Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Application Gateway TLS-ALPN-01

      For use cases where we have a backend machine doing LetsEncrypt domain ownership proof, to use Letsencrypt TLS-ALPN-01 we need Application Gateway to be, as the page below states, a "TLS-terminating reverse proxy". Do we currently have such capabilities. Are we looking into poviding such capability in the future? Thank you.

      https://letsencrypt.org/docs/challenge-types/

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Resource explorer using old API api-version=2018-07-01

      Anytime I try to use the Azure resource explorer to make changes to the V2 app gw I get the below error but when I use the portal or powershell, no errors. could this be caused by the old API version used ? api-version=2018-07-01

      {
      "error": {

      "code": "MissingIdentityIds",
      
      "message": "The identity ids must not be null or empty for 'UserAssigned' identity type."

      }
      }

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. ILB only mode for Application Gateway V2

      https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant#differences-with-v1-sku

      We are using Application Gateway regularly on internal services and we want to use V2 mainly because its faster, but we don't want to expose our services externally even by mistake - so because there is public frontend ip address, it is no-go far us until there ILB only is possible.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Allow public and private ip to have its own listener on the same port

      single gateway would support both public and private ip but the not able to create the two listeners for public and private on the same port. it would be great to have this feature else we need to create 2 application gateway for this purpose which defeats the purpose of public and private front end configurations to some extent.

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. How to check secret version of KeyVault for Listener

      I created KeyVault certificate and listener reading bellow document.

      https://docs.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps

      But I can not confirm which version the AppGw is using because there is no secret version in Get-AzApplicationGateway. SedretId is bellow but it is only certificate name not sercret version.

      "keyVaultSecretId": "https://testkeyvaultest.vault.azure.net:443/secrets/test/"

      I hope we can check which version the AppGW is using.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Application Gateway support of URL hash based routing

      I'd like the ability for user requests with the same URL (or same header) to be sent to the same back-end. This is useful if the back-ends cache content that users request, enabling them to serve users significantly quicker.

      In my specific use case, I want to connect multiple web-socket connections to the same host to share common resources.

      Other load balancers accomplish this by hashing the URL request and sending requests with the same hash to the same back-end.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Application Gateway WAF

      Application Gateway is always slow to update even few configuration changes, so better backend networking with high speed support has to be mapped so that every end user will get better outcomes.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Application Gateway does not support a long content-security-policy header

      I am attempting to set our content-security-policy (CSP) HTTP header using a Rewrite rule.

      When I exceeded 1000 characters (the maximum allowed in AG for a header value), I was stuck.

      I attempted to add a second HTTP header for "content-security-policy" but it seems the built-in behavior is to replace the first HTTP header with the second.

      The CSP standard allows for multiple duplicate headers. AG does not appear to support this.

      I am utterly stuck. I cannot set the CSP I need because of the 1000 character limit.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Increase upload limit for Application Gateway or make it configurable

      Increase upload limit for Application Gateway or make it configurable.

      Currently the limit is 2GB maximum, but we need to be able to exchange larger files as well.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. translation error

      https://docs.microsoft.com/zh-cn/azure/application-gateway/application-gateway-components#ports

      侦听器在某个端口上侦听客户端请求。 对于 v2 sku, 你可以配置范围从1到65502的端口, 为 v2 sku 配置端口1到65199。

      The first "v2" should be "v1"

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Add Prometheus Monitors to Application Gateway

      It will be nice if you can add an Endpoint for Prometheus metrics to be scraped from Application Gateways.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Allow IP range whitelist for Application Gateway WAF IPS/IDS

      We have a range of web apps behind an Application Gateway (WAF in IPS mode) that need to be scanned on at least monthly basis for PCI compliance. We need to be able to whitelist the range of the scanners used by Qualys otherwise we get a FAIL for "Possible Scan Interference".

      Threat:
      Possible scan interference detected.

      A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
      The PCI ASV is required to post fail if scan interference is detected.

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. The Portal UI for APPGW resources should display Stopped if stopped and not "Degraded State"

      when attempting to diagnose some connectivity issues through our APPGW I didn't look back through the Activity logs far enough to see that someone had actually stopped it explicitly.

      when checking health and backend probe status the only UI Clue I received that anything was amiss was a notice that the Gateway was in a Degraded State.

      this to me implies an issue/ something broken etc. It would have been much more useful if this simply said "Gateway is STOPPED since <date>"

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. AppGW v2 setup : check the subnet size (min /28)

      Hello,

      Next to the Microsoft support request #119082022001909 (Impossible to create an AppGW v2 using Azure GUI Portal or AzureAppGWMigration.ps1 Application Gateway) : it appears it misses a check about the size of the subnet in which we want to deploy an Application Gateway v2.

      We've tried several times to create an appGW v2 using a /29 subnet without success, but without warnings too, although it is a prerequisite as described here > https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview#size-of-the-subnet

      We've tried it 'manually' using the Azure Portal GUI Wizard, or using a PS script (to migrate v1 to v2) and we've got the same error…

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Instance IPs of Application Gateway are not visible in Portal

      In our usecase, external facing App Gateway(AG) will forward the traffic to PaloAlto virtual firewalls and firewall will NAT traffic to internal AG. Every application will have it's own external & internal AG. The NAT policy in firewall cannot use external AG subnet as source, you will have to identify instance IPs of each external AG and create NAT policy based on that. At the moment only Azure support have visibility to instance IPs, these IPs need to be exposed to Portal.

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. Application gateway V2 subnet to support UDR

      We need to support UDR association with Appgw V2 subnet, since as of now it's not yet support while Appgw V1 does support. Please add this feature.

      88 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. "Azure Managed" SSL certificates for Application gateway for SSL offloading

      Please add the ability to use a Azure managed certificate for the application gateway for the use of SSL offloading. This feature would be nice so that we would not have to manage the certificate and it would auto update instead of us having to keep the certificate up to date.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. downgrade attack prevention - TLS_FALLBACK_SCSV

      Downgrade attack prevention should be a necessary addition to the Azure Application Gateway.

      All security audits (SSL Labs among others) show this to be a necessary security measure and as such they all downgrade your security compliance if you dont have it.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add custom error pages like 405(with TRACE method) at global level of application gateway V2

      Please add custom error pages like 405(with TRACE method) and other status code returned by appgw(without forwarding request to backend) at global level of application gateway V2, where customer can block other scenarios and return a designated URL to original client.
      Sometime customer has a requirement of completely removing 'Microsoft-Azure-Application-Gateway/v2' in response header, so please consider to add this feature in future.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Bug in Application Gateway Path Based Rules Redirection Configuration to External Site

      There is a bug in the "Rules" section of the "Application Gateway".
      Create a new path based rule for a multi-site Listener with HTTP HTTP settings.
      In this rule, add a new redirection configuration, to an EXTERNAL SITE.

      The "Include Path" checkbox is disabled. It is enabled only for the Listener case.
      Create the rule. The Include path value is null (verified through powershell az module and by the fact that the actual redirection does not work).
      I managed to enable this switch, via az powershell modules and all worked as expected.

      PLEASE FIX

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 8 9
    • Don't see your idea?

    Feedback and Knowledge Base