Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Support rewriting HTTP headers

      In order to have more control over accessing multiple services through one facade provided by Front Door, it'd be nice to have an opportunity to rewrite/add some HTTP headers when needed. Using rewriting, it'd be possible to protect apps by creating some checks on an added header value (e.g. 'x-frontdoor-key') on the app side. It'd make it possible to be sure that all requests are coming through the WAF.

      37 votes
      triaged  ·  4 comments  ·  Azure Front Door Service
    2. Azure Front Door - cache Key Vault sourced certificates

      We use Front Door to host multiple clients under the same domain, and configured HTTPS with a wildcard certificate sourced from Azure Key Vault. The same source Key Vault, secret name and secret version is used for all frontend endpoints configured.
      Customer DNS records:
      customer1.domain.com -> frontdoorname.azurefd.net
      customer2.domain.com -> frontdoorname.azurefd.net
      customer3.domain.com -> frontdoorname.azurefd.net

      Wildcard certificate in Key Vault *.domain.com

      Every time a new client front end is added and HTTPS configured for it, the certificate is deployed again, which takes 20 minutes. Front Door should recognize that the same version of the same certificate has already been uploaded before and…

      36 votes
      triaged  ·  1 comment  ·  Azure Front Door Service
    3. Allow SSL/TLS configuration on Azure Frontdoor

      Allow option to configure SSL protocols and best practices, same as an application gateway on Azure front door service.
      Currently, Azure Frontdoor supports TLS 1.0 as well, there should be an option to select protocols as well as the cipher suite.

      35 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    4. Azure AppGateway same port can't be used on both private and public IP

      Currently we have an app gateway deployed, we have several listeners that are on a private IP address, (for internal users) the plan was to also make these sites available on an external IP on the same app gateway.

      However it appears once a port has been assigned in a listener, it can not be assigned to another listener with a different front end port.

      A ticket was raised with MS ref: :118062518450635.

      34 votes
      1 comment  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    5. HTTP -> HTTPS redirect routing shouldn't count in the price

      The current pricing of Azure Front door service is $0.03 per hour per routing rule (~27$ per month per routing rule). Adding a rule for simple HTTP -> HTTPS redirect immediately increases the cost by $27 per month.
      Who am I to suggest prices, but I think it would be nice if a simple HTTP -> HTTPS redirect didn't count in pricing.

      32 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    6. Integrating App Service on the existing VNET that already has a static (or dynamic) IP.

      I want to integrate App Service on the existing VNET that already has a static (or dynamic) IP.

      31 votes
      triaged  ·  1 comment  ·  Virtual Network
    7. Add support for Azure Network Security Group Inbound rules to the Azure Application Gateway

      • In Azure, we CANNOT apply an inbound NSG rule with the destination public IP of the APPGW to allow/block traffic to this APPGW. We know this is by design:
      Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic.
      • Even for VM level public IP, we cannot allow/block traffic via inbound subnet level NSG with that destination public IP
      • The workaround I can think of is to deploy each gateway to dedicated subnet then…

      27 votes
      triaged  ·  0 comments  ·  Network Security Groups
    8. Ability to connect Azure Virtual Network Gateway to AWS Transit Gateway through VPN

      Ability to connect Azure VNet to AWS VPC through Azure Virtual Network Gateway and AWS Transit Gateway through VPN connection with BGP. Found 169.x.x.x AWS use for tunnel IP in routed VPN but Azure uses it for reserved range and that causes conflict right now.

      26 votes
      triaged  ·  0 comments  ·  VPN Gateway
    9. Pathbased rules are case sensitive for WAF_v2

      Hello,
      It seems as the 'Paths' of Pathbased rules of Azure Application Gateway with tier 'WAF_v2' are case sensitive.

      E.g.: when the pathbased rule path is /foo, only 'http://gatwaydns:port/foo' will fire that path rule while 'http://gatwaydns:port/Foo' will not.

      This can become blocking if there exist multiple clients where case sensitivity has not been of concern.

      Please fix.
      Thanks.

      25 votes
      triaged  ·  3 comments  ·  Application Gateway
    10. Azure firewall application rule does not support non-http80/http8080/https443 protocol, for example SMTP. Please add the new feature.

      In order to inspect access to smtp.office365.com through Azure firewall, and leverage target FQDN in application rule, please add SMTP protocol support since currently AFW does not support non-http80/http8080/https443 protocol.

      24 votes
      triaged  ·  2 comments  ·  Azure Firewall
    11. Azure Firewall with Just in Time Access

      With the latest just in time access support for Azure Firewall, DNAT rules are added when access is requested to the private IP. We have secure servers without public endpoints secured by JIT. As soon as a request is made to access port 3389, Azure Firewall NATs a port (13389) on its public endpoint mapped to our server. There is no notification of this happening at the time of the JIT request. It would be great to have a feature that would allow the DNAT setting to be disabled when requesting access through JIT.

