Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Private NAT for VM outbound to on prem

      If an Azure VM sits in a vnet (call it app-vnet) peered with a vnet that's VPN connected (call it vpn-vnet) to on-prem, and the VM needs to establish connectivity with an on-prem VM, a NAT gateway cannot snat the traffic from app-vnet using an IP from vpn-vnet, since the only kind of outbound IP a NAT gateway can use is a public IP.
      I actually don't know what azure solution could snat from a vnet using a private outbound IP of another vnet... Azure Firewall maybe?

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  NAT  ·  Flag idea as inappropriate…  ·  Admin →
    2. Support IP address in Backend Pool (Azure Load Balancer)

      Currently you can only include VMs or VMSS within an Azure Load Balancer Backend Pool.

      If we could choose an IP Address we would be able to load balance other resources hosted in Azure as well.

      Our use case:
      Load balance DNS queries (over udp-53) to Azure Container Groups (private IP).

      22 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    3. Zone-redundant NAT Gateway

      Since subnets are regional, not zonal, and can only be associated with a maximum of one NAT gateway, it seems that deployments would be much simpler if NAT gateways were supported in a zone-redundant mode.

      This is something you offer with Standard Load Balancer, so why can't it be provided by NAT gateways?

      Currently, I either must: (1) forego any failure isolation promises and go with a regional NAT, or (2) double or triple the number of subnets I manage just so a zone-isolated NAT can be assigned to each. That makes a complicated, messy deployment that wasn't required for…

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  NAT  ·  Flag idea as inappropriate…  ·  Admin →
    4. Ability to select multiple protocols for NSGs

      Simplify creating NSG rules by allowing selecting one or multiple protocols for a single rule.

      For instance, 3389 requires both UDP and TCP. Instead of creating two seperate rules, one could simply select both TCP and UDP in a single rule.

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. It would be great if you could use Azure Load Balancer to load balance on-premises VMs. This would make migration to Azure easier.

      It would be great if you could use Azure Load Balancer to load balance on-premises VMs. This would be useful for hybrid environments. This would also make migration to Azure quicker and easier. Third party load balancers (e.g. F5) are incredibly expensive. A low-cost cloud alternative would be a big win.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    6. Load balancer Probe Latest Status in Portal

      Is it too much to ask for a simple red/green light in the portal that has the latest status for the last probe attempt for each load balancer rule?

      This would save countless hours of debugging and it is a basic tool available from all firewall vendors.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    7. Allow to add multiple Service Tags to NSG rule

      Allow to add multiple Service Tags to NSG rule. Right now we can add multiple subnets, ranges, IPs and ports, Great idea would be to add also multiple service tags to source/destination as now we create multiple rules for one host to multiple service tags.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    8. Could we add VMs in Load balancer backend pool even they are in the different peered Vnets in the future?

      Could we add VMs in Load balancer backend pool even they are in the different peered VNets in the future?

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    9. NSG service tag for AzureBastionSubnet

      When implementing complicated access controls inside a virtual network, we always need to allow connections from AzureBastionSubnet of the virtual network.

      It would be nice we have AzureBastionSubnet service tag which automatically describes a specific Azure Bastion subnet for each virtual network where resources NSG attached reside in.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    10. NSG Master Rule list

      NSG Master Rule list

      It should be possible to define the list of rules as a master list independent of NSG.
      Once defined, one should be able to use the rules with any NSG from the defined list.
      In most cases, we need to define the same rule again and again for different NSG.
      It becomes very difficult to maintain rules.

      There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
      Maybe while creating NSG, all rules in the group of master rule list should…

      26 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Allow ESP traffic through Azure Loadbalancer

      Azure Load Balancer, for external connections, can support only TCP (Protocol ID “6”) or UDP (Protocol ID “17”).

      It cannot support protocols like ICMP (Protocol ID “1”). As an example, also IPSec (and VPN using it) is not supported since you should open UDP port 500 (that is fine) and permit IP protocol numbers 50 and 51. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through Azure Load Balancer. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally,…

      65 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    12. VNet peering circular dependency reference due to cross 'dependsOn' between the two VNets

      When a peering is set up between two vNets, VNET1 and VNET2, there would be two 'dependsOn' properties in the template generated from the Automation script blade of the resource group. VNET1 would depend on VNET2, and VNET2 would depend on VNET1. This causes a circular dependency error and the deployment of the template would fail. If you manually remove the two 'dependsON' properties, the deployment would succeed with the same result. I think that this should be fixed, I found this suggestion in this post : https://techcommunity.microsoft.com/t5/Azure/Does-vNet-peering-cause-a-circular-dependency-error-in/m-p/369823#M3963

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    13. Support for VNET peering when deploying failover groups

      There is no support for VNET peering when deploying failover groups (one have to create new IPSec VPN tunnels to test failover across regions)

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    14. KMS / RHUI service endpoint

      Could you kindly add service endpoint for KMS and RHUI.
      It will really helpful for managing VMs without SNAT Public IP.

      58 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    15. Add Service Tags to Route Tables/UDR

      Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…

      34 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    16. Add a column to list CIDR ranges currently in use.

      Add a column to list CIDR blocks assigned to each VNET in the Virtual Network Blade. This would provide a quick reference to not overlap CIDR ranges when using multiple VNETS.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    17. Need a 1 to 1 mapping between data centers and the IP range list

      Trying to use Azure Backup to German Northeast and North Central US.

      Would be nice if there was a one to one mapping between the regions displayed here: https://azure.microsoft.com/en-ca/global-infrastructure/regions/

      and what is listed here: https://www.microsoft.com/en-us/download/details.aspx?id=41653

      Having problems guessing which region to use for the for following locations:

      German Northeast - options:

                  <Region Name="europeeast">

      <Region Name="europenorth2">

      <Region Name="europenorth">

      North Central US: options:

                  <Region Name="uscentraleuap">

      <Region Name="uscentral">

      <Region Name="usnorth">

      <Region Name="uswestcentral">

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    18. Azure DNS query log

      Hi,

      I would like to request Azure DNS Query Log. This will help us identify traffic hitting record name in the dns zone.

      Possible Log Sample

      Time-Stamp,SourceIP,RecondType,RecordName

      295 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    19. Change idle timeout shorter than 4 minutes.

      We can use TCP idle timeout 4 minutes which is minimum value. My App must configure shorter than 4 minutes. E,g 5sec, 10sec. I strong hope we can change its value configure shorter than 4 minutes.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    20. have the ability to use more than one asg in an nsg rule (separated with , for example)

      let's say that i have 2 apps that i want to be able to access any endpoint.

      APP A containing these servers:10.0.0.1,10.0.0.2
      and APP B: 10.0.0.4,10.0.05

      my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
      if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.

      will it be supported?

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 11 12
    • Don't see your idea?

    Feedback and Knowledge Base