Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Native support for isolating traffic to a specific Front Door

      Most users are not aware that it is possible to bypass the specific Front Door instance by using another Front Door, see https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door

      What I would like is native support for validating the X-Azure-FDID header in, e.g., an Application Gateway. With no native Azure service able to allow or deny traffic based on that specific header, it is left to the application developers to do.

      6 votes
      0 comments  ·  Azure Front Door Service
    2. Configurable Timeout when route caching is enabled

      Front Door currently has a sendRecvTimeoutSeconds to configure the timeout for backend requests. However as spoken to a Microsoft technician (after raising an Azure ticket), this setting does not apparently apply to when the Front Door routing has caching enabled. If so it defaults to 30 seconds.

      This behaviour is very misleading and should be documented on this page https://docs.microsoft.com/en-us/azure/frontdoor/front-door-troubleshoot-routing#503-response-from-front-door-after-a-few-seconds .

      Furthermore, it is a huge downside to using Front Door if caching routes timeout within 30 seconds and this is not configurable.

      The Microsoft technician mentioned this issue is being addressed, however can we expect this to be available?

      3 votes
      0 comments  ·  Azure Front Door Service
    3. Fallback to secondary region of RA-GRS storage endpoints for AzureFD

      With a storage account configured with RA-GRS, it would be nice if Azure FD, when using a backend pointing to a storage account, used the primary endpoint as Priority 1 and the secondary endpoint as Priority 2. Currently this needs to be configured manually with the 'Custom Host' type.

      3 votes
      0 comments  ·  Azure Front Door Service
    4. Support Condition element in Front Door ARM Templates

      The condition element allows more general purpose templates to be authored, for example a single template that supports parameterising whether a custom front end is created. Currently when trying to use the Condition element on the Front End Endpoint as per the ARM snippet below the following error is received

      Template deployment returned the following errors:
      12:40:27 - 12:40:26 PM - Resource Microsoft.Network/frontdoors 'fd-uks-########-01' failed with message '{
      12:40:27 - "error": {
      12:40:27 - "code": "InvalidResource",
      12:40:27 - "message": "The property 'condition' does not exist on type 'Microsoft.Azure.FrontDoor.Models.DeepCreatedResource_1OfFrontdoorFrontendEndpoint'. Make sure to only use property names that are defined by the…

      3 votes
      0 comments  ·  Azure Front Door Service
    5. Private Endpoint support in Front Door

      Front Door is useful for private networking scenarios as well as public. For example we are beginning to use it as a routing for Blue/Green Deployments of our internal apps.

      To keep the apps secure, we want to have a private traffic route into the Front Door and also out to the backends.

      This could be by the new Private Endpoints. There is also a separate feature request on here for VNet support.

      3 votes
      0 comments  ·  Azure Front Door Service
    6. Azure Front Door needs to do name checking on custom Azure web app SSL certificates

      If you have an Azure web app with a custom domain certificate that has been working fine for a long time, and you then move that web app behind an Azure Front Door front end, the SSL certificate presently bound to the web app breaks Front Door. Front Door "add a front end" should check that the name used by the HTTPS probe to determine back end health matches the name on the custom domain certificate at that moment.

      13 votes
      1 comment  ·  Azure Front Door Service
    7. Allow front door service URL Rewrite to file instead of path

      Reopening https://feedback.azure.com/forums/217313-networking/suggestions/36442486-allow-front-door-service-url-rewrite-to-file-inste as it was marked as closed when it is not supported

      As original idea:
      "Allow URL Rewrite to rewrite a path to a file. This would enable users to host single page applications using front door."

      In a SPA application (Angular, Vue or React), we need request paths to be rewritten to a single file (i.e. /index.html) as routing is managed by the application itself in JS code.

      The problem occurs when someone tries to access SPA URLs. Azure Front Door forwards to resources which don't exist and 404 response is returned which causes serious issues with many…

      24 votes
      3 comments  ·  Azure Front Door Service
    8. Add support for Let's Encrypt as a CA in Azure Front Door

      Add support for allowing Let's Encrypt as valid CA.

      Buying SSL Certificate is an expensive affair and having Let's Encrypt as valid CA would increase Front Door's adoption.

      One situation it will be really helpful is while using an Apex domain with Front Door.

      4 votes
      0 comments  ·  Azure Front Door Service
    9. Add a URL Shortener / Short URL service to Front Door

      I have a map of rules that require redirects (301) and more flexible links for future maintenance -- similar to aka.ms or https://redirectiontool.trafficmanager.net tool that Microsoft uses internally.

      It'd be useful to have a service in Azure that provides these redirects backed by the CDN network (just how Azure Front Door works).

      I have thousands of these rules -- the costing per Routing rule would be too expensive to justify. Costing wise, perhaps redirects with no rewrites could be excluded from Routing Rules costs (or at least significantly cheaper)?

      9 votes
      0 comments  ·  Azure Front Door Service
    10. Make backend host header field behave consistently with portal

      Currently the behavior of a backend's "Backend Host Header" field behaves differently when you use the azure portal compared to when you use automation like ARM or Terraform.

