Currently, Application Gateway rules support only path matches with a wildcard at the end of the string.
For us this means reworking our routing strategy, as the first part of our route is dynamic: /<domain>/<controller> (e.g. /sales/process). The controllers are shared among domains. Domains can be dynamically created, which prevents us from directly using the current feature to separate only the 'process' controller into a standalone backend pool.
We would prefer to be able to define something like '/[a-z]+/process.*' as a matching criterion.
70 votes
We have started working on this. ETA is Q3 this CY.
I want to be alerted when my metered ExpressRoute is reaching a certain limit (that it is cheaper for me to go with the unlimited model).
Overall, there is no monitoring supported to verify whether peering is up or how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
The ExpressRoute is critical and therefore its state needs to be monitored.
58 votes
API is needed to add new rules (e.g. Country Filtering, Token Auth, etc.) for newly added content.
Use case: User adds new video content in CMS where he is able to block this video in some regions.
54 votes
Work has started on both moving capabilities that are only available in the CDN Supplemental Portal (e.g. rules engine) into the Azure Portal and also providing APIs to support all of these features. This work will be done in multiple phases over the next several months.
Sometimes we share different hostnames with the same web site.
Currently, this means that we have to deploy different listeners in order to provide access to the same backend pool.
With a 20 listeners limit this solution is a bit expensive...
Would it be possible to add multiple hostnames/sitenames to a listener?
Thanks in advance
52 votes
We have started working on this.
It would be nice if we could purchase elastic IPv6 blocks of IPs, then when setting up an endpoint for a VM we could select the specific IP from the block for the endpoint.
50 votes
We have Public IP Prefix – you can reserve a block of IPv4 addresses.
- Anavi N [MSFT]
IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
Some users and cloud deployments only require connectivity with on premises networks (either IPv4 or IPv6, not both).
Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
● Giving each cloud service a /60 (or bigger) instead of a /64;
● Making IPv6 addresses static, since pool depletion is no longer an issue.
49 votes
Please provide Azure Services with an Internal Endpoint (at least Azure Storage and Azure Backup) to build up machines without Internet Connection.
47 votes
Storage service tags give this capability, and it was completed. Private IP for storage is under review.
Add the ability to add additional IP Protocols (i.e. ICMP, EIGRP, so forth) to an NSG rule. The only option today is TCP, UDP, or "*". Currently to allow ICMP you have to allow any protocol "*" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.
43 votes
We have started to work on ICMP support for NSGs.
- Anavi N [MSFT]
Please provide an API that will allow us to gather the full list of Azure IP addresses, the ones added in the last week, and the ones deleted in the last week. This would be used to automate the weekly changes we need to make to accommodate these changes.
41 votes
Hi Brian, we have this functionality through the Discovery API, you can find more information here: https://azure.microsoft.com/en-us/updates/service-tag-discovery-api-in-preview/
— Anavi N [MSFT]
Please provide the feature of SSL certificate setup in Azure Load Balancer and/or a static public IP in Application Gateway instead of a dynamic IP.
41 votes
The new V2 (Autoscaling) SKU for AppGW supports Static VIP. Please see details here: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant
Traditional load balancers support the following states, to facilitate performing maintenance on a system of multiple nodes gracefully:
Enabled (All traffic allowed)
Disabled (Only persistent or active connections allowed)
Force Offline (only active connections allowed)
When an application gateway node is "unhealthy" it only allows active connections. We are looking for a way to force a node into an "unhealthy" state.
The currently supported method is to use a custom probe that checks a file/path. I would like a solution that doesn't involve making changes on the server going into maintenance mode.
30 votes
This is being worked on currently.
Application Gateways need more troubleshooting tools. The healthy/unhealthy logging is almost useless. We need to be able to initiate a ping/netcat from the AppGw to a host to verify connectivity. We also need to be able to see the DNS cache or see a log correlating incoming requests with outgoing requests by hostnames and IP addresses.
29 votes
Thank you for all the votes and feedback. We have started work on this and the capability will be supported soon. If you would like to get in touch with us to discuss your scenarios, please fill out this form: https://aka.ms/ApplicationGatewayCohort
For running Production workloads in Azure we find that having an HA solution is important, and therefore using an Active-Active VPN GW is a must for us. We would also like to still use App Services linked to our custom vNet, though. At the moment this seems not to be possible, as P2S VPN is not supported with an Active-Active GW.
Therefore please make it compatible so we can connect App Services to our custom vNet and be able to communicate with onprem resources.
21 votes
I noticed that you need to download the VPN client again if the peering changes on the VNETs associated with the gateway. Once the client has the routes you can tear down and recreate VNET peerings as often as you like. It would be nice to have an easy way to refresh the routes for your installed VPN client because I see customers wasting a lot of time trying to figure out why they can’t connect to vms. At least to have some warning to customers would be good when they configure vnet peering that they might have to reinstall their VPN clients.
20 votes
Thanks for the feedback. The status of this ask is a bit complicated – it’s partially working, but partially in progress:
1. For existing SSTP P2S VPN, there is no solution but to download the VPN client package again.
2. For IKEv2 P2S VPN, it works by P2S client reconnecting to the Azure VPN gateway. Once they connect again, they will get the new routes. This will apply to changes in VNet address spaces (including VNet peering), newly added S2S/VNet-to-VNet connections, or new routes learned via BGP.
3. The caveat for (2) is that it currently works on Mac and Linux, but Windows requires a KB/Update that will be released shortly.
We will provide an update to this item once the Windows update is available.
VNet Service Endpoint achieves secure access to storage from virtual network, but there is still a risk that someone might leak our sensitive data to his/her own storage account.
To make sure our data is stored in our storage account, we really need the ability to limit access to the specific approved storage account.
19 votes
Create a Secure DNS service that can be used by Enterprise DNS servers and report and block suspect activity from clients. The solution should be based in Microsoft Azure, but should also be integrated with either Microsoft OMS or Windows ATP service.
All log files collected from Enterprise DNS servers should be forwarded to the Azure Secure DNS service (https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/)
16 votes
We’re working with a number of leading DNS firewall providers to provide this functionality. We have two in the marketplace now, ThreatSTOP and InfoBLOX.
Analysis via Log Analytics is useful, but it'd be nice to have some predefined reports or "blades" in Azure Portal to analyse events, throughput, capacity/utilization.
15 votes
It's 2019. Globally routable IPv6 should be on by default, not some sort of advanced command-line only kludge requiring twiddling with load balancers and NAT the way it is now on Azure. See Linode for simple and effective.
13 votes
- Anavi N [MSFT]
Open the CDN map and you will find that for MOST geographical regions CDN is irrelevant. For the ex-USSR region the closest CDN is in Poland, but latency is just a few milliseconds less than directly from the WE region. For the MEA region, the same...
13 votes
Work is ongoing to provide POPs in additional Geographical regions. In November POPs were added in India and South America. Additional POPs in South America and in Oman will be added in the next few months. We also announced last year a partnership with Akamai which will allow us later this year to provide access to the entire Akamai network. Akamai has POPs in over 110 countries. The following link from Akamai will help us see the level of coverage that they have today: http://wwwnui.akamai.com/gnet/globe/index.html
Thanks for recently adding the ability to specify custom DNS servers for virtual networks.
I assume this is implemented with DHCP.
We are unfortunately not able to rely on this feature yet because we also set a custom DNS domain search.
This can be done with DHCP option 119, and this is how we have our non-Azure LAN configured.
13 votes
Azure DNS support for private zones is now in limited preview and custom DNS suffix will be part of that. See http://aka.ms/azureprivatedns for details of the feature.