Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

  • Virtual Network: Service overview · Technical documentation · Pricing details

  • Traffic Manager: Service overview · Technical documentation · Pricing details

  • Network Watcher: Service overview · Technical documentation · Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Allow ability with Azure Firewall to select the Public IP for outbound connections

      The Azure Firewall randomly selects the source public IP address to use for a connection on outbound connections.
      When you have multiple Public IPs associated to the Azure Firewall this means that when you connect to external sources, they may have to whitelist the full set of the Public IPs. So you have to use IP Prefix or load balancer to try to work around this.

      3 votes
      0 comments  ·  Azure Firewall
    2. service chaining

      Redirect traffic based on customizable criteria to other network functions that could be represented also as custom NVA to build network service chains.

      1 vote
      0 comments  ·  Azure Firewall
    3. Azure Firewall Service Tags in DNAT Source addresses

      Add service tags for the DNAT Source addresses

      12 votes
      0 comments  ·  Azure Firewall
    4. Azure Firewall - Wildcards into FQDN into the Network Rules

      The Azure Firewall does not support wildcards in the FQDN of the Network Rules.
      This is working in Application Rules.
      Please make it work in the Network Rules too.

      26 votes
      0 comments  ·  Azure Firewall
    5. Azure firewall Threat Intel logs: option to always add fqdn to "Deny" log entries

      When TI blocks by IP instead of fqdn (which it seems to do most of the time, given the amount of blocks we notice), it would be very useful for troubleshooting if AzFW would also log the fqdn the client is accessing (from TLS Client Hello packet) in addition to only the blocked IP from SYN packets.

      We are experiencing quite a lot of false positives for Google and GitHub shared IPs on fresh Win 10 VMs with basic dev tools like Chrome/VScode, and this would help pinpoint what legitimate fqdn the clients are trying to access.

      It's also quite…

      3 votes
      1 comment  ·  Azure Firewall
    6. Azure Firewall: more granular threat intel rules and actions

      Currently the only choices for TI are: Alert or Deny. It would be nice to have a choice of actions based on threat category/severities/confidence.

      For example: block high confidence matches while only alerting on medium risks.

      Sites like abuseipdb.com often provide a "Confidence of abuse" level to indicate how likely it is that a given ip is abused. I assume TI internally uses a similar rating that could be used?

      3 votes
      0 comments  ·  Azure Firewall
    7. Cheaper sku for Azure Firewall

      For small deployments, the current AzFW pricing is quite high. It would be very useful if we could also get a cheaper tier with lower specs for these smaller and dev environments.

      3 votes
      0 comments  ·  Azure Firewall
    8. Make WAF accept application/octet-stream

      We do POST requests with content type application/octet-stream with binary content in it (user uploads archived binary data to server), it triggers 920420 rule with critical score (it blocks request immediately).
      - According to OWASP mod-security 3.0 source code it checks for tx.allowed_request_content_type variable that contains list of allowed content types - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L991
      - By default tx.allowed_request_content_type contains application/octet-stream so OWASP accepts POST requests with this content type - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-901-INITIALIZATION.conf#L163
      - Looks like mod-security in Azure WAF has custom tx.allowed_request_content_type configuration without this content type

      It would be nice to synchronize mod-security…

      3 votes
      0 comments  ·  Azure Firewall
    9. Azure Firewall - Utilize Existing Subnet

      Azure Firewall should allow for deployment into an existing subnet, pending the requirements met for available IP address space.

      3 votes
      0 comments  ·  Azure Firewall
    10. FQDN tags for Office365 on Azure Firewall

      Office365 has plenty of domains. In case we need Office365 traffic via Azure Firewall, we have to retrieve all URLs and then add application rules accordingly. This will waste a lot of time.

      Please consider adding an FQDN tag for Office365 accordingly. Thank you!

      29 votes
      1 comment  ·  Azure Firewall
    11. FQDN tag in Azure Firewall for AzureMonitor

      FQDN tag in Azure Firewall for AzureMonitor

      1 vote
      0 comments  ·  Azure Firewall
    12. Diagnostic log for Azure Firewall includes rule collection name and priority for each entry

      The current log format for Azure Firewall is as follows; Rule Name and Priority Number are not supported by the Azure Firewall diagnostic log yet.

      We would like to suggest adding these two columns to the Azure Firewall diagnostic log. I believe it will help end users troubleshoot network connectivity in an effective way. Thank you!

      Application Rule.

      {
        "category": "AzureFirewallApplicationRule",
        "time": "2018-04-16T23:45:04.8295030Z",
        "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
        "operationName": "AzureFirewallApplicationRuleLog",
        "properties": {
          "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
        }
      }

      Network Rule.

      {
      "category": "AzureFirewallNetworkRule",
      "time": "2018-06-14T23:44:11.0590400Z",
      "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
      "operationName": "AzureFirewallNetworkRuleLog",
      "properties": {

        "msg":
      42 votes
      1 comment  ·  Azure Firewall
    13. Windows KMS servicetag is missing in Azure Firewall

      I have several Azure Firewall deployments with Windows servers. I'm looking for a KMS service tag. I cannot use an FQDN destination address because KMS is not using http/https. Could you please add this service tag?

      9 votes
      0 comments  ·  Azure Firewall
    14. Azure Firewall - FQDN Based NAT!

      I strongly hope AzureFirewall has "FQDN-based-Nat" function!!!

      23 votes
      triaged  ·  0 comments  ·  Azure Firewall
    15. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      triaged  ·  0 comments  ·  Azure Firewall
    16. Please add start / stop cmdlets (ex. Stop-AzFirewall / Start-AzFirewall)

      Could you please provide cmdlets like Stop-AzApplicationGateway / Start-AzApplicationGateway.

      The following steps are really complex. (Why doesn't Firewall keep VNet and Public IP information?)
      We need simpler steps for stopping and restarting Firewall because it's too expensive for PoC.
      If you can add cmdlets and portal UI, it would be really helpful for us.

      https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall

      46 votes
      triaged  ·  0 comments  ·  Azure Firewall
    17. FQDN like this 'gr-Prod-*.cloudapp.net' can not be set

      Even though this rule is mentioned in the docs here - https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration#fqdn-httphttps-dependencies, it's not possible to create because the portal says gr-Prod-*.cloudapp.net invalid FQDN.

      I know that ASE rules should be handled by Service Tags, but not in my case.

      6 votes
      triaged  ·  0 comments  ·  Azure Firewall
    18. Disable SNI TLS extension check on Azure Firewall

      We are getting a lot of "Action: Deny. Reason: SNI TLS extension was missing" on Azure Firewall Log, which causes application failure if client application doesn't support SNI at the time of client hello. Can we add a feature to support Disable SNI check on Firewall manually?

      23 votes
      triaged  ·  2 comments  ·  Azure Firewall
    19. Support to retrieve effective route of Azure Firewall

      I believe Azure Firewall doesn't support retrieving effective routes at this moment. If we advertise a lot of routes from on-premises or if we have a hub-spoke setup, it's hard for us to know how Azure Firewall forwards the traffic. Can we add this feature? Thanks!

      21 votes
      triaged  ·  0 comments  ·  Azure Firewall
    20. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics, the diagnostic log entry for Azure Firewall looks like below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purposes on the customer side, we want the rule collection name to be recorded as well, so that we know which rule the traffic hits.

      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      9 votes
      triaged  ·  2 comments  ·  Azure Firewall