Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.


If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Send FIN after probe confirms healthy

      The current behaviour of the four way handshake of the health probe is to not send the FIN until the next probe is due.

      The FIN should be sent as soon as the health has been confirmed.

      For example:
      We've got an Azure Load Balancer running over a RabbitMQ cluster with a health probe set to check port 5672 every 60 seconds.

      A packet capture shows the following:


      1. Load balancer SYN

      2. RabbitMQ ACK

      3. Load Balancer ACK

      4. 10 seconds later RabbitMQ RST

      5. Another 50 seconds later Load Balancer FIN

      Azure load balancer documentation declares that it does a four way handshake…

      3 votes
      1 comment  ·  Load Balancer

      Thank you for the feedback. We don’t have any near term plans to change probe behavior.

      A possible workaround may be to use an HTTP endpoint and configure an HTTP probe or increase the RabbitMQ timeout.

      Or you can instead substitute Azure Service Bus, which also supports AMQP.
      — Christian

    2. standard internal loadbalancer

      Access to public addresses does not work for a standard internal load balancer (according to MS, by design). In order to be able to access public resources, a public IP needs to be assigned.
      However, there are cases where a public IP should not be assigned, to allow only private traffic. There are two services which however require (via UDR) access to public.
      Reaching the KMS license server (Windows) and Red Hat repositories (for both the recommendation is to use UDR).
      So access to those services is not possible once you do a standard internal loadbalancer and your policy prohibits use of public IP. …

      1 vote
      0 comments  ·  Load Balancer
    3. Azure SLB: suggestion for display of frontend ip addresses

      On the portal, we can see public IP address which is assigned to each VM in "overview" of VM resource.
      If VM is bound to loadbalancing rule or inbound NAT rule of SLB, SLB's frontend IP address is displayed in "Public IP address" field.

      However, even if SLB has multiple frontend addresses, not all public addresses are displayed; only a single public address is displayed in this field. Sometimes it confuses operators. Please consider modifying this as below:


      • not to display any frontend IP address of SLB in "Public IP address" field
        or

      • display all frontend IP…
      0 votes
      declined  ·  0 comments  ·  Load Balancer
    4. Azure standard loadbalancer - force all UDP traffic bidirectionally back over the LB

      Currently a single specific session with the same source and destination port on UDP will be routed correctly. But when the system behind the load balancer starts creating multiple sessions with the same destination port but different source ports (random), it will be routed directly back, bypassing the load balancer fully. This breaks functionality for certain UDP-based designs.

      Please make it possible to route the traffic always via the loadbalancer

      6 votes
      0 comments  ·  Load Balancer
    5. Allow Internal Load Balancer Internet Access

      In an Internal Azure Load Balancer {Standard SKU}, VMs within the Load Balancer do not have internet access except:
      1) If they have a public IP address
      2) If they are part of a public Load Balancer
      3) If they have load balancer rules statically configured.

      There are instances that VMs may need access to the internet as 'internal' servers may need internet access.

      I think there should be an option for "Allow VMs in this Internal LB to access the internet" on the internal load balancer. This would allow security checks for public certificate validation or other tests that…

      12 votes
      2 comments  ·  Load Balancer
    6. Provide rapid failover away from unhealthy and/or removed VMs from the Load Balancer backend pool

      Presently, the Standard SKU Load Balancer takes up to several minutes to stop sending traffic to backend VMs which have been identified as unhealthy by Health probes and/or have been manually removed from a backend pool through a configuration change.

      This delay prevents using the Load Balancer as an SLA/availability solution and is counter-intuitive. A preferable design would be to immediately cease sending any additional traffic to an unhealthy VM once it has been marked as unhealthy (unless it is the only VM in the backend pool.)

      6 votes
      0 comments  ·  Load Balancer
    7. Allow Basic Port Forwarding With Network Load Balancer for all Services

      Azure Network Load Balancer should support basic port forwarding, many customers have firewall rules that block PaaS Services. Today you can create a port forwarder with NLB, but only to its supported endpoints. Ideally you could forward to any Azure hostname or IP address.

      3 votes
      0 comments  ·  Load Balancer
    8. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      3 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass-through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
      — Christian

    9. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      0 votes
      0 comments  ·  Load Balancer
    10. Tcpdump and TCP session stats on Azure Standard LB

      Currently, there are bare minimum stats available for TCP sessions on Azure Standard LB. Can you add more traffic flow stats showing the client IP address hitting Azure LB?
      Secondly, tcpdump is the basic tool for operational troubleshooting.

