Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Azure Firewall - FQDN Based NAT!

      I strongly hope AzureFirewall has "FQDN-based-Nat" function!!!

      20 votes
      triaged  ·  0 comments  ·  Azure Firewall
    2. Azure Application Gateway CPU Utilization Metric

      The Application Gateway offering provides quite a few useful metrics, but lacks some core performance metrics. Please, at a minimum, provide a metric and alert for CPU utilization of the instances behind an Application Gateway. When CPU utilization is not monitored at this level, it can affect the performance of dependent applications.

      19 votes
      triaged  ·  1 comment  ·  Application Gateway
    3. Support PATCH requests for networking resources

      When I do an ARM deployment of a storage account, give it tags and an IP whitelist, then re-deploy the ARM template without specifying the account's tags or IP whitelist property, it will keep all properties which were not specified in the template and not change them. Perfect for idempotent PATCH-semantics re-deployments.

      Try the same thing with network resources: route tables, virtual networks, firewall, front door and my tags will be wiped, and my existing configuration will be wiped out unless I provide all properties.
      This seems to hold true for all resources that do not support PATCH method in the API.

      Suggestion…

      18 votes
      triaged  ·  0 comments
    4. Virtual WAN - BGP Routes

      Currently we are unable to efficiently verify what routes have been learnt when BGP has been established for Virtual WAN.

      Could the team consider the creation of a PS Cmdlet or AZ CLI cmd to allow for engineers to check what routes have been learnt when BGP has been established for Virtual WAN.

      18 votes
      triaged  ·  0 comments  ·  Virtual WAN
    5. Add deployable sub-resources of Azure Firewall

      When deploying via ARM or API, you can separately deploy Subnets to Virtual Networks. This is useful for "append" type deployments to existing Virtual Networks.

      Same would be useful for Azure Firewall and its array sub resources, such as NAT rules, IP configurations, Network rules and Application rules.

      18 votes
      triaged  ·  0 comments
    6. Azure Firewall geo based rules

      Support for geo-based rules in Azure Firewall.
      I.e., any traffic from Country A will be blocked.

      18 votes
      1 comment  ·  Azure Firewall
    7. Application Gateway frontend PublicIP should allow a Reverse FQDN

      Currently Application Gateways can have Public IPs with a DNS label, however modifying the Public IP adding an FQDN via:

      $pip.DnsSettings.ReverseFqdn = "<my.domain.com>"

      is currently not allowed. This is a request to allow Reverse FQDNs for Application Gateway frontend Public IPs.

      -Chris Jackson

      17 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. Allow control of the ARRAffinity set cookie response header

      Problem:
      When a request for contoso.com hits an Azure App Gateway and the back end is routed to contoso.azurewebsites.com, the set ARRAffinity cookie response includes the optional domain attribute (as per RFC6225 Page 22) that specifies "contoso.azurewebsites.net", causing the user agent to never write the cookie since the Domain attribute doesn't match the requested domain.

      Proposed Solutions:
      Solution #1
      Give us a way to disable the Set Cookie: domain attribute similar to the way we can add a "Arr-Disable-Session-Affinity" response header to disable the cookie entirely. I'm suggesting an "Arr-Disable-Session-Affinity-Strict-Domain" response header to tell the ARR proxy not to write…

      17 votes
      triaged  ·  2 comments  ·  Application Gateway
    9. Allow the Front Door WAF to block/allow by the Socket IP, and not just the Client IP

      Currently, the option to block by IP on the Azure Front Door WAF only allows you to block by the RemoteAddr IP, which is the Client IP. We use a reverse proxy so need the ability to block by what is called the SocketIP in the Azure WAF Logs.

      15 votes
      0 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    10. FIX ROUTING between brazil and uruguay in south brazil azure datacenter

      There is a problem with the South Brazil Azure datacenter. It has an error when it connects to 'Antel' (Uruguay's ISP), causing an increment of ping of 100ms.
      I don't know exactly what is happening, but from searching and testing I suppose that it is the Azure server.
      I ran numerous ping tests to different servers in Brazil and the ping was pretty low (60ms approximately), but with the 'Azure Ping Test 2.0' I can conclude that they are Azure problems (maybe routing?). Anyway, I will attach two image files, the first one is the ping test to AWS (Amazon Web Services) and the…

      15 votes
      triaged  ·  0 comments
    11. Allow flags to be set on the Application Gateway Affinity Cookie

      Our security team is telling us that the cookie from the application gateway is failing security scans because the secure and httponly flags are not set.

      14 votes
      1 comment  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    12. ASG across vNets

      ASGs are absolutely wonderful stuff. It would be good to have added features of ASG across subscriptions/VNets and any possibility of specifying hostnames.

      14 votes
      0 comments  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    13. Custom error pages for Azure Frontdoor

      Allow us to configure custom error pages in Frontdoor. Ie, whenever I deploy my app, there's a momentary blip on the restart where Frontdoor displays a generic "Our services aren't available now". It would be nice to be able to configure this - either a custom message or fully link over to a static page in a storage account.

      13 votes
      triaged  ·  1 comment  ·  Azure Front Door Service
    14. Azure Firewall - Allow rules for any port on FQDNs

      Currently there is no option to allow connections to FQDNs through the Azure firewall unless the connection is on port 80 or 443.
      This means that we can't secure connections from IaaS VMs to services such as Service Bus which requires ports 9350-9354.
      Currently the only other alternative is a 3rd party NVA.

      13 votes
      0 comments  ·  Azure Firewall

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    15. VPN Show configuration

      Ability to see COMPLETE configuration of the VPN connection. See all the parameters of Phase 1 and 2, hash and encryption algorithms, PFS, DPD, SA, etc.

      12 votes
      triaged  ·  0 comments  ·  VPN Gateway
    16. Allow IP range whitelist for Application Gateway WAF IPS/IDS

      We have a range of web apps behind an Application Gateway (WAF in IPS mode) that need to be scanned on at least a monthly basis for PCI compliance. We need to be able to whitelist the range of the scanners used by Qualys, otherwise we get a FAIL for "Possible Scan Interference".

      Threat:
      Possible scan interference detected.

      A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
      The PCI ASV is required to post fail if scan interference is detected.

      12 votes
      triaged  ·  0 comments  ·  Application Gateway
    17. NVA Public IP

      Ability to assign a Public IP to an NVA interface, without going through the Azure internal NAT, like an on-premises firewall. Currently, Azure creates interfaces with Private and Public IPs, but only permits assigning a Private IP to the NVA interfaces.

      12 votes
      triaged  ·  0 comments  ·  IP addresses
    18. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      12 votes
      triaged  ·  1 comment  ·  Azure Firewall
    19. VPN Debug

      Ability to execute a debug on the Azure VPN (Connection - Local Network Gateway) and be able to see the logs in real time of traffic between the peers of the VPN. For example, why a phase 1 or 2 is failing, why the encryption domain matches or not, etc., like an on-premises VPN does. Talking to the Azure support team, they tell us that there is currently a way to do it, but it is only allowed for the support team, not for Azure users. This makes us lose a lot of time raising a ticket, just to see a debug.

      12 votes
      triaged  ·  0 comments  ·  VPN Gateway
    20. Azure NVA Packet Capture

      Packet capture between any Azure component (Load Balancer, App Gateway, etc.) and the NVA interfaces. Any way to capture inbound/outbound traffic associated with an NVA interface, like port mirroring. It would be very helpful when troubleshooting.

      12 votes
      triaged  ·  0 comments