFD to an Application Gateway/Standard Load Balancer tied to your VNET.

    17. Create peering to a VNET before the VNET exists

      An example:

      Terraform script that creates a complete test environment.
      As part of that creation, it needs to access to another vnet that acts as a gateway via peering otherwise the deployment will fail.
      The peering from the remote vnet can't be configured until the new vnet exists.

      That means either breaking the Terraform script into multiple parts, watching the deployment and adding the peering once the new vnet exists or giving the script the ability to create the remote peering which breaks the permissions model.

      The ability to create a peering to a VNET before it is created in…

      4 votes
      0 comments  ·  Virtual Network
    18. Allow wildcard certificates for Custom Domain https in Azure Front Door Service

      It would be great for a Front Door Managed certificate if there was an option to request a wildcard for the domain you wish to onboard to the Azure Front Door Service.

      3 votes
      2 comments

      Customers can anyway upload a wildcard certificate in the case of Bring Your Own Certificate scenario. Additionally, given that Front Door at the time of onboarding the custom domain has only validated the ownership of the specific domain, we cannot really generate a wildcard certificate. This ask would only be relevant if AFD already supported onboarding wildcard domain names (*.contoso.com) which isn’t the case today.

    19. Standard load balancer - last rule warning

      I just caused an outage, because I deleted the last rule of the standard frontend load balancer in front of the firewalls.
      The root cause is clear based on the documentation:
      "The Load Balancer resource must be configured with a load balancer rule to create a link between the public IP frontend with the backend pool."
      That means, I am forced to have a rule, regardless whether it is nonsense like some random high port, in order to enable the backend VMs to connect to internet. So even I do not want to have a connection from internet, I still…

      1 vote
      0 comments  ·  Load Balancer
    20. Test alert for LoadBalancerAlertEvent.

      I can't confirm whether ALB can put diagnostic logs to a storage account. I hope we will be able to put test alert in future.

      3 votes
      0 comments  ·  Load Balancer