      The documentation here states: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-backend-pool#feedback

      > For example, a request made for www.contoso.com will have the host header www.contoso.com. If you use Azure portal to configure your backend, the default value for this field is the host name of the backend. If your backend is contoso-westus.azurewebsites.net, in the Azure portal, the autopopulated value for the backend host header will be contoso-westus.azurewebsites.net. However, if you use Azure Resource Manager templates or another…

      9 votes
      0 comments  ·  Azure Front Door Service
    11. Add X-Azure-Client-IP-Country header to headers set by Front Door

      It would be really nice to have the country of the originating IP address of the request available in the request headers, similar to Cloudflare's X-CF-IPCountry header.

      While Azure Front Door does provide routing rules depending on country, in my case the route is accessible globally but validation depends on the country of the originating IP address. Having it available in the header saves me an additional call to an IP Geolocation service.

      14 votes
      0 comments  ·  Azure Front Door Service
    12. Expand Azure Front Door Compression Support

      Currently AFD only performs compression when CDN caching is enabled and when the cached files are 8MB or less in size.

      These two limitations create problems in some scenarios - especially when large 3rd party JavaScript libraries are being leveraged and an external CDN can't be used for those libraries.

      Please allow for compression to be enabled independently of caching, and allow for files larger than 8MB to be compressed.

      25 votes
      0 comments  ·  Azure Front Door Service
    13. Front Door: Geo-based traffic routing

      Our application suite currently relies on Azure Traffic Manager to direct traffic from clients to App Services in different Azure Regions based on the clients' geographical origin (IP location).

      Traffic Manager works on the DNS name resolution level, not on the HTTP level, and therefore Traffic Manager has no way to identify the CLIENT IP address, rather the DNS SERVER that the client is configured to use through its IP-configuration (that was typically assigned to the CLIENT in the DHCP IP Lease).

      Since Traffic Manager can't detect clients' IP addresses and thereby geolocations, this is not precise enough for us;…

      74 votes
      0 comments  ·  Azure Front Door Service
    14. Enable FrontDoor managed certificates for wildcard domains

      Right now FrontDoor accepts wildcard domains but we have to bring our own certificates.

      https://docs.microsoft.com/en-us/azure/frontdoor/front-door-wildcard-domain
      > Currently, only using your own custom SSL certificate option is available for enabling HTTPS for wildcard domains. Front Door managed certificates cannot be used for wildcard domains.

      Having FD manage all SSL matters is a time saver for us!

      40 votes
      0 comments  ·  Azure Front Door Service
    15. Provide Example to connect Front Door with Azure Load Balancer

      Currently no example is provided to showcase connectivity between Azure Front Door and Azure Load Balancer. Although your FAQ states it should work, there is no proof anywhere, and any combinations tried in a live subscription to make this work lead nowhere.

      1 vote
      0 comments  ·  Azure Front Door Service
    16. Azure Front Door WAF should scan POST requests with content-type multipart

      At the moment the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. The Microsoft Support team advised that this is the case. For example, if I send the following request through Azure Front Door with OWASP DefaultRuleSet enabled on its WAF:
      POST:

      content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO

      Form Data:
      958127ef-8053-4054-811e-49d54be8a09f: <script>alert('hello');</script>

      The WAF does not detect the XSS threat simply because of the content-type.

      This is fundamental to have in a service dedicated to protect backend systems. I am conscious this is currently being worked, however what is…

      25 votes
      0 comments  ·  Azure Front Door Service
    17. API ability to determine when Azure Front Door replication has succeeded to the POP servers

      When making backend changes to Front Door, there is no way to determine when this change has succeeded, nor is there any SLA provided for how long this could take. There needs to be a way via API that we can know for sure replication to the POP servers has succeeded (or failed).

      36 votes
      0 comments  ·  Azure Front Door Service
    18. Log the violating field for Azure Frontdoor WAF logs

      Azure Front Door WAF logs currently indicate the violated rule name (ruleName_s) but it does not include the field (cookie name, query parameter name, etc) that was responsible for the action being invoked.

      This makes investigating false positives difficult.

      From what I can see in the Application Gateway documentation, its WAF looks like it does give you information about the details of the violation:
      https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

      1 vote
      0 comments  ·  Azure Front Door Service
    19. Support User-agent http header for Azure FrontDoor

      Support for User-Agent HTTP header.
      It could be very useful to be able to redirect to a specific backend using the User-Agent header (iOS ...).

      Actually the only way I found to achieve this is to put another Nginx in front of Front Door to redirect to a specific host.

      6 votes
      0 comments  ·  Azure Front Door Service
    20. Why does front door remove Authorization Headers when we do a Redirect?

      I have a set of APIs built using web service (legacy) and I have created a new set of APIs using Azure functions. Now I want all my legacy API to route to Azure Function.

      I tried the Azure Front Door service redirect to achieve the functionality. I was able to redirect but the request headers are missing in the redirected requests. Not sure why Azure Front Door is removing them?

      4 votes
      0 comments  ·  Azure Front Door Service