Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. 24 votes
      4 comments  ·  VPN Gateway
    2. Allow Subnet and VNETs to reside in different resource groups

      In our design, we are attempting to share a single vnet to be used by each department/tenant. In this model, each tenant gets a small subnet provisioned from the overall vnet address space. Unfortunately, we must create the subnet separately since it is owned by the vnet which belongs to another resource group.

      Alternatively, you could allow subnets to have their own resource group similar to nics.

      24 votes
      declined  ·  4 comments  ·  Virtual Network
    3. To know what IP Addresses are used by NAT on Public Peering

      Currently we know that the Microsoft Edge Routers are doing NAT translation for the packets coming from Public Peering.
      Sometimes we need to know what IP addresses are used for that, but there is no way to know that without contacting Microsoft Support.
      We want to know which addresses are used on Portal or PowerShell.

      24 votes
      1 comment  ·  ExpressRoute

      Thank you for the feedback on this functionality. At this time, we are not implementing new functionality for the public peering feature of ExpressRoute.

      We recommend customers utilize Microsoft peering, which provides the same capabilities as public peering and allows additional controls, bidirectionality, and where our development will continue moving forward. The NAT IP addresses with Microsoft peering are supplied by the customer or by the service provider.

      https://docs.microsoft.com/en-us/azure/expressroute/how-to-move-peering

      Please contact support if you require the NAT IP addresses of the current circuits that have public peering. The IPs do not change for the life cycle of the public peering.

    4. Provide subdomains to group resources

      Currently many of the resources that we allocate on Azure (websites, cloud services, VMs, storage, buses, etc.) require unique names across Azure. We've taken to prefixing many of these with our company name, but this doesn't leave many characters for service differentiation. Often we want to have some combination of dev, test and prod instances of various resources. Much of the time we likely don't care to set up a full DNS environment for the non-prod instances. It would be interesting to start to look at either subscriptions or resource groups as a potential place to add the notion of…

      22 votes
      1 comment  ·  DNS
    5. Load Balancing on Linux servers - net.ipv4.tcp_tw_recycle & reuse settings

      Currently you don't allow net.ipv4.tcp_tw_recycle, net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_timestamps to be set to 1. You require them to be set to default 0. For our MapR performance improvements, we are required to set them to 1 - which prevents the wait time for the socket to become available and reuses existing.

      It will be nice if you could allow us to use the Load Balancer even when we set the reuse and recycle flag to 1.

      20 votes
      1 comment  ·  Load Balancer
    6. Route table associated to a Virtual Network

      It would be great if a route table can be assigned to Virtual Network level and added to the priority sequence like System Routes -> BGP Routes -> UDR at Virtual Network -> UDR at subnet level

      This will allow to move all common routes to be placed at virtual network level and then subnet specific to subnet level.

      Or allow nesting of UDRs, where two route tables can be assigned to one subnet, which may be the cumulative routes of both combined.

      20 votes
      1 comment  ·  Virtual Network
    7. Decouple vNIC count from VM Size

      For people wanting to use Virtual Firewall Appliances, the amount of vNICs a Virtual Server type offers is the key consideration for how many backend subnets one can place behind the firewall.
      The existing Azure practice of scaling of a VM type/size to get additional vNICs is therefore problematic for the following reasons.

      1. We have to oversize our VM to get the amount of vNICs required. We pay for more CPU and RAM resources than we actually require.

      2. Firewall vendors often license the appliances based on CPU Count. Because we had to oversize our VM, we now have…

      19 votes
      declined  ·  2 comments  ·  Virtual Network
    8. Name based forwarding

      We have microservices running in Container Services.
      It would be nice to give them meaningful names such as:
      foo.stg.myservices.net
      foo.tst.myservices.net

      In order to achieve it I think Azure Load Balancer should be capable of doing some kind of name based forwarding in the balancing rules.

      Does that make sense?

      18 votes
      0 comments  ·  Load Balancer
    9. Please raise the VPN Gateway Limitation

      We can connect 10 locations using VPN Gateway in Basic / Standard SKUs.
      Please raise the Default Limit from 10 locations to 30 locations (same as High Performance SKU). We often need to connect over 10 locations.

      - Japanese (translated)
      Please allow VPN connections to up to 30 locations with the Basic / Standard SKUs of VPN Gateway as well.

      16 votes
      1 comment  ·  VPN Gateway

      Thank you for your feedback. We understand the need to connect to more than 10 locations. Unfortunately, Basic and Standard SKUs have a hard limit of 10 locations because of implementation constraints. If you need 30 tunnels, please use the High Performance SKU.

      Thanks,
      Bridget [MSFT]

    10. Dynamic single use endpoints

      Some protocols (most notably FTP in PASV mode) require creation of temporary single-use inbound endpoints. Allowing a role to request a temporary endpoint on a random port > 1023 would allow this.

      16 votes
      0 comments  ·  Load Balancer
      declined  ·  Narayan Annamalai responded

      Thanks for your feedback.

      We will not be supporting dynamic endpoints since it could be cumbersome to define and maintain if they are really going to be short lived, but we are working on a feature that would allow a VM (instance) to have a public IP that accepts inbound connections on all ports (more like a port less NAT), which would solve the FTP scenarios.

      Thanks for taking the time to provide feedback.

