Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Add ICMP NSG Security Rules support on Az/AzureRM PowerShell Modules

      Right now ICMP Security rules can be defined either via the AzCli or the Portal but can't be handled via the Az/AzureRM PowerShell Modules due to the lack of ICMP Protocol Support on them.

      Please add support for this.

      3 votes
      0 comments  ·  Network Security Groups
    2. Support IPsec (IP protocol 50/21) rules in Network Security Groups

      Support IPsec (IP protocol 50/51) rules in Network Security Groups. Right now the only support for IPsec through NSGs is to create a rule where port & protocol = *. This is too broad a rule. Please allow specifying IP protocols 50/51 within the rule definition, to support a rule that is specific to IPsec tunnels (which form after ISAKMP negotiates on UDP 500/4500, which is supported in NSG rulesets)

      1 vote
      0 comments  ·  Network Security Groups
    3. Service Tag for MDATP / Defender

      A Service Tag for MDATP and Microsoft Defender. I have tried adding the Azure Monitor and the Storage tags, but that didn't work.

      3 votes
      0 comments  ·  Network Security Groups
    4. Add Service Tag for PowerBI

      Add service Tag for PowerBI to avoid having to whitelist all Azure IP addresses for connectivity.

      6 votes
      0 comments  ·  Network Security Groups
    5. Make it possible to include Standard Load Balancer in Application Security Group (ASG)

      ASGs are really good and allow me to set granular NSG rules without hardcoding any IP addresses. I use ASGs for all my applications running on VMSS. Naturally I use Standard Load Balancer (SLB) in front of my VMSS.

      However, the SLB is not possible to include in my ASG (even though it's tightly coupled with the VMSS), which forces me to always create one NSG rule with ASGs (for the VMSS) and in addition another NSG rule specifically for the VIP of the SLB.

      I want the ability to include a Standard Load Balancer in an ASG, so that I…

      1 vote
      0 comments  ·  Network Security Groups
    6. Service tags based on country/ region assigned IP to implement Geoblocking At NSG LEVEL

      Service Tags for specific countries/regions (e.g. Middle East, India, South East Asia) that would contain the whole IP range for the selected country/region. This will help in geoblocking and reduce the rate of DDoS attacks.

      Azure/Microsoft can keep updating the list periodically.

      This will help in implementing geo-blocking at VM/Server level, as currently the NSG source address prefix has a limitation of 4000 IP addresses/CIDRs (countries like India/UAE have more than 10000 CIDRs).

      75 votes
      0 comments  ·  Network Security Groups
    7. Add ability to use source type "IP group" in NSG rules

      A nice new Azure feature is the option to create an "IP group", and it would be nice if we were able to use these "IP group(s)" in our NSG rules.

      https://docs.microsoft.com/en-us/azure/firewall/ip-groups

      21 votes
      0 comments  ·  Network Security Groups
    8. Service Tags for Windows Updates (WU) and RedHat Update Infrastructure (RHUI) suggestion

      I have been using Azure Automation's Update Management for VMs that are internet facing without issue, until I was required to use it on VMs in a non-internet facing (intranet) environment, where I stumble into a lot of NSG configuration complexity.

      Any chance of having these Service Tags?


      • AzurePlatformWU

      For example, having this Service Tag created for NSGs would let consumers configure Windows VM resources to utilise Azure Automation's Update Management feature, and allow Windows VMs to receive Windows Updates securely.

      The current problem is that Windows Updates can be distributed through multiple Windows Update URL endpoints…

      17 votes
      0 comments  ·  Network Security Groups
    9. Redesign default NSG rules to allow only VNET filtering

      When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that too much traffic will be allowed by default NSG rules on the hub and spoke vnets.
      (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

      The reason for this is the fact that the virtual network service tag "VirtualNetwork" will contain 0.0.0.0 as soon as we create a UDR 0.0.0.0 that points to the Azure Firewall.
      (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview)

      The default NSG rule 65000 "AllowVnetInBound" will by now accept source 0.0.0.0 to destination 0.0.0.0.
      The next rule (that we do need), 65001 "AllowAzureLoadBalancerInBound" will never be triggered,…

      15 votes
      0 comments  ·  Network Security Groups
    10. Ability to select multiple protocols for NSGs

      Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.

