Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Add ability to use source type "IP group" in NSG rules

      A nice new Azure feature is the option to create an "IP group", and it would be nice if we were able to use these "IP group(s)" in our NSG rules.

      https://docs.microsoft.com/en-us/azure/firewall/ip-groups

      9 votes
      0 comments  ·  Network Security Groups
    2. Service Tags for Windows Updates (WU) and RedHat Update Infrastructure (RHUI) suggestion

      I have been using Azure Automation's Update Management for VMs that are internet facing without issue until I was required to use it on VMs in a non-internet-facing (intranet) environment, where I stumbled into a lot of NSG configuration complexity.

      Any chance of having these Service Tags?


      • AzurePlatformWU

      For example, having this Service Tag created for NSG in order for consumers to configure Windows VM resources to utilise Azure Automation's Update Management feature, and allow Windows VMs to receive Windows Updates securely.

      The current problem is that Windows Updates can be distributed through multiple Windows Update URL endpoints…

      6 votes
      0 comments  ·  Network Security Groups
    3. Redesign default NSG rules to allow only VNET filtering

      When using a hub-spoke model with an Azure Firewall in the hub vnet, we are facing the issue that too much traffic will be allowed by default NSG rules on the hub and spoke vnets.
      (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)

      The reason for this is the fact that the virtual network service tag "VirtualNetwork" will contain 0.0.0.0 as soon as we create a UDR 0.0.0.0 that points to the Azure Firewall.
      (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview)

      The default NSG rule 65000 "AllowVnetInBound" will by now accept source 0.0.0.0 to destination 0.0.0.0.
      The next rule (that we do need), 65001 "AllowAzureLoadBalancerInBound" will never be triggered,…

      15 votes
      0 comments  ·  Network Security Groups
    4. Ability to select multiple protocols for NSGs

      Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.

      For instance, 3389 requires both UDP and TCP. Instead of creating two separate rules, one could simply select both TCP and UDP in a single rule.

      2 votes
      0 comments  ·  Network Security Groups
    5. 1 vote
      0 comments  ·  Network Security Groups
    6. I need to see a SIMPLE ASCII LOG listing what traffic is being passed and what is being filtered.

      I need to troubleshoot why traffic is not passing a certain point.

      I NEED to see a SIMPLE ASCII LOG listing what traffic is being passed and what is being filtered. SIMPLE.

      I don't need to load THREE APPLICATIONS, WRITE CODE, Delve into a mess of complications and take FOUR DAYS OF MY TIME to navigate how to look at what should be an ASCII LOG.

      IT IS SIMPLE. Network Security gear has been doing this for DECADES!!! MAKE IT SIMPLE.

      I want to see Flow Logs from an NSG. SEE?!? SIMPLE.

      Let me click ONE THING to see the…

      1 vote
      0 comments  ·  Network Security Groups
    7. Massive facepalm Microsoft - How about enabling NSG ALLOW for new service tags AzurePlatformDNS AzurePlatformLKM AzurePlatformIMDS

      I want to DENY outbound Internet access (override the default)
      I want to ALLOW AzurePlatform services. Like KMS, DNS.
      Microsoft listens, and gives me new Service Tags - great - and then prevents me from using them??? WTH
      See error below (by the way, what do YOU think of the SPELLING ERROR in the message provided in the portal - it seems to underline the facepalm quite succinctly in my opinion)

      Failed to create security rule 'AllowAzurePlatformDNSOutbound'. Error: Security rule has invalid Accees type. Value provided: Allow Allowed values: Deny.

      25 votes
      1 comment  ·  Network Security Groups
    8. Can we add GEO service tag in NSG?

      Some customers need this feature since they want to quickly whitelist/blacklist requests from a given geographic region. Please consider adding this feature in the future.

      3 votes
      triaged  ·  0 comments  ·  Network Security Groups
    9. 4 votes
      triaged  ·  1 comment  ·  Network Security Groups
    10. Could we add service tag about specific country like Singapore for Network Security Group?

      Could we add a service tag for a specific country like Singapore for Network Security Groups?

