Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
Load Balancer and Public IP SKU.
There must be an option of upgrading Public IP SKU from Basic to Standard without losing the static PIP, as it is creating a big roadblock when we do any planning like moving an existing PIP behind any NVA Standard Load Balancer.
If any existing production servers are already running on a Basic PIP then it is very tough to make any decisions to upgrade the SKU or move it behind any Standard ELB. Need suggestions here on how and until what time we can overcome this.
899 votes
Thank you for the feedback. We are working on prereqs to make this possible. Not in scope for CY2019.
— Christian
Drain/admin endpoint control for Load Balancer
Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.
572 votes
We’re working on planning this feature.
— Christian
Support SNAT on internal Azure load Balancer
Currently it seems Azure Internal Load Balancer does not support Source NAT.
This means that if 2 different services are hosted on 2 different VMs and the VMs are on the same vnet, the traffic is not load balanced if the ILB routes the traffic to the same VM that started the request.
example:
Service A (exposed on port x) and B (exposed on port y) are hosted on VM 1 and VM2 on the same vnet.
Service A has VIP z and Service B has VIP m.
if service A is recalled via VIP z from VM 1 and ILB…
246 votes
We don’t have plans to provide this in the near term. There’s a potential workaround by using VMs with multiple interfaces. I’ve added documenting this scenario to our doc backlog.
— Christian
HA Ports for Standard load balancers with Public IP
Current review of HA ports only supports Internal LB without any public IP attached. The majority of NVA deployments are with Public IP attached to the LB.
190 votes
Not currently in plan. We are exploring other solutions for this scenario.
— Christian
Active / passive load balancing without the dependency of the cluster service.
149 votes
We are looking at ways to support this scenario where one active instance/one or more passive instances can be supported and flows are not impacted.
— Christian
Increase Idle Timeout on Internal Load Balancers to 120 Mins
We use Azure Internal Load Balancers to front services which make use of direct port mappings for backend connections that are longer than the 30 min upper limit on the ILB. That is, our ILBs accept port connections on a nominated set of ports and pass those connections to the backend services running on the same ports.
We are experiencing dropped TCP connections from clients connecting to the backend services via the ILB. After investigating the issue in collaboration with the Azure Networking Team it was verified that altering the default OS TCP keep alive duration to below 30 mins would…
129 votes
With Standard internal LBs, you can also enable TCP Reset on Idle timeout. We will send TCP RST at the time of idle timeout to both client and server side. This is documented at https://aka.ms/tcpreset and may resolve some of these issues by notifying the client to reestablish the connection.
We are exploring additional options for this scenario as well. More soon.
— Christian
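The two client-side measures discussed in this thread, keeping the OS TCP keep-alive timers below the load balancer's idle timeout and re-establishing a connection when the load balancer answers an expired flow with RST, in code. This is an added example, not code from the thread or from any Azure SDK: the 30 minute ceiling, the probe count and the reset-once stand-in connection are constructed for the demo, and the socket option names are the Linux ones with a macOS fallback (Windows would need `sock.ioctl(socket.SIO_KEEPALIVE_VALS, ...)`, which is not shown).

```python
import socket

# Constructed value for this demo: the 30 minute idle-timeout ceiling the post above
# runs into. Nothing here queries Azure; adjust to the timeout configured on your LB.
LB_IDLE_TIMEOUT_S = 30 * 60


def keepalive_params(idle_timeout_s: int, probes: int = 3) -> tuple[int, int, int]:
    """Pick (idle, interval, count) so keepalive traffic crosses the load balancer
    before its idle timer expires.

    idle     : seconds of silence before the first keepalive probe (half the LB timeout)
    interval : seconds between unanswered probes
    count    : unanswered probes before the OS declares the peer dead
    The whole sequence (idle + interval * count) still finishes inside the LB timeout,
    so a dead peer is noticed before the LB silently drops the flow.
    """
    if idle_timeout_s < 2 * (probes + 1):
        raise ValueError("idle timeout too small to fit a keepalive probe sequence")
    idle = idle_timeout_s // 2
    interval = max(1, (idle_timeout_s - idle) // (probes + 1))
    return idle, interval, probes


def apply_keepalive(sock: socket.socket, idle_timeout_s: int = LB_IDLE_TIMEOUT_S) -> dict:
    """Enable keepalive on a TCP socket and set the timers where the platform exposes them.
    Returns the values read back from the kernel so callers can log what took effect."""
    idle, interval, count = keepalive_params(idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    names = [("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)]
    if not hasattr(socket, "TCP_KEEPIDLE") and hasattr(socket, "TCP_KEEPALIVE"):
        names.insert(0, ("TCP_KEEPALIVE", idle))  # macOS spelling of the idle timer
    for name, value in names:
        opt = getattr(socket, name, None)
        if opt is None:
            continue  # platform does not expose this timer; the OS default applies
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_demo_socket(idle_timeout_s: int = LB_IDLE_TIMEOUT_S) -> dict:
    """Create a TCP socket, apply the keepalive settings and return what was read back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return apply_keepalive(sock, idle_timeout_s)


def call_with_reconnect(connect, payload: bytes, attempts: int = 2) -> bytes:
    """Send payload over a connection returned by connect(). If the peer answers with RST
    (a Standard LB with TCP Reset on idle timeout does this for a flow it already expired),
    discard the stale connection and retry on a fresh one."""
    last_exc = None
    for _ in range(attempts):
        conn = connect()
        try:
            conn.sendall(payload)
            return conn.recv(65536)
        except ConnectionResetError as exc:
            last_exc = exc  # the LB no longer knows this flow; reconnect instead of failing
        finally:
            conn.close()
    raise last_exc


class _ResetOnceConnection:
    """Constructed stand-in for a socket whose first use is answered with RST."""

    def __init__(self, reset: bool):
        self.reset = reset

    def sendall(self, data: bytes) -> None:
        if self.reset:
            raise ConnectionResetError("simulated RST from the load balancer")

    def recv(self, bufsize: int) -> bytes:
        return b"pong"

    def close(self) -> None:
        pass


def reconnect_demo() -> tuple[bytes, int]:
    """Run call_with_reconnect against the stand-in; returns (reply, connections opened)."""
    opened = []

    def connect():
        opened.append(1)
        return _ResetOnceConnection(reset=len(opened) == 1)

    return call_with_reconnect(connect, b"ping"), len(opened)


if __name__ == "__main__":
    print(keepalive_demo_socket())
    print(reconnect_demo())
```

Halving the LB timeout for the first probe leaves room for a full probe sequence to complete before the load balancer's timer fires, which matters because a keepalive that arrives after the LB has dropped the flow only confirms the problem instead of preventing it.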
Azure Loadbalancer must delete unhealthy VM of Azure VMSS
I have created an Azure VMSS behind a public Azure Std LB with an HTTP based health probe. Azure Load Balancer is working as per expectation. But if a VM is unhealthy then it must be deleted or re-provisioned, so that the machine can attain a healthy state again.
101 votes
I’d like to ask you for more feedback on this request please. Load Balancer doesn’t control the VMSS. I think what you’re looking for is a way for VMSS to replace any instances with a LB health probe status of 0. I’ve reached out to VMSS team to get their input. LB is likely not the right place to do this.
— Christian
Azure load balancer currently doesn't report the status of backend pool VMs based on health probes.
Azure load balancer should report the status of backend pool VMs based on the health probes we have created and not just report if the VM is running or not. Recently one of my backend pool VMs went into high load and it took me minutes to identify the problematic one. LB was not sending any traffic to this VM; however, the portal was still showing it as 'Running' instead of "Unhealthy" or "Failed". This would save a lot of time and it will be easy to see the health of backend pool VMs.
79 votes
Allow ICMP ping to VIP (Allow Ping inbound)
Vote for allowing UDP through the firewall, such as ping inbound, because ping is the minimal requirement for so many apps.
62 votes
Please use TCP ping as a workaround. No near term plans to process ICMP on Load Balancer as it is a UDP/TCP product.
— Christian
Allow ESP traffic through Azure Loadbalancer
Azure Load Balancer, for external connections, can support only TCP (Protocol ID “6”) or UDP (Protocol ID “17”).
It cannot support protocols like ICMP (Protocol ID “1”). As an example, also IPSec (and VPN using it) is not supported since you should open UDP port 500 (that is fine) and permit IP protocol numbers 50 and 51. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through Azure Load Balancer. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally,…
49 votes
Need to investigate when this can be allowed on Standard LB.
— Christian
Standard Load Balancer should support using an "internal" IP address for probing the ports.
The Standard Load Balancer and HA ports are recommended for load balancing firewall appliances. However, the Load Balancer probe uses a common IP address for internal and external load balancers. This means that only the internal or external ports can be load balanced, which means that a messy Zookeeper alternative must be built to monitor the firewall availability.
43 votes
Typically this is addressed by SNAT’ing the probe source on the interface within the VM. This is how virtual appliances (firewalls, etc) typically address this scenario. Changing the probe source is non trivial and not likely in the near term.
— Christian
allow custom host header for azure load balancer health probes
HTTP health probes for Azure load balancer are hard-coded to use the IP of the backend as their host header. This forces the backend hosts to be configured to allow their IP as one of their allowed domains. It's very surprising that Azure doesn't support a custom host header for HTTP(s) health probes. Please add custom headers for HTTP(s) health probes; at least, host header support should be there.
41 votes
Thank you for the feedback. Need to investigate what is possible.
— Christian
Allow Upgrade or Swap VIP also when number of endpoints has been changed
Or allow the external IP address to be fixed/allocated to the Hosted Service.
The scenario is that during the lifetime of the application you may need to modify the number of endpoints, and re-deploy the solution BUT KEEP PUBLIC IP.
The best would be if Swap VIP could handle this - to avoid downtime, but I am willing to have some downtime as long as Upgrade is supported. This is to avoid service unavailable during the time DNS CNAME records are updated.
41 votes
Understand the ask. Need to see when we can fit this in for Standard LB.
— Christian
Allow Selection of VMs within Availability set/VMSS for standard LB backend pool
It would be great to allow selection of VMs within an availability set for the standard SKU Load Balancer backend pool.
The feature does exist in Basic only, not in Standard, even though the documentation mentions that it supports it.
For example, I have a client that needs to add only 50 VMs within an AV in a VNET that hosts over 500 VMs. Yet when going to the backend pool of the standard LB it shows all of the 500 VMs; if there were a filtering way to only show a specific AV that would be…
38 votes
Thanks for the feedback. This is in backlog for portal.
— Christian
TLS termination of TCP/TLS traffic
It would be useful for Azure Load Balancer to support TLS termination / offloading when using TCP/TLS traffic.
Application Gateway can do it for HTTPs traffic but there is no way to do it for other protocols based on TLS.
AWS can do it with the Network Load Balancer tier of AWS Elastic Load Balancing.
31 votes
Thank you for the feedback. Not on near term roadmap.
— Christian
Add Outbound internet traffic routing capability for Azure Internal Load balancer
The Azure Internal Load Balancer - Standard Tier has a limitation on outbound connectivity for Azure VMs that do not have a Public IP associated with them.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
We have Azure Microsoft SQL Virtual Machines that should not have any Public IP associated with them for security reasons. We had to use Azure ILB for the MS SQL Always ON configuration. We had to use some of the Standard Tier features. We are having issues with outbound connectivity for the configuration. It would be ideal if Microsoft could also add to the Standard SKU the outbound connectivity feature available in the Basic SKU.
22 votes
Global Anycast Load Balancer
Enable Load Balancer to serve multiple regions via a single global IP using anycast. GCP does this today. In Azure, you must use Traffic Manager and manually configure for the same effect. Also TM doesn't validate HTTPS while LB can.
19 votes
Please reach out with more details on your scenario.
— Christian
Add the option of outbound rule on Azure portal
When we want to set the outbound rule for Azure load balancer, there are just two methods to configure that: one is Resource Explorer; the other is Azure CLI. The configuration methods are recorded in the document below:
https://docs.microsoft.com/en-au/azure/load-balancer/load-balancer-outbound-rules-overview
But neither is good enough for deployment. Please kindly add this function on the portal.
13 votes
This is in our near term backlog to expose in portal. You can use Azure CLI, PowerShell, SDK, or templates in the meantime.
— Christian
Allow moving a Standard SKU Load balancer between Resource Groups like possible with the basic one
While an in-place upgrade from Basic to Standard is not an option, this might help with the manual upgrade or even general maintenance of the service.
7 votes
Azure load balancer probe service
Currently you need to provide a custom probe service, or use applications (e.g. SQL Always-On Availability Group) which have built-in probe services, or use other services' ports (e.g. RPC 135) for the probe service. Would it be possible to provide a probe service application that you can install as a service on the nodes instead of having to write your own probe service? I have seen some C# samples of such TCP port probe services, which you could install as a service, but it would be better to have an official one in case there are improvements, updates or changes…
6 votes
Can you please reply with details on the scenario and how you envision this to work?