      For instance, 3389 requires both UDP and TCP. Instead of creating two separate rules, one could simply select both TCP and UDP in a single rule.

      2 votes
      0 comments  ·  Network Security Groups
    11. 1 vote
      0 comments  ·  Network Security Groups
    12. I need to see a SIMPLE ASCII LOG listing what traffic is being passed and what is being filtered.

      I need to troubleshoot why traffic is not passing a certain point.

      I NEED to see a SIMPLE ASCII LOG listing what traffic is being passed and what is being filtered. SIMPLE.

      I don't need to load THREE APPLICATIONS, WRITE CODE, Delve into a mess of complications and take FOUR DAYS OF MY TIME to navigate how to look at what should be an ASCII LOG.

      IT IS SIMPLE. Network Security gear has been doing this for DECADES!!! MAKE IT SIMPLE.

      I want to see Flow Logs from an NSG. SEE?!? SIMPLE.

      Let me click ONE THING to see the…

      1 vote
      0 comments  ·  Network Security Groups
    13. Massive facepalm Microsoft - How about enabling NSG ALLOW for new service tags AzurePlatformDNS AzurePlatformLKM AzurePlatformIMDS

      I want to DENY outbound Internet access (override the default)
      I want to ALLOW AzurePlatform services. Like KMS, DNS.
      Microsoft listens, and gives me new Service Tags - great - and then prevents me from using them??? WTH
      See error below (by the way, what do YOU think of the SPELLING ERROR in the message provided in the portal - it seems to underline the facepalm quite succinctly in my opinion)

      Failed to create security rule 'AllowAzurePlatformDNSOutbound'. Error: Security rule has invalid Accees type. Value provided: Allow Allowed values: Deny.

      26 votes
      1 comment  ·  Network Security Groups
    14. Can we add GEO service tag in NSG?

      Some customers need this feature since they want to quickly whitelist/blacklist requests from a given geographic region. Please consider adding this feature in the future.

      4 votes
      triaged  ·  0 comments  ·  Network Security Groups
    15. 4 votes
      triaged  ·  1 comment  ·  Network Security Groups
    16. Could we add a service tag for a specific country, like Singapore, for Network Security Groups?

      Could we add a service tag for a specific country, like Singapore, for Network Security Groups?

      We have some service tags for NSGs, like Internet/Virtual network.
      We have some feedback that customers need to allow/block traffic from a specific country for security reasons.

      Please advise.

      7 votes
      triaged  ·  0 comments  ·  Network Security Groups
    17. 1 vote
      triaged  ·  0 comments  ·  Network Security Groups
    18. Allow Custom Network Security Group rules based on custom tags

      One of the biggest issues I have with Azure’s interpretation of Security Groups is the inability to apply custom tags to the ruleset. I should be able to filter traffic based on tags I generated for my resources. A good example would be creating a tag on an Azure IaaS VM called “app-x-webserver” and then tagging my Azure SQL Db with “app-x-sqldb”.

      While I know that you can use an Application Security Group for the IaaS part, it’s not supported on PaaS. It also is limited to a specific vNET inside of a single Region. This severely limits the usefulness…

      2 votes
      triaged  ·  0 comments  ·  Network Security Groups
    19. Harmonize the offer types

      It would be nice to have a way to describe the reason for a given NSG rule.
      This would greatly simplify, for instance, bookkeeping for PCI DSS 3.1 item 1.1.6 which demands a business notification for each NSG rule.

      The Name field allows 80 chars, but typing a description there is just not the right thing, especially when you need to refer to a given rule while using CLI tools. Huge plus if it appears as a column while listing rules.

      1 vote
      triaged  ·  0 comments  ·  Network Security Groups
    20. Add support for Azure Network Security Group Inbound rules to the Azure Application Gateway

      • In Azure, we CANNOT apply an inbound NSG rule with the destination public IP of the APPGW to allow/block traffic to this APPGW. We know this is by design:
      Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
      • Even for VM level public IP, we cannot allow/block traffic via inbound subnet level NSG with that destination public IP
      • The workaround I can think of is to deploy each gateway to dedicated subnet then…

      27 votes
      triaged  ·  0 comments  ·  Network Security Groups