Provide option to change which TLS versions are supported - similar to the Azure App Service. This will allow for use of Front Door with PCI compliant apps.
54 votes
API is needed to add new rules (e.g. Country Filtering, Token Auth, etc.) for newly added content.
Use case: User adds new video content in CMS where he is able to block this video in some regions.
51 votes
Work has started on both moving capabilities that are only available in the CDN Supplemental Portal (e.g. rules engine) into the Azure Portal and also providing APIs to support all of these features. This work will be done in multiple phases over the next several months.
It would be nice if we could purchase elastic IPv6 blocks of IPs, then when setting up an endpoint for a VM we could select the specific IP from the block for the endpoint.
50 votes
We have Public IP Prefix – you can reserve a block of IPv4 addresses.
- Anavi N [MSFT]
IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
Some users and cloud deployments only require connectivity with on-premises networks (either IPv4 or IPv6, not both).
Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
● Giving each cloud service a /60 (or bigger) instead of a /64;
● Making IPv6 addresses static, since pool depletion is no longer an issue.
49 votes
Sometimes we share different hostnames with the same web site.
Currently, this means that we have to deploy different listeners in order to provide access to the same backend pool.
With a 20 listeners limit this solution is a bit expensive...
Would it be possible to add multiple hostnames/sitenames to a listener?
Thanks in advance
48 votes
We have started working on this.
Please provide Azure Services with an Internal Endpoint (at least Azure Storage and Azure Backup) to build up machines without Internet Connection.
47 votes
Storage service tags give this capability and it was Completed. Private IP for storage is under review.
Add the ability to add additional IP Protocols (e.g. ICMP, EIGRP, and so forth) to an NSG rule. The only option today is TCP, UDP, or "*". Currently to allow ICMP you have to allow any protocol "*" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.
42 votes
We have started to work on ICMP support for NSGs.
- Anavi N [MSFT]
Please provide the feature of SSL certificate setup in Azure Load Balancer and/or a static public IP in Application Gateway instead of a dynamic IP.
41 votes
The new V2 (Autoscaling) SKU for AppGW supports Static VIP. Please see details here: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant
Application Gateways need more troubleshooting tools. The healthy/unhealthy logging is almost useless. We need to be able to initiate a ping/netcat from the AppGw to a host to verify connectivity. We also need to be able to see the DNS cache or see a log correlating incoming requests with outgoing requests by hostnames and IP addresses.
29 votes
Thank you for all the votes and feedback. We have started work on this and the capability will be supported soon. If you would like to get in touch with us to discuss your scenarios, please fill this form: https://aka.ms/ApplicationGatewayCohort
For running Production workloads in Azure we find that having a HA solution is important, and therefore using an Active-Active VPN GW is a must for us. Though we would also like to still use App Services linked to our custom vNet. At the moment this seems to not be possible as P2S VPN is not supported with a Active-Active GW.
Therefore please make it compatible so we can connect App Services to our custom vNet and be able to communicate with on-prem resources.
21 votes
I noticed that you need to download the VPN client again if the peering changes on the VNETs associated with the gateway. Once the client has the routes you can tear down and recreate VNET peerings as often as you like. It would be nice to have an easy way to refresh the routes for your installed VPN client because I see customers wasting a lot of time trying to figure out why they can’t connect to vms. At least to have some warning to customers would be good when they configure vnet peering that they might have to reinstall their VPN clients.
20 votes
Thanks for the feedback. The status of this ask is a bit complicated – it’s partially working, but partially in progress:
1. For existing SSTP P2S VPN, there is no solution but to download the VPN client package again.
2. For IKEv2 P2S VPN, it works by P2S client reconnecting to the Azure VPN gateway. Once they connect again, they will get the new routes. This will apply to changes in VNet address spaces (including VNet peering), newly added S2S/VNet-to-VNet connections, or new routes learned via BGP.
3. The caveat for (2) is that it currently works on Mac and Linux, but Windows requires a KB/Update that will be released shortly.
We will provide an update to this item once the Windows update is available.
VNet Service Endpoint achieves secure access to storage from virtual network, but there is still a risk that someone might leak our sensitive data to his/her own storage account.
To make sure our data is stored in our storage account, we really need the ability to limit access to the specific approved storage account.
19 votes
Traditional loadbalancers support the following states, to facilitate performing maintenance on a system of multiple nodes gracefully:
Enabled (All traffic allowed)
Disabled (Only persistent or active connections allowed)
Force Offline (only active connections allowed)
When an application gateway node is "unhealthy" it only allows active connections. We are looking for a way to force a node into an "unhealthy" state.
The currently supported method is to use a custom probe that checks a file/path. I would like a solution that doesn't involve making changes on the server going into maintenance mode.
18 votes
This is being worked on currently.
Create a Secure DNS service that can be used by Enterprise DNS servers and report and block suspect activity from clients. The solution should be based in Microsoft Azure, but should also be integrated with either Microsoft OMS or Windows ATP service.
All log files collected from Enterprise DNS servers should be forwarded to the Azure Secure DNS service (https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/)
16 votes
We’re working with a number of leading DNS firewall providers to provide this functionality. We have two in the marketplace now, ThreatSTOP and InfoBLOX.
Analysis via Log Analytics is useful, but it'd be nice to have some predefined reports or "blades" in Azure Portal to analyse events, throughput, capacity/utilization.
15 votes
Open the CDN map and you will find that for MOST geographical regions CDN is irrelevant. For the ex-USSR region the closest CDN is in Poland, but latency is just a few milliseconds less than directly from the WE region. For the MEA region, the same...
13 votes
Work is ongoing to provide POPs in additional Geographical regions. In November POPs were added in India and South America. Additional POPs in South America and in Oman will be added in the next few months. We also announced last year a partnership with Akamai which will allow us later this year to provide access to the entire Akamai network. Akamai has POPs in over 110 countries. The following link from Akamai will help us see the level of coverage that they have today: http://wwwnui.akamai.com/gnet/globe/index.html
Thanks for recently adding the ability to specify custom DNS servers for virtual networks.
I assume this is implemented with DHCP.
We are unfortunately not able to rely on this feature yet because we also set a custom DNS domain search.
This can be done with DHCP option 119, and this is how we have our non-Azure LAN configured.
13 votes
Azure DNS support for private zones is now in limited preview and custom DNS suffix will be part of that. See http://aka.ms/azureprivatedns for details of the feature.
I pretty much want to keep storage, SQL database, web app, VMs, and any other service I use within a private network to keep granular control of which services can connect to other services. The "open to all" connection strings to all services are a hard sell to any organization used to securing their IT behind firewalls and networks of networks. Where are you on this today? It must be considered less secure since these connection strings always tend to leak.
10 votes
Service endpoints for Storage and SQL are available in preview and we have more work in progress for webapps integration.
Application Gateway is a combination of backend pool, backend HTTP settings, listeners, custom probes and rules. Most of the time, to make changes, it is necessary to update more than one of the above mentioned settings (pool, HTTP setting, listeners, rules). Each setting is placed on a different UI blade, and it takes nearly 3 - 10 mins for a single setting change to be reflected.
Feedback: Make a wizard-style interaction that enables specifying all desired setting changes at once, then applies these changes in a single shot behind the scenes.
9 votes
Thank you for your suggestion. We are currently working to improve this experience.
Allow Azure virtual network TAP to send collected data to a VM running Suricata, Snort, Riverbed etc., not only the current list of vendors.
9 votes