Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Support Proxy Protocol

      The current Azure Load Balancer implementation does not support the Proxy Protocol as AWS does (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html).

      This makes implementing Openshift on Azure troublesome as the real client IP is not available to backends (https://docs.openshift.com/container-platform/3.9/install_config/router/proxy_protocol.html).

      The proxy protocol allows pass-through of real client IPs to the backend application for TCP load balancer setups. This may be particularly important for Openshift deployments or the like, where the certificate management should be done in the PaaS platform (on the router) and not on the ELB.

      Right now the Openshift template from MS (https://github.com/Microsoft/openshift-origin) uses TCP proxy setup.…

      3 votes
      4 comments  ·  Load Balancer

      Thank you for your feedback.

      Azure Load Balancer does not terminate connections, it is not a proxy, and does always preserve the source IP address of the inbound flow.

      We don’t provide logging from the Load Balancer resource itself, but you can use NSG flow logs to retrieve flow information as needed.

    2. PowerShell Command for Associating Backend Pools to InboundNAT rules on a Load Balancer

      Need a PowerShell command to allow association of an existing Backend Pool to an InboundNAT rule as currently this can only be achieved manually after rule creation and is extremely tedious and time consuming.

      3 votes
      0 comments  ·  Load Balancer
    3. Test alert for diag log.

      I want to confirm whether LB can send diagnostic logs to the storage account, but I couldn't manage to put any logs there intentionally. So I hope we can use a test alert for diagnostic logs.

      3 votes
      1 comment  ·  Load Balancer
    4. Specify custom routes for P2S VPN

      I have to modify the routes.txt file to add additional routes for the VPN. Please provide the ability to specify user defined routes for the P2S VPN client.

      4 votes
      1 comment  ·  VPN Gateway
    5. Virtual machine scale sets NSG support

      Virtual machine scale sets (VMSS) do not have any feature which can allow blocking certain IP addresses from accessing it via load balancer. It would be great to have network security group support for VMSS to allow blocking unwanted traffic from the internet.

      3 votes
      1 comment  ·  Network Security Groups
    6. Provide access logging of the load balancer

      It would be great if we could get a log of all connections served by the load balancer, including the date/time, source IP:Port, the backend server it had forwarded to, connection duration, etc.

      3 votes
      declined  ·  1 comment  ·  Load Balancer
    7. Allow a VPN device to be configured using a domain name instead of an IP address

      Please allow the VPN device, when creating a site-to-site connection, to be set up using a domain name instead of an IP address.

      This will allow sites with dynamic IPs to connect and also sites with dual-WAN to fail over to the secondary line without requiring expensive dual-circuit lines.

      3 votes
      1 comment  ·  VPN Gateway
    8. Provide wider range of config options similar to HAProxy

      Currently, the available config options of ILB are very limited and thus we have to somehow rely on an HAProxy setup to achieve specific load-balancing needs. It would be nice if you could extend and mimic the options of HAProxy, most notably weights, custom ACLs along with custom probe settings.

      3 votes
      0 comments  ·  Load Balancer

      Thank you for your suggestion. I’m going to decline this for now as the Azure Load Balancer is a TCP & UDP load balancer and does not have layer 7 functionality. Application Gateway or a 3rd party product may be a solution for the interim. I have noted the ask, but any change to this for Azure Load Balancer would be long term.

      That said, we are looking at weighting, ACLs, and probe enhancements again now.

    9. New Small size template with multiple NICs

      It is not allowed to have more than 2 NICs for a small size VM. Create a new VM template group with NICs as the central resource or add Small size templates to existing groups with more NICs.

      3 votes
      declined  ·  0 comments  ·  Virtual Network
    10. Test alert for LoadBalancerAlertEvent.

      I can't confirm whether ALB can put diagnostic logs to a storage account. I hope we will be able to put a test alert in the future.

      3 votes
      0 comments  ·  Load Balancer
    11. Allow domains and wildcards in Network Security Groups

      Network Security Groups only allow us to use specific resources, tags, and IP ranges. Many APIs and other tools add/remove/change IP ranges regularly, given that clients are expected to point to the domain endpoint (e.g. smtp.gmail.com, Slack API webhooks, etc.).

