Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Enabled configurable session affinity at the load balancer.

      I would like each request from a user to go to the same web role instance. The motivation is performance of cached data.

      Configuration based to IP address, form data, and query string data would be useful. I believe this can be configured at the load balancer.

      In my case, this is a Facebook app, so affinity based on the fbsiguser parameter in the POST data would send the same Facebook user to the same VM instance.

      194 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      13 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    2. Add Custom Apex (Naked) Domains as front end hosts for Azure Front Door Service

      Azure Front Door Service is currently missing the ability to onboard Apex (Naked) Domains e.g. https://contoso.com https://example.com

      It runs on Anycast IP addresses that seem globally consistent for the Frontend host (something.azurefd,net)

      So why not allow me to onboard an Apex domain to the service by creating DNS A and / or AAAA records at the custom zone apex that point to the allocated Anycast IPs? (CNAMEs are not supported at the Zone Apex)

      If the answer is that the Anycast IPs aren't allocated in perpetuity please fix that first then add this feature!

      192 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    3. Allow SSL termination at the load balancer

      Enable us to terminate SSL at the built in load balances to save having to distribute certificates across our VMs and offload the workload from the VMs.

      184 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    4. Provide VNet to VNet Peering Alternative

      I am at a loss to understand why the only option to Peer VNets together is the extremely limited VPN Gateway (High Performance or otherwise), especially in the context of VNet Peers within the same Region. Why are we limited to the VPN GW Bandwidth for VNet traffic occurring entirely within Azure?

      I feel there should be an alternative option for Peering VNets together - at least if they reside in the same Region. Leave the VPN Gateway for external connectivity. This would open up a number of options in regards to Network Topology and make Azure flexibility more comparable…

      181 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      10 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow an HTTP to HTTPS redirect on Azure Front Door

      Allow an HTTP to HTTPS redirect on Azure Front Door.

      183 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow customization of Application Gateway WAF rule matching

      I would like to be able to selectively remove some cookies and some HTTP headers from all rule application scans, on a case by case basis.

      Problem Statement:
      The web application firewall functionality of the application gateway scans the entire HTTP message, without the ability to customize where the scan will occur.

      This leads to false positives where scan pattern matches will detect suspicious characters in URL encoded blobs like security or access tokens, or in other arbitrary places like cookies.

      The following Microsoft tools have caused this problem on my environment:
      - Kudu tools for web applications
      - API…

      175 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      20 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Add HTTP/2 support to Azure Application Gateway

      Add HTTP/2 support to Azure Application Gateway. HTTP/2 has been around for long enough that this should be supported by now. We were disappointed once again after spending time investigating Azure Application Gateway that this is not supported. We shouldn't have to go backwards to use this service.

      168 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      11 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Configurable back-end health check aggressiveness

      Related thread:
      https://social.msdn.microsoft.com/Forums/en-US/75cfb536-71f6-4c88-ac80-ec693f3e6229/azure-front-door-healthcheck-frequency?forum=WAVirtualMachinesVirtualNetwork

      Behind my frontdoor are two "back-ends", each consists of a single web app.

      For each back-end I have configured a health check with interval of 120 seconds. My expectation was that this leads to roughly 30 requests per hour.

      In reality, my application insights shows 64000 requests in the past 24 hours, that's more than 40 requests per minute! A live traffic log confirms this: I see health check requests come in almost every second...

      With the current behavior there is hardly any correlation with the configured "Interval" setting.

      It would be great if there was an…

      165 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      9 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    9. Support for dropping port out of x-forwarded-for header

      Hi,

      I've seen some compatibility issues with the x-forwarded-for header as it comes in on the format IP:Port rather than just IP. It would be useful to be able to adjust this header to just provide IP without the port. I think this should be adjustable, so IP:Port or just IP being available options rather than just one or the other.

      This would help x-forwarded-for being easy to parse on systems that only expect the IP to be sent through.

      Thanks,

      Neil

      160 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. Enable split DNS for providing both public and internal name resolution to VMs in the VNET.

