Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Add Custom Apex (Naked) Domains as front end hosts for Azure Front Door Service

      Azure Front Door Service is currently missing the ability to onboard Apex (Naked) Domains e.g. https://contoso.com https://example.com

      It runs on Anycast IP addresses that seem globally consistent for the Frontend host (something.azurefd.net)

      So why not allow me to onboard an Apex domain to the service by creating DNS A and / or AAAA records at the custom zone apex that point to the allocated Anycast IPs? (CNAMEs are not supported at the Zone Apex)

      If the answer is that the Anycast IPs aren't allocated in perpetuity please fix that first then add this feature!

      192 votes
      14 comments  ·  Azure Front Door Service
    2. Provide VNet to VNet Peering Alternative

      I am at a loss to understand why the only option to Peer VNets together is the extremely limited VPN Gateway (High Performance or otherwise), especially in the context of VNet Peers within the same Region. Why are we limited to the VPN GW Bandwidth for VNet traffic occurring entirely within Azure?

      I feel there should be an alternative option for Peering VNets together - at least if they reside in the same Region. Leave the VPN Gateway for external connectivity. This would open up a number of options in regards to Network Topology and make Azure flexibility more comparable…

      184 votes
      10 comments  ·  Virtual Network
    3. Allow SSL termination at the load balancer

      Enable us to terminate SSL at the built-in load balancers to save having to distribute certificates across our VMs and offload the workload from the VMs.

      184 votes
      8 comments  ·  Load Balancer
    4. Allow an HTTP to HTTPS redirect on Azure Front Door

      Allow an HTTP to HTTPS redirect on Azure Front Door.

      183 votes
      7 comments  ·  Azure Front Door Service
    5. Allow customization of Application Gateway WAF rule matching

      I would like to be able to selectively remove some cookies and some HTTP headers from all rule application scans, on a case by case basis.

      Problem Statement:
      The web application firewall functionality of the application gateway scans the entire HTTP message, without the ability to customize where the scan will occur.

      This leads to false positives where scan pattern matches will detect suspicious characters in URL encoded blobs like security or access tokens, or in other arbitrary places like cookies.

      The following Microsoft tools have caused this problem on my environment:
      - Kudu tools for web applications
      - API…

      175 votes
      20 comments  ·  Application Gateway
    6. Add HTTP/2 support to Azure Application Gateway

      Add HTTP/2 support to Azure Application Gateway. HTTP/2 has been around for long enough that this should be supported by now. We were disappointed once again after spending time investigating Azure Application Gateway that this is not supported. We shouldn't have to go backwards to use this service.

      168 votes
      9 comments  ·  Application Gateway
    7. Configurable back-end health check aggressiveness

      Related thread:
      https://social.msdn.microsoft.com/Forums/en-US/75cfb536-71f6-4c88-ac80-ec693f3e6229/azure-front-door-healthcheck-frequency?forum=WAVirtualMachinesVirtualNetwork

      Behind my frontdoor are two "back-ends", each consists of a single web app.

      For each back-end I have configured a health check with interval of 120 seconds. My expectation was that this leads to roughly 30 requests per hour.

      In reality, my application insights shows 64000 requests in the past 24 hours, that's more than 40 requests per minute! A live traffic log confirms this: I see health check requests come in almost every second...

      With the current behavior there is hardly any correlation with the configured "Interval" setting.

      It would be great if there was an…

      165 votes
      9 comments  ·  Azure Front Door Service
    8. Support for dropping port out of x-forwarded-for header

      Hi,

      I've seen some compatibility issues with the x-forwarded-for header as it comes in the format IP:Port rather than just IP. It would be useful to be able to adjust this header to just provide IP without the port. I think this should be adjustable, so IP:Port or just IP being available options rather than just one or the other.

      This would help x-forwarded-for being easy to parse on systems that only expect the IP to be sent through.

      Thanks,

      Neil

      160 votes
      8 comments  ·  Application Gateway
    9. Enable split DNS for providing both public and internal name resolution to VMs in the VNET.

      Amazon Route 53 supports split-view DNS, so you can configure public and "PRIVATE" hosted zones to return different external and internal IP addresses for the same domain names.
      I think a similar capability can be very useful also in Azure.

      150 votes
      5 comments  ·  DNS
    10. Adding another NIC to single NIC environment easily (IaaS v2)

      When adding another NIC to single NIC environment in IaaS v2, we receive the following errors:


      Update-AzureRmVM : Virtual machines with multiple network interfaces and virtual machines with a single network interface are not supported in the same availability set, also a virtual machine having a single network interface cannot be updated to have multiple network interfaces and vice-versa.
      StatusCode: 400

      ReasonPhrase: Bad Request

      So we have to delete the VM and recreate the VM with multiple NICs. Adding another NIC is a typical scenario, though we can't do that easily.

      Can you add a feature to add another NIC to…

      150 votes
      6 comments  ·  Virtual Network

      Hi there,

      You are now able to add a NIC to those VM sizes that support multiple NICs. The VM must be stopped (+deallocated) to be able to do this.