      6 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. Load Balancer is a pass through network load balancer and does not terminate connections. The handshake is directly between the client and the application on a VM.

      You can use Network Watcher to initiate packet captures.
      — Christian

    11. Standard load balancer - last rule warning

      I just caused an outage, because I deleted the last rule of the standard frontend load balancer in front of the firewalls.
      The root cause is clear based on the documentation:
      "The Load Balancer resource must be configured with a load balancer rule to create a link between the public IP frontend with the backend pool."
      That means I am forced to have a rule, regardless of whether it is nonsense like some random high port, in order to enable the backend VMs to connect to the internet. So even if I do not want to have a connection from the internet, I still…

      1 vote
      0 comments  ·  Load Balancer
    12. Test alert for LoadBalancerAlertEvent.

      I can't confirm whether ALB can put diagnostic logs to a storage account. I hope we will be able to put test alert in future.

      3 votes
      0 comments  ·  Load Balancer
    13. How to configure SSL on Azure LoadBalancer

      Hi,

      We have configured 2 Windows resources and it has Apache server. Now we have enabled Load Balancer for these 2 instances and it's working fine.

      I need to configure SSL for the load balancer. Please share the steps/guide to configure SSL on Azure load balancer.

      1 vote
      0 comments  ·  Load Balancer
    14. Test alert for diag log.

      I want to confirm whether LB can send diagnostic log to the storage account but I couldn't happen to put any logs intentionally. So I hope we can use test alert for diagnostic log.

      3 votes
      1 comment  ·  Load Balancer
    15. 1 vote
      0 comments  ·  Load Balancer
    16. Support Proxy Protocol

      The current Azure Load Balancer implementation does not support the Proxy Protocol as AWS does (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html).

      This makes implementing Openshift on Azure troublesome as the real client IP is not available to backends (https://docs.openshift.com/container-platform/3.9/installconfig/router/proxyprotocol.html).

      The proxy protocol allows pass-through of real client IPs to the backend application for TCP load balancer setups. This may be particularly important for Openshift deployments or alike, where the certificate management should be done in the PaaS platform (on the router) and not on the ELB.

      Right now the Openshift template from MS (https://github.com/Microsoft/openshift-origin) uses TCP…

      3 votes
      4 comments  ·  Load Balancer

      Thank you for your feedback.

      Azure Load Balancer does not terminate connections, it is not a proxy, and does always preserve the source IP address of the inbound flow.

      We don’t provide logging from the Load Balancer resource itself, but you can use NSG flow logs to retrieve flow information as needed.

    17. PowerShell Command for Associating Backend Pools to InboundNAT rules on a Load Balancer

      Need a PowerShell command to allow association of an existing Backend Pool to an InboundNAT rule as currently this can only be achieved manually after rule creation and is extremely tedious and time consuming.

      3 votes
      0 comments  ·  Load Balancer
    18. Add Load Balancer backend IP

      Load balancers should have a backend IP so traffic can be sent to it to initiate a flow from the other side.

      The reason this feature is very helpful is when you're using a Virtual Network Appliance ( VNA ) in HA. HA requires we use load balancers on each side of the VNA ( firewall in this case ). The problem with not having a backend IP the flow from inbound and outbound originated traffic doesn't follow the same path in and out bound.

      This leads to some creative solutions that aren't ideal. Really, Azure should be working more…

      6 votes
      1 comment  ·  Load Balancer
    19. loadbalancer inbound NAT rule to arbitrary IP

      Having an IPSec to on-prem, I would like to leverage an Azure Load Balancer to provide inbound NAT to services hosted on a private network (across the IPSec tunnel).

      Currently LB's can only direct to VM or Availability Set, not user specified IPs.

      It might make sense to create a "Private IP Address" resource type that would identify the 1..N addresses that the LB is NAT'ing to... or just let me plug in 1..N addresses.

      3 votes
      0 comments  ·  Load Balancer
    20. SLBv2 HAPort Preview

      For the HAPort Feature just announce preview on Ignite 2017, after register the preview feature from cli, try to create ha rule but failed with error
      Failed to save load balancer rule 'harule'. Error: Subscription 4507938f-a0ac-4571-978e-7cc741a60af8 is not registered for feature Microsoft.Network/AllowILBAllPortsRule required to carry out the requested operation

      1 vote
      0 comments  ·  Load Balancer