Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
24 votes
Thank you for posting this request. We unfortunately do not support 3rd party VPNs. Please contact your VPN vendor to have the device validated against Azure. They should be able to support you.
-
Allow Subnet and VNETs to reside in different resource groups
In our design, we are attempting to share a single vnet to be used by each department/tenant. In this model, each tenant gets a small subnet provisioned from the overall vnet address space. Unfortunately, we must create the subnet separately since it is owned by the vnet which belongs to another resource group.
Alternatively, you could allow subnets to have their own resource group similar to nics.
24 votes
To know what IP Addresses are used by NAT on Public Peering
Currently we know that the Microsoft Edge Routers are doing NAT translation for the packets coming from Public Peering.
Sometimes we need to know what IP addresses are used for that, but there is no way to know that without contacting Microsoft Support.
We want to know which addresses are used on Portal or PowerShell.
18 votes
Thank you for the feedback on this functionality. At this time, we are not implementing new functionality for the public peering feature of ExpressRoute.
We recommend customers utilize Microsoft peering, which provides the same capabilities as public peering and allows additional controls, bidirectionality, and where our development will continue moving forward. The NAT IP addresses with Microsoft peering are supplied by the customer or by the service provider.
https://docs.microsoft.com/en-us/azure/expressroute/how-to-move-peering
Please contact support if you require the NAT IP addresses of the current circuits that have public peering. The IPs do not change for the life cycle of the public peering.
-
provide subdomains to group resources
Currently for many of the resources that we allocate on Azure (websites, cloud services, vms, storage, buses, etc ...) require unique names across Azure. We've taken to prefixing many of these with our company name, but this doesn't leave many characters for service differentiation. Often we want to have some combination of dev, test and prod instances of various resources. Much of the time we likely don't care to setup a full DNS environment for the non-prod instances. It would interesting to start to look at either subscriptions or resource groups as a potential place to add the notion of…
22 votes
We don’t think sub-domains is the right way to offer resource grouping. In Azure Resource Manager, resource groups should be used.
-
Load Balancing on Linux servers - net.ipv4.tcp_tw_recycle & reuse settings
Currently you don't allow net.ipv4.tcp_tw_recycle, net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_timestamps to be set to 1. You require them to be set to default 0. For our MapR performance improvements, we are required to set them to 1 - which prevents the wait time for the socket to become available and reuses existing.
It will be nice if you could allow us to use the Load Balancer even when we set the reuse and recycle flag to 1.
20 votes
Please follow current support guidance for now to set these kernel variables as follows:
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_timestamps = 0
— Christian
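A check for the three kernel settings in the guidance above, added here as an example and not part of the original thread. It assumes the sysctl files live under /proc/sys/net/ipv4 on a live host; the directory parameter exists so the same functions can be run against constructed values.

```shell
# Added example (not from the original thread): audit the TIME-WAIT related
# sysctls against the Azure Load Balancer support guidance (all three = 0).
# Background (kernel behaviour, not stated in the thread): with tcp_timestamps=1
# and tcp_tw_recycle=1 the kernel drops SYNs from a source IP whose timestamps
# go backwards, which is exactly what happens when many clients sit behind one
# NAT or a load balancer. tcp_tw_recycle was removed in Linux 4.12.

SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/ipv4}"
# Keys the guidance requires to be 0 (names as the reply lists them).
REQUIRED_ZERO="tcp_tw_recycle tcp_tw_reuse tcp_timestamps"

# read_sysctl KEY [DIR]: prints the value, or "absent" if the kernel does not expose it.
read_sysctl() {
    f="${2:-$SYSCTL_DIR}/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# audit_lb_sysctls [DIR]: one line per key; returns 0 when compliant, 1 otherwise.
# A key missing from the kernel (newer kernels have no tcp_tw_recycle) counts as compliant.
audit_lb_sysctls() {
    dir="${1:-$SYSCTL_DIR}"
    rc=0
    for key in $REQUIRED_ZERO; do
        val=$(read_sysctl "$key" "$dir")
        case "$val" in
            0)      status=ok ;;
            absent) status="ok (not present in this kernel)" ;;
            *)      status="NOT SUPPORTED (expected 0)"; rc=1 ;;
        esac
        printf '%-26s %-7s %s\n' "net.ipv4.$key" "$val" "$status"
    done
    return $rc
}

# corrected_sysctl_conf: emits the /etc/sysctl.d fragment matching the guidance.
corrected_sysctl_conf() {
    for key in $REQUIRED_ZERO; do
        echo "net.ipv4.$key = 0"
    done
}

# Usage on a live host: sh this_script.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_lb_sysctls
fi
```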
-
Route table associated to a Virtual Network
It would be great if a route table can be assigned to Virtual Network level and added to the priority sequence like System Routes -> BGP Routes -> UDR at Virtual Network -> UDR at subnet level
This will allow to move all common routes to be placed at virtual network level and then subnet specific to subnet level.
Or allow nesting of UDRs, where two route tables can be assigned to one subnet, giving the cumulative routes of both combined.
20 votes
Hello,
We are not planning on supporting UDR at the VNet level as this introduces additional security concerns. You can currently assign a route table to multiple subnets on a VNet to achieve this effect.
-Allegra [MSFT]
-
Decouple vNIC count from VM Size
For people wanting to use Virtual Firewall Appliances, the amount of vNICs a Virtual Server type offers is the key consideration for how many backend subnets one can place behind the firewall.
The existing Azure practice of scaling of a VM type/size to get additional vNICs is therefore problematic for the following reasons.
We have to oversize our VM to get the amount of vNICs required. We pay for more CPU and RAM resources than we actually require.
Firewall vendors often license the appliances based on CPU Count. Because we had to oversize our VM, we now have to purchase…
19 votes
Name based forwarding
We have microservices running in Container Services.
It would be nice to give them meaningful names such as:
foo.stg.myservices.net
foo.tst.myservices.net
In order to achieve it I think Azure Load Balancer should be capable of doing some kind of name based forwarding in the balancing rules.
Does that make sense?
18 votes
SNI is supported on Azure Application Gateway. Azure Load Balancer currently has no plans for interacting with the application layer.
-
Please raise the VPN Gateway Limitation
We can connect 10 locations using VPN Gateway in Basic / Standard SKUs.
Please raise the Default Limit from 10 locations to 30 locations (same as High Performance SKU). We often need to connect over 10 locations.
Please allow VPN connections to up to 30 sites on VPN Gateway even with the Basic / Standard SKUs.
16 votes
Thank you for your feedback. We understand the need to connect to more than 10 locations. Unfortunately, Basic and Standard SKUs have a hard limit of 10 locations because of implementation constraints. If you need 30 tunnels, please use the High Performance SKU.
Thanks,
Bridget [MSFT]
-
Dynamic single use endpoints
Some protocols (most notably FTP in PASV mode) require creation of temporary single-use inbound endpoints. Allowing a role to request a temporary endpoint on a random port > 1023 would allow this.
16 votes
Thanks for your feedback.
We will not be supporting dynamic endpoints since it could be cumbersome to define and maintain if they are really going to be short lived, but we are working on a feature that would allow a VM (instance) to have a public IP that accepts inbound connections on all ports (more like a port-less NAT), which would solve the FTP scenarios.
Thanks for taking the time to provide feedback.
-
Please raise the Endpoint ACL Limitation
Please raise the maximum number of Endpoint ACL limitation so we can set over 50 rules.
As you know, we can set 400 rules in NSG.
Please allow more than 50 endpoint ACL rules to be configured.
16 votes
Unfortunately, we will not be able to support a higher number of rules on endpoint ACLs. NSGs could be used in place of endpoint ACLs for easier management of ACLs as well as higher scalability. Would NSGs work for your scenario?
-
Custom errors when web role is failing (or not running)
When I update the web role (increasing web roles, starting, suspending, ...) there is a short moment (or pretty long) when the web role is not responding. Customers then may see just a browser error page "the page is not accessible" or "the server is not responding". In my opinion there should always be some nice, user-friendly response like "We are currently upgrading your application, please wait a few minutes. Thanks" with company logo or something.
15 votes
Thank you for your suggestion. Azure Load Balancer doesn’t interact with the application layer today. I’m going to return the votes because I don’t have an obvious path to deliver this feature today. Please check if Application Gateway can perform this function and if not request it on UserVoice there.
This may work for HTTP but I’m not sure how we would do that for HTTPS unless we had the certificate and could create a response that doesn’t alarm the client with a certificate error. Any thoughts on how you see this working? Please reply and we can discuss further.
-
Support Multiple Web Roles with Host Header Redirection at the Load Balancer
Currently you can only have multiple web roles using different ports numbers. If host headers could be configured at the load balancer then different web roles in the same cloud service could be accessed over standard ports 80/443 using different DNS aliases. One reason for wanting this is multiple web roles that share dedicated cache roles.
13 votes
Thanks for the suggestion.
Currently Azure’s Load Balancer operates at Layer 4. It does not inspect the HTTP headers to make any decision. This will have to be done in the future through a Layer 7 load balancer appliance.
-
IPv6 over IPv4 - Protocol 41
Our remote workers use Direct Access to connect to applications and services hosted in Azure.
Outbound management from Azure to the clients is currently not supported.
Microsoft have confirmed Azure does not support IPv6 over IPv4 - Protocol 41.
It would be a huge help if we could get support for this.
13 votes
Thank you for your suggestion. We have native IPv6 support today, and we’re adding more in the near future. But we don’t expect to add v6 in v4.
-
Add basic SKU public ip support to public ip prefix
We are using AKS for most of our workloads, and we have to whitelist single egress ips in databases and third-party tools, each time we add another cluster. We thought it would be clever to use prefixes, but as you can only create standard SKU ips off the prefix, and AKS uses basic loadbalancer and basic ips, this is not an option. Please make our lives so much easier!
12 votes
Allow Internal Load Balancer Internet Access
In an Internal Azure Load Balancer {Standard SKU}, VMs within the Load Balancer do not have internet access except:
1) If they have a public IP address
2) If they are part of a public Load Balancer
3) If they have load balancer rules statically configured.
There are instances that VMs may need access to the internet as 'internal' servers may need internet access.
I think there should be an option for "Allow VMs in this Internal LB to access the internet" on the internal load balancer. This would allow security checks for public certificate validation or other tests that…
12 votes
Please use a Standard public Load Balancer to define outbound translations using outbound rules https://aka.ms/lboutboundrules
— Christian
-
Stop letting non-Azure Microsoft networks use BGP routes that Azure learns through ExpressRoute. This easily leads to asymmetric routing.
stop letting non-Azure Microsoft networks use the BGP routes that Azure learns through ExpressRoute. This leads to asymmetry in many cases.
Also, the current behavior lets bandwidth hungry Microsoft services like Windows Update consume the bandwidth and metered data of ExpressRoute.
As of today, companies using ExpressRoute need to set up their network in an unnecessary complicated way to avoid this problem.
One way to do it is to only announce a small prefix, and use that prefix for NAT'ing all the traffic destined for Azure services over ExpressRoute.
Then one has to make sure that all traffic destined for…
12 votes
Hi!
Can you please refer to our NAT guidance (docs.microsoft.com/en-us/azure/expressroute..)
It clearly calls out the following:
The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services.
-
reserved custom public IP range - bring my own public IPs to azure datacenter
I want to move parts of my on-premises data center to Azure. It's used to host a service for my customers, therefore I have a public IP range. So my customers already have implemented a security setting to allow traffic to my public IP range and my public services.
When I migrate to the Azure data center, then I have no option to take the public IP range with me. This means I have to inform all my customers about my move to Azure and have to wait until all customers have implemented the new IP setting.
In Azure I can use reserved…
12 votes
Thank you for suggesting this. We’ve noted it in backlog. Currently this is not on near term roadmap.
-
10 votes
Thank you for the suggestion.
Traffic Manager uses a DNS-based system for distributing load. Whilst I understand how a BGP anycast system would provide an alternative, we don’t have any current plans to switch to a BGP Anycast based approach.
Thank you again for taking the time to contribute your feedback.
-
Allow to assign custom routes on the VNET level (instead of only subnets)
We configured a custom gateway on Azure. Unfortunately it's not possible to add routes on a VNET level so these routes get applied to all existing and future subnets automatically.
Basically it would be sufficient to be able to assign UDRs to VNETs.
9 votes
Hi Thomas,
This is not something we’re currently planning due to security concerns it raises.
- Allegra [MSFT]