Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Add Service Tags to Route Tables/UDR

      Include the ability to add Service Tags to UDRs. We have experienced that while many times services require NSGs to be open for a Service, many users have a default route in the Route Tables to push traffic through network virtual appliances. To circumvent having to put an entire datacenter range IP on UDRs to get services to work, there should be Service Tags in the UDR destination field in order to be able to add specific services the ability to talk to VNET-joined services. A good example of this is API Management. While the team does not support a…

      25 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    2. Allow upload of DNS zone via portal.

      Allow admins to upload a saved DNS zone via the portal instead of the CLI only.

      24 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    3. Allow option to choose the SSL endpoint to target for Azure Web App endpoints in Traffic Manager

      There is a limitation with using Traffic Manager with Azure Web Apps/App Services right now.

      See this article: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate#step-3-change-your-domain-name-mapping-ip-based-ssl-only

      When a user combines both IP-based SSL and SNI-based SSL bindings in their app service, SNI-based bindings need to have different DNS configurations in order to work properly. The SNI-based bindings need to target "sni.<appname>.azurewebsites.net" instead of just <appname>.azurewebsites.net.
      It's not possible to directly get to the site at "sni.<appname>.azurewebsites.net" as it's only used for SSL routing in the App Service infrastructure, so you cannot use this URL when adding the App Service as an external endpoint (pinging fails and it…

      23 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    4. Replicate NSG to new region when using Azure Site Recovery

      This is really needed feature!
      The benefit having this is when setup Azure Site Recovery, which replicates VNET and VMs to a different region BUT there is no way to replicate NSGs! Manual work to replicate all security rules from one NSG in source region to another NSG to target region can take up hours if there are 200+ security rules !

      Please implement this.
      Thanks

      23 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    5. Capability to apply WAF rules to each path rule.

      One of the customer wants capability to apply WAF rules to each path. Can you consider that?

      22 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Application Gateway should support OAuth2 and/or JWT token validation

      Azure Application Gateway should support OAuth2 and/or JWT token validation so it can be used as a reverse proxy.

      22 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Service Groups (tcp/udp) for Network Secrurity Group (NSG) for complex services.

      Some time for services to work we need many tcp/udp ports. For example to limit access from DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
      Is it possible to create object with needed tcp/udp ports group and apply this service group to one NSG rule.

      22 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. 20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. P2S IP address leasing

      Currently our P2S model uses a predefined address space, and then VPN clients are assigned an address out of that pool.

      This is pretty standard.

      What I would like to see is an option to apply lease times to those IP addresses, the same way DHCP normally functions. The reason being most of our VPN connectors are cellular dial-in clients, and they suffer brief disconnects.

      Each time they disconnect and reconnect they receive a new IP address, and we have a service running that then has to re-establish where the client's listener port is, and do a bunch of housekeeping…

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. time protocol

      Network Time - Precision Time Protocol (IEEE 1588 std) support

      Azure should provide a know reference service for a network time protocol such as NTP or preferably for the IEEE 1588 standard Precision Time Protocol, or provide this as an option with the Blockchain service.

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    11. To have the possibility to set radius timeout on the VPN gateway point to site confguration

      When using the new radius authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the radius server. This would make the usage of Azure MFA for VPN authentication possible. (IT works now if users are very fast at answering the phone)

      19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Provide dyndns protocols

      Provide dyndns2 and other dynamic DNS protocols for Azure DNS to allow updating from network devices and such.

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →

      Hi,

      Thank you for your suggestion on feedback.azure.com for Dynamic DNS support in Azure DNS.

      Please can you clarify a couple of points about your suggestion for us:
      1. Are you looking for Dynamic DNS support for Internet-facing domains, or for internal domains?
      2. In the case of Internet domains, how would you expect requests to be secured?

      Thanks!

    13. HEAD requests to monitor health

      It would be nice to be able to use HEAD requests for health monitoring instead of full GET

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. 17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    15. Is it possible to disable http 1.0 protocol in Azure App Gateway?

      If the request is sent as HTTP 1.0 with a blank host header, the server may respond with its own internal IP (10.x.x.x) in the Location Header. This results in the internal IP address of the Real Server being exposed.

      E.g.
      Location: https://10.19.xx.***/

      17 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    16. Add Support for Secondary DNS

      Given events of late concerning DNS outages and DDoS attacks, it would be advantageous if we could configure custom NS records in Azure DNS to use Secondary DNS.

      At the same time, support for AXFR records should be added to allow outbound zone transfers to be configured so that the Secondary DNS zone can be kept in sync automatically.

      This would then allow us to point to a Secondary DNS service like BuddyNS or DNSMadyEasy.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    17. Introduce alert mechanism in network watcher?

      It would be great if you can introduce an alert mechanism with all the monitoring it does. For exmaple : similar to what we have for Azure VMs, when the cpu utilization goes down we can configure an alert for the based on the threshold.

      Network watcher monitors many many things it should have the capability to generate alerts based on it's monitoring capabilities.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    18. Gray out existing connections so they can't be connected with ExpressRoute.

      Gray out existing connections so they can't be connected with ExpressRoute again and cause an outage.

      Failed to create connection 'ExpressRoute-EUS'. Error: The ExpressRoute connection for Nrp Resource Uri: https://eastus.network.azure.com/subscriptions/GUID/resourceGroups/expressroute-rg/providers/Microsoft.Network/connections/ExpressRoute-EUS2 already exists with a different Nrp Resource Uri:https://eastus.network.azure.com/subscriptions/GUID/resourceGroups/expressroute-rg/providers/Microsoft.Network/connections/US-East2

      "Do not allow redundant ER connection deployments to start. There is currently an error message but no block to starting a redundant connection deployment. This operation causes the circuit to lose connectivity."

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  0 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    19. Support DNS URI records

      Hello,

      I would like to get support for URI DNS Resource Record. It would allow Azure DNS to host DNS zones using new features, e.g. autodiscovery for Kerberos KDC Proxy Protocol (aka MS-KKDCP).

      For example this use-case enables configuration-less Kerberos clients, which is a big win for certain types of deployments.

      Example of use can be found in RFC draft
      https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery

      Thank you!

      URI record RFC: https://tools.ietf.org/html/rfc7553
      Petr Spacek

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    20. IPFIX/NetFlow export for traffic visibility

      Give ability for Express Route traffic to be visualized by a IPFIX/Netflow tool. i.e. Solarwinds NetFlow, LiveAction LiveNX etc.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  1 comment  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base