      Documentation here: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
      https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-multiple-nics?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json#add-a-nic-to-an-existing-vm

      — Anavi N [MSFT]

    11. Support for gateway diagnostics in ARM

      The only way to get diagnostics logs from a VNet gateway is via ASM cmdlets. CSP subscriptions do not offer any support for ASM, so troubleshooting is impossible. Please add native support in ARM for retrieving logs from a VNet gateway.

      145 votes
      5 comments  ·  VPN Gateway
    12. Allow Swapping of VIP with any two cloud service roles (including reserved IP support)

      Using cloud services with VMs for development is currently a pain. If you don't use the staging/production setup under one cloud service you are out of luck if you want to do any sort of swapping.
      You should allow swapping the VIPs on any two cloud services (as long as they are in the same affinity group) as this would give far more development flexibility.

      This should work with reserved IPs (if assigned to one or both the web services) also.

      An alternative would be just to make the ability to assign and move reserved IPs from one cloud service to…

      140 votes
      0 comments  ·  Virtual Network
    13. VNet Peering Limit - INCREASE

      With new concepts like Global VNet Peerings, Virtual Datacenter and Hub-Spoke Topology - VNet peerings become more and more important.
      Please INCREASE the number of 50x allowed Peerings / Subscription/Vnet

      Many thanks in advance, you are doing a great JOB - keep it UP!
      Catalin

      140 votes
      3 comments  ·  Virtual Network
    14. Increase Idle Timeout on Internal Load Balancers to 120 Mins

      We use Azure Internal Load Balancers to front services which make use of direct port mappings for backend connections that are longer than the 30 min upper limit on the ILB. That is, our ILBs accept port connections on a nominated set of ports and pass those connections to the backend services running on the same ports.
      We are experiencing dropped TCP connections from clients connecting to the backend services via the ILB. After investigating the issue in collaboration with the Azure Networking Team it was verified that altering the default OS TCP keep alive duration to below 30mins would…

      123 votes
      3 comments  ·  Load Balancer
    15. Enable NSG Flow Logs for secured Storage Accounts

      At the moment, it's apparently not possible to use NSG Flow Logs with secured Storage Accounts, even if the exception "Allow trusted Microsoft services to access this storage account" is enabled on the Storage Account.

      It would be really helpful if you could add the Network Watcher to this list of trusted Microsoft services, so we can use secured Storage Accounts to store our NSG Flow Logs on.

      127 votes
      4 comments  ·  Network Watcher
    16. blob from azure virtual network

      As we follow PCI standards, we need to specify all outbound IP addresses from our services.
      This is a problem with azure services as IP ranges to Microsoft/Azure datacenters can change weekly.
      We would like to be able to create a site-to-site connection and access our Azure resources through an IPSec connection to avoid weekly IP management. As I understand on Azure support, Azure virtual network is only available from VMs and not Azure services like BLOB storage containers.
      This is much desired!

      125 votes
      3 comments  ·  VPN Gateway

      Please look at Azure Service Endpoints at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview, it is GA for storage as well as SQL.

      With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

    17. Add a Network Security Group tag for Azure Service

      Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windows.net is blocked, causing all sorts of issues. The only workaround now is to create rules to allow MS datacenter public IPs and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.

      125 votes
      9 comments  ·  Network Security Groups
    18. Provide option to change which TLS versions are supported

      Provide option to change which TLS versions are supported - similar to the Azure App Service. This will allow for use of Front Door with PCI compliant apps.

      123 votes
      7 comments  ·  Azure Front Door Service
    19. ARM Template support for NSG Flow logs

      Add support to configure NSG Flow logs using Azure Resource Manager template.

      The goal is to have Azure Policy to deploy NSG Flow Log configuration.

      Reference to Docs:
      https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#can-i-configure-traffic-analytics-using-powershell-or-an-azure-resource-manager-template-or-client

      122 votes
      3 comments  ·  Network Watcher

      Great news! ARM Template support for NSG Flow Logs and Traffic Analytics is now available in all regions.

      Useful links:
      1. Documentation: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager
      2. Template Reference: https://docs.microsoft.com/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs
      3. Quickstart Template: https://azure.microsoft.com/en-in/resources/templates/101-networkwatcher-flowlogs-create/

      We will soon be releasing a QuickStart template to make using this feature easier. Stay tuned.

      Thanks for your patience and keep your feedback on the forums coming.

    20. Internal load balancer vnet peering

      Currently when you connect 2 VNETS using a global vnet peer you cannot access internal load balancer between the networks. E.g., if you have a resource behind a load balancer in vnet1 and you try to connect to the load balancer from vnet2 then you cannot connect.

      This causes problems for SQL Server Availability groups running over 2 regions meaning you need an internal load balancer in each region. If you then have a web farm spread over the 2 regions only web servers within the region hosting the listener address can connect to the listener. This basically removes one…

      122 votes
      6 comments  ·  Load Balancer