Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. KMS / RHUI service endpoint

      Could you kindly add service endpoint for KMS and RHUI.
      It will really helpful for managing VMs without SNAT Public IP.

      59 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    2. NSG/ASG management and monitoring

      add capability to modify and monitor NSGs and ASGs.

      58 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    3. Application Gateway should support OAuth2 and/or JWT token validation

      Azure Application Gateway should support OAuth2 and/or JWT token validation so it can be used as a reverse proxy.

      55 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Feature request: Changing idle timeout for Application Gateway with private IP address.

      Currently we can specify timeout only to a public IP address of Application Gateway. But we can’t change the timeout of a private IP of Application Gateway. Can you add a new feature to allow us to specify timeout for private IP address too.

      54 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. Be able to manage Role/Action at subnet level inside a vnet

      In ARM and RBAC model : Possiblity to have the subnet as an independant resource to be able to say using RBAC : "i want my user1 to be able to deploy VM to subnet 1 and 2 but not 3 because subnet 3 is an infrastructure subnet unhautorized to users."

      51 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    6. Make Traffic manager able to access Web Apps that uses Authentication

      Traffic manager is currently unable to get the status of a Web App that's using the Authentication/Authorization (simple auth) feature. It would be nice if it could use some kind of service account (or similar) to get authenticated and get the Web App status but still have the security features intact.

      50 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  4 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    7. designate set of name servers to all self hosted dns zones

      When maintaining DNS Records in Azure, you have to update registrars records to use name servers assigned to a domain. Now that those nameserver sets varies, it takes extra effort to create Records, specially if you have to do it manually.
      It would be easier if you could try and use same set of name servers to all dnz zones for the dns zones you are maintaining.

      49 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the suggestion. We are tracking this on our backlog.

      Some background: Azure DNS supports multiple name servers, which are dynamically assigned as zones are created. This allows us to let customers create zones without first proving that they own the domain name (since if we supported only a single name server set, we couldn’t allow just anyone to create a zone and thereby block the legitimate domain name owner). Domain proof-of-ownership checks are a significant hassle, so it’s important that we avoid them where possible.

      Having said all that, I do understand that in some scenarios having a consistent set of name server names is desirable, and we are considering options for how we might support this in future.

    8. subnet expansion

      It would be nice if you could expand a subnet without having to remove all of the cloud services and VMs from the subnet. In our case we will have to destroy all of our subnets to expand one subnet. This is very inconvenient (yes we opened a support ticket).

      Additionally, make the tool available that the internal Microsoft support people use that creates a nice table of the various components of the subscription (I don't need to know datacenter, node, cluster). I've only seen snippets of the tables, but they are better than what I am getting from either…

      48 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. Block out access to azure resources from outside

      I am looking for a way to completely block out access to azure resources from outside of Japan. An access from abroad is most likely from a person who are not from our company.

      Recently, I am terribly worried because there are a lot of illegal access from the outside country. It's very reassuring to have the ability to shut off foreign access in Azure. This scenario is difficult to achieve because the NSG feature has a limit in a number of IP addresses which can be restricted.

      45 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    10. Signed cookie in CDN

      Enable authenticated access to CDN without the need to change URL or headers. This is especially useful for referencing a static web page in an IFRAME.

      Scenario. When user signs in to example.com, we would first redirect users to a non-cached page on CDN cdn.com, which would set the signed cookies, before redirecting back to example.com.

      On example.com, we have an IFRAME that references a static webpage on cdn.com. The static webpage references other images, JavaScript and CSS on cdn.com. The access to the webpage and other resources are authenticated by the signed cookie.

      AWS implementation http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

      45 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →

      If you are using Azure CDN from Verizon Premium, you can open a technical support case to have this capability setup for you via the rules engine. Overall you would use the token authentication capabilities in Azure CDN from Verizon Premium to accomplish this – https://docs.microsoft.com/en-us/azure/cdn/cdn-token-auth. With token authentication the signed token is sent by default in the query string for your URL’s. The capability you are looking for is the ability to instead have the token sent as a cookie in the client request to the CDN.

      We will look at enabling this capability long term without the need to open a support case.

    11. Add Service Tags to Route Tables/UDR

      Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…

      43 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    12. Support the proper use of webfonts on Azure Websites using Azure CDN

      We need an easy way of setting the http protocol "access-control-allow-origin" on webfonts used on Azure Websites and distributed via the Azure CDN. Please make the CDN service respect http-protocol settings in the web.config file on Azure Websites.

      42 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    13. Replicate NSG to new region when using Azure Site Recovery

      This is really needed feature!
      The benefit having this is when setup Azure Site Recovery, which replicates VNET and VMs to a different region BUT there is no way to replicate NSGs! Manual work to replicate all security rules from one NSG in source region to another NSG to target region can take up hours if there are 200+ security rules !

      Please implement this.
      Thanks

      41 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. Add option to connect or disconnect vpn

      In ASM model, we have an option to connect or disconnect an vpn connection. Now in arm model if we need to disconnect a vpn we need to delete the connection and if we need to connect the vpn we need tonrecreate thw connection

      40 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. We need the new configuration in Azure Traffic Manager.

      We need the new configuration in Azure Traffic Manager.

      When prior region is replying intermittent healthy response to Traffice Manager, It occurs Failover and Failback repeatedly.
      (e.g. In case the endpoint returns HTTP 500 intermittently by some system failure, if TM receives HTTP 200 by luck when TM probes there, TM sends requests to troublous endpoint until next probe chance.)

      We need the configuration that manual Failback.

      39 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    16. Add a system route for KMS

      Could you please add a system route to the KMS server. (kms.core.windows.net / 23.102.135.246)
      When using forced-tunneling, we must set an UDR to the KMS manually.

      38 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    17. NAPTR Support (Name Authority Pointer)

      Support NAPTR records with Azure DNS. These are primarily used to complement SRV records which you currently support.
      https://en.wikipedia.org/wiki/NAPTR_record

      38 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    18. Integrate Windows IPAM with Azure DHCP

      Integrate Windows IPAM with Azure DHCP services.
      Some info can be gathered for domain members using DDNS, but not for appliances and other services not using DDNS...

      37 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add DNS names to NSG source/ destination options like we currently can with IP addresses and tags

      Enable NSGs to use DNS names instead of only IP addresses, Tags and any. A lot of services have very dynamic IP adresses. Using DNS names would help a lot.

      35 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    20. Adjust route based VPN vNet gateway traffic selectors

      We use routes based VPNs for most connectivity to Azure. However, we do have some policy based VPNs that need access to Azure as well.

      Unfortunately, it doesn’t appear that Azure lets you configure the local network prefix When using traffic selectors in IPSEC.

      This is extremely common on network equipment outside of Azure. I’ll reference an example with a Juniper SRX.

      https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-traffic-selector-configuring.html

      Azure automatically uses every prefix configured within a vNet as the local prefix. It’s my hope that we can configure this per ‘Connection’ when using traffic selectors.

      Can we have this feature considered?

      Thank you.

      35 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base