      Amazon Route 53 supports split-view DNS, so you can configure public and "PRIVATE" hosted zones to return different external and internal IP addresses for the same domain names.
      i think a similar capability can be very useful also in Azure

      150 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    11. Adding another NIC to single NIC environment easily (IaaS v2)

      When adding another NIC to single NIC environment in IaaS v2, we receive the following errors:


      Update-AzureRmVM : Virtual machines with multiple network interfaces and virtual machines with a single network interface are not supported in the same availability set, also a virtual machine having a single network interface cannot be updated to have multiple network interfaces and vice-versa.
      StatusCode: 400

      ReasonPhrase: Bad Request

      So we have to delete the VM and recreate the VM with multiple NIC. Adding another NIC is typical scenario, though, we can't do that easily.

      Can you add a feature to add another NIC to…

      150 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →

      Hi there,

      You are now able to add a NIC to those VM sizes that support multiple NICs. The VM must be stopped (+deallocated) to be able to do this.

      Documentation here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
      https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-multiple-nics?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json#add-a-nic-to-an-existing-vm

      — Anavi N [MSFT]

    12. Support for gateway diagnostics in ARM

      The only way to get diagnostics logs from a VNet gateway is via ASM cmdlets. CSP subscriptions do not offer any support for ASM, so troubleshooting is impossible. Please add native support in ARM for retrieving logs from a VNet gateway

      142 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. VNet Peering Limit - INCREASE

      With new concepts like Global VNet Peerings, Virtual Datacenter and Hub-Spoke Topology - VNEt peerings become more and more important.
      Please INCREASE the number of 50x allowed Peerings / Subscription/Vnet

      Many thanks in advance, you are doing a great JOB - keep it UP!
      Catalin

      140 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    14. Allow Swapping of VIP with any two cloud service rolls (including reserved ip support)

      Using cloud services with VM's for development is currently a pain. If you don't use the staging/production setup under one cloud service you are out of luck if you want to do any sort of swapping.
      You should allow swapping the VIP's on any two cloud services (as long as they are in the same affinity group) as this would give far more development flexibility.

      This should work with reserved Ips (if assigned to one or both the web services) also.

      An alternative would just to make the ability to assign and move reserved IP's from one cloud service to…

      140 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    15. Increase Idle Timeout on Internal Load Balancers to 120 Mins

      We use Azure Internal Load Balancers to front services which make use of direct port mappings for backend connections that are longer than the 30 min upper limit on the ILB. That is, our ILBs accept port connections on a nominated set of ports and pass those connections to the backend services running on the same ports.
      We are experiencing dropped TCP connections from clients connecting to the backend services via the ILB. After investigating the issue in collaboration with the Azure Networking Team it was verified that altering the default OS TCP keep alive duration to below 30mins would…

      123 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    16. Enable NSG Flow Logs for secured Storage Accounts

      At the moment, it's apparently not possible to use NSG Flow Logs with secured Storage Accounts, even if the exception "Allow trusted Microsoft services to access this storage account" is enabled on the Storage Account.

      It would be really helpful if you could add the Network Watcher this list of trusted Microsoft servies, so we can use secured Storage Accounts to store our NSG Flow Logs on.

      127 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    17. Add a Network Security Group tag for Azure Service

      Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windos.net is blocked, causing all sorts of issues. The only work around now is to create rules to allow MS datacenter public IP’s and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.

      125 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      9 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    18. blob from azure virtual network

      As we follow PCI standards, we need to specify all outbound IP addresses from our services.
      This is a problem with azure services as IP ranges to Microsoft/Azure datacenters can change weekly.
      We would like to be able to create a site-to-site connection and access our azure resources through an IPSec connection to avoid weekly IP management . As I understand on Azure support, azure virtual network is only available from VMs and not azure services like BLOB storage containers.
      This is much desired!

      125 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Please look at Azure Service Endpoints at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview, it is GA for storage as well as SQL.

      With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

    19. Allow multiple reserved IP addresses be assigned to a single VM

      Currently you can only have one reserved (static) public IP for a given Azure VM. This limits any case where you would want to run multiple SSL enabled sites/applications on the standard 443 port.

      I understand there is support for SNI SSL with host headers but not all applications and devices support this feature. Current competition in you market allow up to 5 IPs. A limit I believe is still arbitrarily low given the power of your larger VM instances available.

      124 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    20. Provide option to change which TLS versions are supported

      Provide option to change which TLS versions are supported - similar to the Azure App Service. This will allow for use of Front Door with PCI compliant apps.

      123 votes
      Vote

      We're glad you're here

      Please sign in to leave feedback

      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base