Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. NPS Extension for Azure MFA (IP Whitelist)

      Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?

      88 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  9 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. create predefined NSG for Azure Datacenters IP Range

      Let's say I have a VM that I want to restrict access from the outside. I want this VM to be accessible from my onprem IPs and from Azure IPs (since a part of my infrastructure is on azure). Since at the moment of discussion ARM VMs do not support static IP address, it will be very useful to create a NSG for allowing traffic only from azure IP ranges. Right now you cannot create such NSG because a NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…

      88 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. Ability to provide custom error response for HTTP errors e.g. 404's

      Ability when 404 is returned by ones origin to have the CDN respond with a preconfigured URL i.e. custom response page.

      86 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  4 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    4. Event Hubs support in NSG Flow logs

      Currently NSG Flow Logs are do not have the ability to publish to Azure Event Hub as other logs do.

      It would be invaluable for this facility to be made available to allow onward transformation of log data (via Azure Functions) prior to ingest into products such as Splunk.

      85 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for your feedback. Today publishing NSG Flow Logs to an Event Hub is not currently supported natively. We will continue to evaluate this suggestion and update the status accordingly.

      Today, if you are interested in transforming and streaming NSG Flow Logs to a 3rd party endpoint, we have published a sample here that leverages an Azure function: https://github.com/Microsoft/AzureNetworkWatcherNSGFlowLogsConnector

      Splunk has also published a blog with guidance on integrating NSG Flow Logging data here: https://www.splunk.com/blog/2017/02/20/splunking-microsoft-azure-network-watcher-data.html

    5. Add effective route for gateway subnet UDR

      Allow effective routes to be viewed for troubleshooting when a UDR is applied to a gateway subnet

      80 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. VM MAC address spoofing

      I wanted to run multiple LXC/LXD containers on a single Linux VM and make them exposed to VNET via a bridged interface to provide services in the private network. That's not possible without VM/VNIC ability of MAC address spoofing. Please support it.

      79 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  4 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    7. Network Security Rules by MAC address also.

      Network Security Rules by MAC address also. Right now the portal only allows filtering via IP address or CIDR block. I would like to allow remote laptops to access but their WAN IP keeps changing.

      78 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Support enabling and disabling NSG rules

      Support enabling and disabling NSG rules

      It would be nice if we could disable rules instead of having to delete them like other firewall products support :)

      77 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    9. add a source tag for Office 365 IPs to NSG Rules

      Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

      Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)

      https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

      77 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      We’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
      We’ll be adding tags for additional Azure services over time.

    10. 76 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. 74 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    12. Network Watcher in Azure Stack?

      Can you provide any guidance on when we could expect to see this awesome tool in Azure Stack? it would be hugely beneficial

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    13. configurable MTU

      I've seen several conflicting recommendations for IPSec tunnel MTU/MSS.

      First and foremost, publishing this (preferably inside the tunnel slice/pane) is a good first step, since it'd allow us to know definitively what we can do.

      Second, and more significantly, I'd like to be able to CHANGE it... preferably by increasing the size... it seems that every time I turn around, the MTU needs to shrink - I'd rather leverage jumbo frames to allow higher throughput.

      71 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Scott,

      Thanks for the feedback – totally understand the pain points and confusion. There are a couple of constraints on the Azure side and also specifically with VPN. The key issue is this is for packets coming over the Internet which we can only assume total packet size of 1500 bytes max. Azure SDN platform performs additional encapsulation on the packets within our datacenter networks, so it will be subtracted from there.

      1. On the Azure VPN gateways, the recommendation is to set TCP MSS clamping to 1350; or if not possible for your device, then set MTU to 1400 bytes on the IPsec tunnel interface. We had updated/clarified the Azure documentation to call that out.

      2. Changing MTU currently is not possible from the Azure VPN gateways. We will take it into configuration, but it will not be possible in the short term due to the scale…

    14. Rename NSG policy

      Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again

      68 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    15. Support WebApp deployment slots for Endpoints

      In the Azure Portal, when configuring an Endpoint for a CDN resource, you can select WebApp. It gives you a nice list of WebApps you have access too. The problem is, if those WebApps are using Deployment Slots for staging (Dev, Test, Prod); you can't add an Endpoint for anything other than the production slot.

      We would like to have a mirrored setup where our WebApp Dev slot is accessible through the CDN.

      The work around is to add a custom origin, which works--but seems like the WebApp feature could be more robust.

      Thanks!

      67 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    16. When Azure-application-gateway will update with support of TLS 1.3

      Akamai-CDN recommended with TLS 1.3 but Azure-application-gateway is not available with the same.
      Due to this issue, we have see url-access issue over Akamai.
      So we have moved to Azure-traffic-manager\Azure-Load balancer.

      66 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. Allow ESP traffic through Azure Loadbalancer

      Azure Load Balancer, for external connections, can support only TCP (Protocol ID “6”) or UDP (Protocol ID “17”).

      It cannot support protocols like ICMP (Protocol ID “1”). As an example, also IPSec (and VPN using it) is not supported since you should open UDP port 500 (that is fine) and permit IP protocol numbers 50 and 51. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through Azure Load Balancer. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally,…

      65 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    18. Migration of VPN Gateway from old to new SKUs

      Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

      61 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

      Thanks,
      Yushun [MSFT]

    19. Custom rules for WAF

      Allow user created rules for WAF.

      61 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  6 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    20. Add location Specific BGP community for O365 routes

      O365 subnets over microsoft peering has the application specific community, but it is difficult to understand which location the subnet belongs to, so please add the location BGP community also with the Application BGP community

      60 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base