Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Add Service Tags to Route Tables/UDR

      Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…

      34 votes
      0 comments  ·  Virtual Network
    2. There is no way for us to find the private IP assigned for the application gateway in the back end. Hence please improve this feature.

      There is no way for us to find the private IP assigned for the application gateway in the back end. Hence please improve this feature. Please have it enabled for the GUI, so that this can be useful to troubleshoot any network issues.

      32 votes
      under review  ·  3 comments  ·  Application Gateway
    3. Manage allowed IP addresses - show and allow to add current IP address with one click (like in the old portal)

      Now you have to know your current IP address and enter it manually to allow access to SQL, which means you need to find out your IP first.

      In the old portal you have the option to add your current IP address with one click (see attached screenshot).

      I would love it if you bring this feature to the new portal.

      32 votes
      under review  ·  0 comments  ·  IP addresses
    4. Make CDN caching optimized for Smooth Streaming

      With Smooth Streaming, because of the latency and low bandwidth during the first access of the video (before it is cached by CDN), Smooth Streaming will choose a low bitrate stream, and the higher bitrate streams may never be cached at the CDN edge server because they are never accessed; or if we are lucky it requires at least many replays of the video before all streams are cached. This is a huge problem with videos not frequently accessed.

      Therefore it should be possible to force a container to cache all blobs within it as soon as one of its…

      31 votes
      under review  ·  1 comment  ·  Content Delivery Network
    5. 30 votes
      2 comments  ·  Virtual Network
    6. Allow upload of DNS zone via portal.

      Allow admins to upload a saved DNS zone via the portal instead of the CLI only.

      28 votes
      0 comments  ·  DNS
    7. Capability to apply WAF rules to each path rule.

      One of the customers wants the capability to apply WAF rules to each path. Can you consider that?

      28 votes
      3 comments  ·  Application Gateway
    8. WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes

      The tx.high_risk_country_codes and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any effect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.

      As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.

      28 votes
      1 comment  ·  Network Security Groups
    9. NSG Master Rule list

      It should be possible to define the list of rules as a master list independent of NSG.
      Once defined, one should be able to use the rules with any NSG from the defined list.
      In most cases, we need to define the same rule again and again for different NSG.
      It becomes very difficult to maintain rules.

      There should also be an option to logically group the rules in the master rule list so that they are easy to search and apply.
      Maybe while creating NSG, all rules in the group of master rule list should…

      26 votes
      1 comment  ·  Network Security Groups
    10. Allow option to choose the SSL endpoint to target for Azure Web App endpoints in Traffic Manager

      There is a limitation with using Traffic Manager with Azure Web Apps/App Services right now.

      See this article: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate#step-3-change-your-domain-name-mapping-ip-based-ssl-only

      When a user combines both IP-based SSL and SNI-based SSL bindings in their app service, SNI-based bindings need to have different DNS configurations in order to work properly. The SNI-based bindings need to target "sni.<appname>.azurewebsites.net" instead of just <appname>.azurewebsites.net.
      It's not possible to directly get to the site at "sni.<appname>.azurewebsites.net" as it's only used for SSL routing in the App Service infrastructure, so you cannot use this URL when adding the App Service as an external endpoint (pinging fails and it…

      23 votes
      2 comments  ·  DNS
    11. Service Groups (tcp/udp) for Network Security Group (NSG) for complex services.

      Sometimes, for services to work, we need many tcp/udp ports. For example, to limit access from DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
      Is it possible to create an object with the needed tcp/udp ports group and apply this service group to one NSG rule?

      23 votes
      1 comment  ·  Network Security Groups
    12. P2S IP address leasing

      Currently our P2S model uses a predefined address space, and then VPN clients are assigned an address out of that pool.

      This is pretty standard.

      What I would like to see is an option to apply lease times to those IP addresses, the same way DHCP normally functions. The reason being most of our VPN connectors are cellular dial-in clients, and they suffer brief disconnects.

      Each time they disconnect and reconnect they receive a new IP address, and we have a service running that then has to re-establish where the client's listener port is, and do a bunch of housekeeping…

      23 votes
      2 comments  ·  VPN Gateway
    13. Support IP address in Backend Pool (Azure Load Balancer)

      Currently you can only include VMs or VMSS within an Azure Load Balancer Backend Pool.

      If we could choose an IP Address we would be able to load balance other resources hosted in Azure as well.

      Our use case:
      Load balance DNS queries (over udp-53) to Azure Container Groups (private IP).

      22 votes
      under review  ·  0 comments  ·  Load Balancer
    14. IPFIX/NetFlow export for traffic visibility

      Give the ability for ExpressRoute traffic to be visualized by an IPFIX/NetFlow tool, i.e. Solarwinds NetFlow, LiveAction LiveNX etc.

      22 votes
      under review  ·  1 comment  ·  ExpressRoute
    15. To have the possibility to set RADIUS timeout on the VPN gateway point-to-site configuration

      When using the new RADIUS authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the RADIUS server. This would make the usage of Azure MFA for VPN authentication possible. (It works now if users are very fast at answering the phone.)

      22 votes
      5 comments  ·  VPN Gateway
    16. Provide dyndns protocols

      Provide dyndns2 and other dynamic DNS protocols for Azure DNS to allow updating from network devices and such.

      21 votes
      2 comments  ·  DNS

      Hi,

      Thank you for your suggestion on feedback.azure.com for Dynamic DNS support in Azure DNS.

      Please can you clarify a couple of points about your suggestion for us:
      1. Are you looking for Dynamic DNS support for Internet-facing domains, or for internal domains?
      2. In the case of Internet domains, how would you expect requests to be secured?

      Thanks!

    17. Support traffic fork/shadowing/mirror on application gateway.

      Support traffic fork/shadowing/mirror on application gateway. Sometimes we need to send shadow traffic to a testing/staging environment, and the best place to do this is the layer 7 load balancer.

      19 votes
      1 comment  ·  Application Gateway
    18. time protocol

      Network Time - Precision Time Protocol (IEEE 1588 std) support

      Azure should provide a known reference service for a network time protocol such as NTP or preferably for the IEEE 1588 standard Precision Time Protocol, or provide this as an option with the Blockchain service.

      19 votes
      under review  ·  1 comment  ·  Virtual Network
    19. Application Gateway Disable Probe

      It's impossible to host non-HTTP processes behind an application gateway due to the health probes. I run a Service Fabric cluster and want the TCP management endpoint (19000) to be available through the gateway so I can take advantage of other offerings. The endpoint is marked as dead since it doesn't respond to HTTP/S requests. If the AGW could support TCP health checks or allow marking a service as always-up I could accomplish my goal.

      19 votes
      under review  ·  0 comments  ·  Application Gateway
    20. allow KMS traffic in Azure Firewall

      Azure Firewall currently blocks by default traffic to Azure KMS servers; this should be included in the built-in to not disrupt license validation.

      18 votes
      under review  ·  1 comment  ·  Network Security Groups