      If we have to get new IP ranges and add them to NSGs, it creates an extra task. We should be able to use domain names/FQDNs/etc. with wildcards (e.g. *.gmail.com, *.slack.com) for NSG allow or deny rules so we have one less administrative task.

      3 votes
      0 comments  ·  Network Security Groups
    12. Allow multiple routes with weighting for the same address prefix

      I'd like to be able to add the same address prefix multiple times in a route table with weighting differing next hops for DR reasons.

      3 votes
      0 comments  ·  Virtual Network

      Thanks for sharing your feedback.

      For Highly Available configuration, we recommend using Standard Load Balancer with HA ports configuration.

      UDR with the same prefix would require an orchestration to switch the preference in order to change the routing behavior; this might give you unexpected downtime.

    13. Load balancer inbound NAT rule to arbitrary IP

      Having an IPSec to on-prem, I would like to leverage an Azure Load Balancer to provide inbound NAT to services hosted on a private network (across the IPSec tunnel).

      Currently LBs can only direct to a VM or Availability Set, not user-specified IPs.

      It might make sense to create a "Private IP Address" resource type that would identify the 1..N addresses that the LB is NAT'ing to... or just let me plug in 1..N addresses.

      3 votes
      0 comments  ·  Load Balancer
    14. Allow Traffic Manager to be enabled for Basic-tier Web Sites

      At the moment only Standard Web Sites can use it.

      3 votes
      0 comments  ·  DNS

      Thank you for the suggestion.

      Our usage scenarios for Traffic Manager with Websites are focused on high availability / high performance applications. As such, we took the business decision that this feature should be limited to ‘Standard’ tier Websites.

    15. Vnet Integration Front Door

      VNET integration

      We are currently using Application Gateway for a lot of our inbound traffic and are considering moving to Front Door Service when GA, but I have just noticed that there is no option to integrate into a VNET, or am I wrong?
      This would be a prerequisite option for us to move.

      3 votes
      1 comment  ·  Azure Front Door Service

      AFD can only route to public VIPs/FQDNs and cannot route to private IP spaces and thus also doesn’t support VNET integration. This is by design and we do not plan to add this support any time in the near future. One of the ways you can achieve this is by routing traffic from AFD to an Application Gateway/Standard Load Balancer tied to your VNET.

    16. Not to convert the service for famous port number when configuring the NSG rule

      Currently when creating a new NSG rule in the portal or PowerShell with a famous port number as the service, the service will be converted to the pre-defined one even if I choose custom service. I want the service to remain the custom one.

      3 votes
      0 comments
    17. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      3 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass-through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
      — Christian

    18. What's happening with 'legacy' Virtual Network Gateways?

      So the documents all describe 'Basic', 'Standard' and 'High Performance' SKUs as being 'Legacy'.

      I'm assuming this means that they are no longer being actively maintained and are likely to be made obsolete in the near future?

      If so, why is 'Basic' contained amongst the new Gateways on the pricing page? https://azure.microsoft.com/en-gb/pricing/details/vpn-gateway/

      There is a huge price difference between 'Basic' and 'VpnGw1'. I'm comfortable paying for 'VpnGw1' in my production environment but not comfortable spending that much for my test environments.

      So if I want to maintain consistency and eliminate variables between my environments I just have to pay for…

      3 votes
      5 comments  ·  VPN Gateway
    19. Allow wildcard certificates for Custom Domain https in Azure Front Door Service

      It would be great for a Front Door Managed certificate if there was an option to request a wildcard for the domain you wish to onboard to the Azure Front Door Service.

      3 votes
      2 comments

      Customers can anyway upload a wildcard certificate in the case of Bring Your Own Certificate scenario. Additionally, given that Front Door at the time of onboarding the custom domain has only validated the ownership of the specific domain, we cannot really generate a wildcard certificate. This ask would only be relevant if AFD already supported onboarding wildcard domain names (*.contoso.com) which isn’t the case today.

    20. Application Gateway WAF logs need request body.

      It is difficult to take measures if you do not know what was examined by POST method.
      I want not only query strings in GET method but also request body of POST method.

      3 votes
      1 comment  ·  Application Gateway