      24 votes
      triaged  ·  0 comments  ·  Azure Firewall
    12. Disable BGP Route Propagation for Peered VNETs

      Currently, the BGP Route Propagation for Peered VNETs only affects routes learned from the Gateway Subnet. For customer scenarios where all traffic should be forwarded over NVAs, it would be good if an option to disable propagation from Peered VNETs were available. Otherwise, multiple static routes are required.

      23 votes
      triaged  ·  5 comments  ·  Virtual Network
    13. Microsoft could be a provider of domain registrations.

      Currently we use Registro.br, Godaddy, 101Domain, Amazon Route 53, Google Domains among others for domain registrations. Microsoft could be a provider of domain registrations. It would be another service that would add to the cloud services already offered by Microsoft. Having everything centralized would be ideal, all in one invoice and customer loyalty.

      23 votes
      triaged  ·  0 comments  ·  DNS
    14. Grant the ability to add and advertise static routes from an Express Route gateway

      We have a scenario where we would like to use an NVA as a gateway in between both our on premise and Express Route connected VNETs and a new VNET that is not directly peered with the Express Route gateway VNET.
      On Premise/Peered VNETS <----> ExprRt VNET<----> NVA VNET<---->NEW VNET
      Since the NEW VNET is not peered with the ExprRT VNET, the address space is not advertised down the express route to the on premise environment. We would like the ability to both add and advertise static routes from the express route gateway or via a UDR attached to the…

      22 votes
      2 comments  ·  ExpressRoute

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    15. Add Outbound internet traffic routing capability for Azure Internal Load balancer

      The Azure Internal Load Balancer (Standard tier) has a limitation on outbound connectivity for Azure VMs that do not have a Public IP associated with them.
      https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections

      We have Azure Microsoft SQL Virtual Machines that should not have any Public IP associated with them for security reasons. We had to use Azure ILB for the MS SQL Always On configuration. We had to use some of the Standard tier features. We are having issues with outbound connectivity for the configuration. It would be ideal if Microsoft could also add to the Standard SKU the outbound connectivity feature available in the Basic SKU.

      22 votes
      triaged  ·  0 comments  ·  Load Balancer
    16. Allow RegEx Search Patterns for URL Path Patterns in Front Door Rules, and Multiple Wildcards

      Right now, Azure Front Door URL Path Patterns support matching through only one wildcard (asterisk)
      that currently must be preceded by a slash and must appear at the very end of the URL Path Pattern.
      This is still true as of September 1, 2019.

      For some use cases, it is crucial to have much more control over each URL path pattern, than the current existing functionality in Azure Front Door.

      We would like to see the possibility to have more versatile rules in Azure Front Door, including both of the following:

      1) The ability to place more than one wildcard…

      22 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    17. Allow GRE packets in Azure virtual networks for the purpose of configuring a PPTP VPN within an Azure VM

      This is to allow those who do not have access to on-premises devices to be able to connect to the on-premises VPN using the credentials that were provided to them. In my case, site-to-site, point-to-site and other VPN connection methods offered by Azure are inadequate as they require installing or configuring something on site and I do not have access to any of the on-premises resources.

      21 votes
      0 comments  ·  VPN Gateway
    18. Support to retrieve effective route of Azure Firewall

      I believe Azure Firewall doesn't support retrieving effective routes at this moment. If we advertise a lot of routes from on-premises or if we have a hub-spoke setup, it's hard for us to know how Azure Firewall forwards the traffic. Can we add this feature? Thanks!

      21 votes
      triaged  ·  0 comments  ·  Azure Firewall
    19. Azure Firewall - FQDN Based NAT!

      I strongly hope AzureFirewall has "FQDN-based-Nat" function!!!

      20 votes
      triaged  ·  0 comments  ·  Azure Firewall
    20. Add option to detach specific files from the Azure Front Door dynamic cache

      When you host a SPA (Single Page Application) on an Azure Blob storage with Azure Front Door (with dynamic caching activated):

      Every time you release a new version of the app, users have to force-reload the page in order to get the new version.
      Because the links to the new assets (like main.***.js, ...) are located in the index.html, which has been cached.

      I was able to solve it:
      1. Let the Azure CLI set the Cache-Control header to "no-cache" on the index.html after pushing it to the blob storage:
      az storage blob update --account-name $(storageAccount) --container $web --name index.html --content-cache-control…

      20 votes
      0 comments  ·  Azure Front Door Service

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
