Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. multiple network security groups per NIC

      Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)

      99 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  6 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. vpn gateway slow to create

      Why does it take upwards of 30 minutes to create a vnet gateway?
      If I am doing a PowerShell script or a CI/CD deployment, the whole world stops while the VPN takes 30-odd minutes to be initialised and start. Can this please be addressed?

      97 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  15 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. CDN: Support Vary: Origin header.

      The CDN ignores the Vary: Origin header, and thus the associated Access-Control-Allow-Origin is not emitted either. Even though the underlying blob store does return the correct Vary header, the CDN ignores this (basically breaking HTTP logic) and returns the same response to all users regardless of the origin (X-Cache: HIT) is then returned instead.

      This is basically a flaw, a bug, and an oversight- but I'm not going to pay for Azure support to tell you this.

      Without this functioning properly, the CDN cannot be used to host website resources (such as fonts) since these must all have Access-Control-Allow-Origin headers…

      97 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      9 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      planned  ·  Anton Kucer [MSFT] responded

      Azure CDN by default ignores Vary header except when it is used with Vary: accept-encoding. This is done as the Vary header can easily cause serious cache bloat issues. Long term we are targeting feature to allow users to easily adjust this default behavior.

    4. Multiple Network Security Groups per subnet

      Provide ability to associate multiple Network Security Groups with a single subnet. Right now there is limitation to associate only one NSG per subnet.

      This limits reusability of NSGs which are created at subscription level. We have come across use-cases where multiple subnets have common rules and few subnet-specific rules.

      It will be help a lot in terms of rules management and reusability if it is possible to segregate common rules across subnets in an NSG which can them be applied on a subnet with additional NSGs for subnet specific rules.

      96 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    5. Reorder the Listeners on the Application Gateway

      Recently I was in the need to register additional listeners to an App Gateway. The issue is that the rules and Listeners should be created (at least using the portal) on correct order and the portal don't have any options to change this order.
      As the process of update changes on the Gateway takes a few minutes, this type of change requires a few hours to create a new record, remove, add it again, create rules, etc.
      Using a pattern similar to the NSG where we define a value for the order would save a lot of time.

      90 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Improve VPN gateways performances and limits

      Using VPN to connect sites to Azure is great. But we are rapidly hitting the gateways limits:
      - One gateway per VNet
      - A max of 30 Tunnels per gateway (10 and 20 for standard)
      - A max of 200 Mb/s per gateway (shared by all VPNs)

      Today, not all regions and customers can afford 'ExpressRoute' to get more bandwidth and scalability. So why this 'very limited' options.

      77 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Network Watcher Topology should get information for resources in different resource group than VNET

      The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But, I noted that for a full topology, ALL resources need to be on the same Resource Group than the VNET chosen. That doesn't make sense, because is pretty common to have VMs and NICs on different RGs. Would be great if you choose a RG and a VNET as a starting point, and Topology feature gather all other resources interconnected independently of their RGs.

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      9 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    8. Allow a VM's NIC to use a VNET\Subnet from another Subscription

      Given that the syntax of json deployment templates allows referencing resources by a unique resourceid which includes the guid of the subscription, I would like to create a VM in subscription 'A', whose NIC references a subnet that is part of a VNET in subscription 'B'.

      The reason for this is two-fold:
      1) This would allow a corporate networking function to securely manage all the networking infrastructure in a corporate IT-owned and managed subscription, but allow it to be consumed by line-of-business units, whose subscriptions are restricted (via ARM policies) to not allow the creation of VNETs.
      2) This would…

      70 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. Setting NSG immediately

      When NSG is set from PowerShell or the portal, the operation successfully completes soon but it takes a few minutes before the NSG setting will take effect.
      Please set NSG setting immediately.

      69 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    10. Enable the application of Network Security Group rules to groups of IPs

      Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.

      67 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Authentication to VPN Gateway using Azure AD

      Add option to authenticate to VPN Gateway using existing Azure AD accounts. For security reason there should be option to add a group of users allowed to use VPN.

      This should help to use Azure VPN Gateway by customers which not use local AD DS servers

      66 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Azure Private DNS Zone resolution from OnPremise

      Make it possible to enable the Name Resolution from onpremise if i have an azure private dns Zone.

      It should be possible to make an Forward from onpremise dns to an azure private dns Zone.

      63 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  5 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    13. Reduce update times for Application Gateways

      It would be great if the Application Gateway could update faster. Working with AGWs forces me to wait for 15-30 minutes after each update - which wastes a lot of time.

      Working with gateways at AWS feels nearly instant and does not require such long waiting times.
      I'd highly appreciate if Azure AWG updates could become so fast, too.

      55 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Ability to move a NIC from one VNET to another.

      Could we get the ability to detach a NIC from it's current VNET and reattach it to a different VNET? In my case, I accidentally created a new VNET instead of attaching it to a pre-existing one, and it would be more convenient to move it over instead of recreating the NIC.

      54 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    15. Confirguration of caching rules in Front Door

      Allow configuration of content caching rules similar to how Azure CDN (Akamai) and Azure CDN (Verizon). This will allow better support of leveraging Front Door with Azure Storage Static Websites where it is impractical to set cache-control on a per-item basis.

      52 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    16. Test Azure CDN Rule Engine before sending for approval

      At this moment, you cann't test Azure CDN Rule Engine before sending for approval, approval of new Rules takes up to 4 hours. Which make things very difficult.

      46 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      planned  ·  Anton Kucer [MSFT] responded

      Rule approval is currently automatic with no delay. We will follow up on having the 4 hour approval message you see in the CDN supplemental portal updated to remove this confusion. While approval is automatic it can currently take 90 minutes for updates to propagate to all CDN POPs. Work is under way to significantly reduce this to a much lower value in the next few months.

    17. Formalize the Traffic Manager user agent string

      I would like to see the user agent that Traffic Manager uses in its HTTP requests as part of monitoring/probing become formalized so that applications can take a dependency on the user agent string name and not worry about it changing in the future affecting the application that has behavior that depends on the user agent.

      For an example where the user agent string is needed to comply with URL canonicalization needs along with Traffic Manager being involved, please refer to http://social.msdn.microsoft.com/Forums/azure/en-US/d9f8e779-644d-4263-990c-9de5a7cf403c/is-the-user-agent-for-traffic-manager-guaranteed.

      41 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    18. Allow Selection of VMs within Availability set/VMSS for standard LB backend pool

      It would be great if allowing Selection of VMs within availability set for standard SKU Load balancer backend pool

      the feature does exist in Basic only , yet in Standard not. even though it is mentioned in the documentation it supports it.

      for example I have a client that needs to add only 50 VMs within an av in a VNET that hosts over 500 VMs. Yet when going to the backend pool of the standard LB it shows all of the 500 VMs , if there is a filtering way to only shows a specific AV that would be…

      38 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    19. Azure Firewall

      Please add the ability to protect against inbound traffic from the public internet in addition to its present ability to protect outbound traffic. If this is going to be offered as a true SaaS 'Firewall' solution, I believe this should have that true firewall protection for incoming traffic (protection against common attacks, layer 7 packet inspection, etc.)

      36 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  8 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    20. Support CAA record in Azure DNS web portal

      Thank you for supporting CAA records via CLI/PowerShell/API - but for the majority of people, this isn't easy. Please add support for these records in the DNS zone management blade.

      31 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base