    11. Please raise the Endpoint ACL Limitation

      Please raise the maximum number of Endpoint ACL limitation so we can set over 50 rules.
      As you know, we can set 400 rules in NSG.

      - Japanese (translated)
      Please make it possible to configure more than 50 Endpoint ACLs.

      16 votes
      1 comment  ·  Network Security Groups
    12. Custom errors when web role is failing (or not running)

      When I update the web role (increasing web roles, starting, suspending, ...) there is a short moment (or pretty long) when the web role is not responding. Customers then may see just a browser error page "the page is not accessible" or "the server is not responding". In my opinion there should always be some nice, user-friendly response like "We are currently upgrading your application, please wait a few minutes. Thanks" with company logo or something.

      15 votes
      1 comment  ·  Load Balancer

      Thank you for your suggestion. Azure Load Balancer doesn’t interact with the application layer today. I’m going to return the votes because I don’t have an obvious path to deliver this feature today. Please check if Application Gateway can perform this function and if not, request it on UserVoice there.

      This may work for HTTP but I’m not sure how we would do that for HTTPS unless we had the certificate and could create a response that doesn’t alarm the client with a certificate error. Any thoughts on how you see this working? Please reply and we can discuss further.

    13. Support Multiple Web Roles with Host Header Redirection at the Load Balancer

      Currently you can only have multiple web roles using different ports numbers. If host headers could be configured at the load balancer then different web roles in the same cloud service could be accessed over standard ports 80/443 using different DNS aliases. One reason for wanting this is multiple web roles that share dedicated cache roles.

      13 votes
      0 comments  ·  Load Balancer
      declined  ·  Narayan Annamalai responded

      Thanks for the suggestion.

      Currently Azure’s Load Balancer operates at Layer 4. It does not inspect the HTTP headers to make any decision. This will have to be done in the future through a Layer 7 load balancer appliance.

    14. IPv6 over IPv4 - Protocol 41

      Our remote workers use Direct Access to connect to applications and services hosted in Azure.

      Outbound management from Azure to the clients is currently not supported.
      Microsoft have confirmed Azure does not support IPv6 over IPv4 - Protocol 41.

      It would be a huge help if we could get support for this.

      13 votes
      0 comments  ·  IPv6
    15. Add basic SKU public ip support to public ip prefix

      We are using AKS for most of our workloads, and we have to whitelist single egress ips in databases and third-party tools, each time we add another cluster. We thought it would be clever to use prefixes, but as you can only create standard SKU ips off the prefix, and AKS uses basic loadbalancer and basic ips, this is not an option. Please make our lives so much easier!

      12 votes
      declined  ·  1 comment  ·  IP addresses
    16. Allow Internal Load Balancer Internet Access

      In an Internal Azure Load Balancer {Standard SKU}, VMs within the Load Balancer do not have internet access except:
      1) If they have a public IP address
      2) If they are part of a public Load Balancer
      3) If they have load balancer rules statically configured.

      There are instances that VMs may need access to the internet as 'internal' servers may need internet access.

      I think there should be an option for "Allow VMs in this Internal LB to access the internet" on the internal load balancer. This would allow security checks for public certificate validation or other tests that…

      12 votes
      1 comment  ·  Load Balancer
    17. Stop letting non-Azure Microsoft networks use BGP routes that Azure learns through ExpressRoute. This easily leads to asymmetric routing.

      Stop letting non-Azure Microsoft networks use the BGP routes that Azure learns through ExpressRoute. This leads to asymmetry in many cases.
      Also, the current behavior lets bandwidth hungry Microsoft services like Windows Update consume the bandwidth and metered data of ExpressRoute.
      As of today, companies using ExpressRoute need to set up their network in an unnecessary complicated way to avoid this problem.
      One way to do it is to only announce a small prefix, and use that prefix for NAT'ing all the traffic destined for Azure services over ExpressRoute.
      Then one has to make sure that all traffic destined for…

      12 votes
      3 comments  ·  ExpressRoute

      Hi!
      Can you please refer to our NAT guidance (docs.microsoft.com/en-us/azure/expressroute..)

      It clearly calls out the following:

      The NAT IP pool advertised to Microsoft must not be advertised to the Internet. This will break connectivity to other Microsoft services.

    18. Reserved custom public IP range - bring my own public IPs to Azure datacenter

      I want to move parts of my on-premise data center to Azure. It's used to host a service for my customers. Therefore I have a public IP range. So my customers already have implemented a security setting to allow traffic to my public IP range and my public services.

      When I migrate to an Azure data center, then I have no option to take the public IP range with me. This means I have to inform all my customers about my move to Azure and have to wait until all customers have implemented the new IP setting.

      In Azure I can use reserved…

      12 votes
      7 comments  ·  Load Balancer
    19. 10 votes
      1 comment  ·  Load Balancer

      Thank you for the suggestion.

      Traffic Manager uses a DNS-based system for distributing load. Whilst I understand how a BGP anycast system would provide an alternative, we don’t have any current plans to switch to a BGP Anycast based approach.

      Thank you again for taking the time to contribute your feedback.

    20. Allow to assign custom routes on the VNET level (instead of only subnets)

      We configured a custom gateway on Azure. Unfortunately it's not possible to add routes on a VNET level so these routes get applied to all existing and future subnets automatically.

      Basically it would be sufficient to be able to assign UDRs to VNETs.

      9 votes
      0 comments  ·  Virtual Network