      We have some service tags for NSG like Internet/Virtual network.
      We have some feedback that customers need to allow/block traffic from a specific country for security reasons.

      Please advise.

      3 votes
      triaged  ·  0 comments  ·  Network Security Groups
    11. 1 vote
      triaged  ·  0 comments  ·  Network Security Groups
    12. Allow Custom Network Security Group rules based on custom tags

      One of the biggest issues I have with Azure’s interpretation of Security Groups is the inability to apply custom tags to the ruleset. I should be able to filter traffic based on tags I generated for my resources. A good example would be creating a tag on an Azure IaaS VM called “app-x-webserver” and then tagging my Azure SQL Db with “app-x-sqldb”.

      While I know that you can use an Application Security Group for the IaaS part, it’s not supported on PaaS. It also is limited to a specific vNET inside of a single Region. This severely limits the usefulness…

      2 votes
      triaged  ·  0 comments  ·  Network Security Groups
    13. Harmonize the offer types

      It would be nice to have a way to describe the reason for a given NSG rule.
      https://www.ckitchen.com/
      This would greatly simplify, for instance, bookkeeping for PCI DSS 3.1 item 1.1.6 which demands a business notification for each NSG rule.

      The Name field allows 80 chars, but typing a description there is just not the right thing, especially when you need to refer to a given rule while using CLI tools. Huge plus if it appears as a column while listing rules.

      1 vote
      triaged  ·  0 comments  ·  Network Security Groups
    14. Add support for Azure Network Security Group Inbound rules to the Azure Application Gateway

      • In Azure, we CANNOT apply an inbound NSG rule with the destination public IP of an APPGW to allow/block traffic to this APPGW. We know this is by design:
      Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
      • Even for VM level public IP, we cannot allow/block traffic via inbound subnet level NSG with that destination public IP
      • The workaround I can think of is to deploy each gateway to dedicated subnet then…

      27 votes
      triaged  ·  0 comments  ·  Network Security Groups
    15. Allow Application Security Groups to Include load balanced IP

      Very often Application Servers are Load Balanced and there is currently no way to put the virtual IP address into the application security group.

      4 votes
      triaged  ·  0 comments  ·  Network Security Groups
    16. Add FQDN/URL in Azure NSG

      <Add FQDN/URL in Azure NSG (Network Security Group)>

      Could we add the feature to add FQDN/URL in Azure NSG (Network Security Group)?

      We have some scenarios where customers want to whitelist FQDNs and URLs like .msftauth.net & .msauth.net. These FQDNs don't have a fixed IP range and we cannot add IPs in the NSG.

      38 votes
      2 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    17. NSG Master Rule list

      NSG Master Rule list

      It should be possible to define the list of rules as a master list independent of NSG.
      Once defined, one should be able to use the rules with any NSG from the defined list.
      In most cases, we need to define the same rule again and again for different NSG.
      It becomes very difficult to maintain rules.

      There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
      Maybe while creating NSG, all rules in the group of master rule list should…

      26 votes
      1 comment  ·  Network Security Groups
    18. Allow the Front Door WAF to block/allow by the Socket IP, and not just the Client IP

      Currently, the option to block by IP on the Azure Front Door WAF only allows you to block by the RemoteAddr IP, which is the Client IP. We use a reverse proxy so need the ability to block by what is called the SocketIP in the Azure WAF Logs.

      15 votes
      0 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    19. ASG across vNets

      ASGs are absolutely wonderful stuff. It would be good to have the added features of ASGs across subscriptions/VNets and any possibility of specifying hostnames.

      17 votes
      0 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    20. storage account firewall - Add inbound service tags for storage account.

      At the moment, storage account firewall can only be configured to "Allow Trusted MS Services" and the whitelisting of IPs/IP ranges.

      Our Power BI service needs to be able to access our storage account with storage account firewall enabled.

      Currently we have to manually whitelist data center IP ranges in order for this to work.

      Please add the ability to add inbound service tags for storage account firewall like you can with NSGs and add Power BI and other MS services to the "Allow Trusted MS Services".

      Thank you.

      93 votes
      1 comment  ·  Network Security Groups