Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Send FIN after probe confirms healthy
The current behaviour of the four way handshake of the health probe is to not send the FIN until the next probe is due.
The FIN should be sent as soon as the health has been confirmed.
For example:
We've got an Azure Load Balancer running over a RabbitMQ cluster with a health probe set to check port 5672 every 60 seconds.A packet capture shows the following:
- Load balancer SYN
- RabbitMQ ACK
- Load Balancer ACK
- 10 seconds later RabbitMQ RST
- Another 50 seconds later Load Balancer FIN
Azure load balancer documentation declares that it does a four way handshake…
3 votesThank you for the feedback. We don’t have any near term plans to change probe behavior.
A possible workaround may be to use an HTTP endpoint and configure an HTTP probe or increase the RabbitMQ timeout.
Or you can instead substitute Azure Service Bus which also support AMQP.
— Christian -
Allow Internet traffic via VPN Gateway
Allow communication to the internet to devices connected to Azure via VPN.
Add ability to add routes to non connected LAN segments on the Azure VPN endpoint, and support non TCP/UDP traffic for VM’s (such as enabling IPSEC traffic )
2 votesWe will not be dedicating resources to this feature at this time. It is in our backlog.
Thanks,
Bridget [MSFT] -
Allow the load balancer to support Azure databases as a backend pool
It would be great if, in addition to Availability Sets and VMs, the various databases from Azure (MySQL, and PostgreSQL) could be part of a back end pool.
2 votesAzure Load Balancer can only distribute flows to VM instances, not other PaaS services.
-
Need drivers for Accelerated Networking for Linux on older OS kernels
Currently, anyone using Linux OS kernels released prior to January 2018 cannot use Azure Accelerated Networking for Linux. Users who are still reliant on older OS kernels should not have to upgrade. Accelerated Networking drivers for legacy OS kernels should be available.
2 votes -
Migrate CNAMEs
If I want to change an A record, which is being referenced by several CNAME records... I'd ideally like to just click a "Migrate to new A record" button... which would either let me pick an existing A record, or enter the name of a new A record... and then update all CNAMEs (within the zone) to use the target record.
2 votesThis feels like a very specialized scenario. I don’t think we can justify supporting this in the Azure Portal.
Please note that it should be possible for you to implement this in a script, building on the Azure PowerShell cmdlets or cross-platform Azure CLI.
-
Add & Support Multicast in VNET
We have a need for VNET to support Multicast for various applications (IaaS)
2 votes -
IN ACS Context We Need LBs Doing SSL Offload
In the context of Azure Container Services (Kubernetes in my case), it is a problem having Azure LBs with zero SSL Offloading. It's fine that SSL Offloading is offered with Application Gateways, but when ACS provisions a Kubernetes cluster with Azure LBs you have no ability out of the box to offload SSL for hosting web applications. It's great that Azure Kubernetes has a plugin to automate exposing pods via the Azure Load Balancer, but we need to have a way to do SSL load balancing that doesn't involve routing through nginx containers.
1 vote -
cannot delete vpn and there is no free support for bugs
I created a site to site vpn in the old portal as a test. I want to make a new one in the new portal, but cannot delete the old one. I tried everything.
1 voteHi,
Please open a Support Request if you still cannot delete the VPN gateway. In general, the currently portal is not 100% compatible with the features/resources created using the previous/old portal. Once you open a support request, if it’s a bug, it will get to the product team for the actual bug fix.
Thanks,
Yushun [MSFT] -
allow a different dns name from the service name (like in the old Portal)
For different situations, at times, you may want a different DNS name for your service than the service name. In the old Portal you could do this. The new one automatically makes them the same. Requests this feature be added back.
1 voteThe behaviour hasn’t changed—the DNS name and service name have always been the same
-
After I configured a Point-to-Site connection to a VNet using native Azure certificate authentication. I can't ping from Client to Azure VM.
After I configured a Point-to-Site connection to a VNet using native Azure certificate authentication. I can't ping from Client to Azure VM.
Help me!1 voteIn order to provide assistance, we need additional information. Please open a support ticket through the Azure Support Portal.
Regards,
Ali Zaman -
how can access to Guest VM of the Hyper-V on Azure from other Azure VM? (Nested Enabled VM(M Series))
i'm working with M Series VMs. first of all when you install Guest VM in External Virtual Network Switch, the VM can not take any ip address. you sould apply some settings on network interface of the Azure VM.
now, it work. Guest VM can connect to Internet through Azure VM. but other Azure VMs cannot acces to Guest Machine. i tryed route table, NSG, static route but it does not work.1 voteThank you for your question. Please post troubleshooting questions on the MSDN forum and someone will assist shortly. Uservoice is a platform for feature suggestions.
-
Optionally allow virtual servers a direct connection to the Internet, NAT is too limiting
Forcing NAT for every VM makes it much more difficult to build Highly Available systems using Azure.
IPSec is the most common way to secure communications across the Internet and is often used in IaaS when setting up highly available services.
For example, if I want to replicate MongoDB from US EAST to US WEST, using IPSec between the two VMs is the easiest way to accomplish that.
But Azure forces NAT for every VM making it impossible to use IPSec.
1 voteThanks for the feedback.
Although we will be working on providing a dedicated NAT IP address for a virtual machine we will not be routing the traffic directly to the VM, it will still go through Azure’s NAT device.
For high availability, Azure offers free load balancing on a cloud service. You can put 1 or more instances behind a public IP and can take advantage of the load balancing Azure provides to customers as a basic service.
I will be interested to know if that does not solve a particular scenario.
Thanks!
-
ExpressRoute between Azure datacenters without any connection to on premises
There is now ExpressRoute Premium Add-on which allows to bind VNETs in several datacenters to same ExpressRoute. This basically allows to handle routing between various azure VNETs via BGP. There is no need to connect various Azure VNETs via IPSEC VPNs then. We want this ExpressRoute networking/routing for our Azure VNETs but without creating leased line to Azure from on premises because we moved whole system to cloud and don't need dedicated connection to Azure at all.
So basically we want ExpressRoute Premium Add-on without ExpressRoute and manage our networking via virtual router appliance inside Azure completely separated from on…
1 voteHi!
You can have the same experience using vnet to vnet connectivity across regions. you can choose to use null encryption to enhance throughput and manage security in the application layer.Thanks,
-
Bug in Application Gateway - Cert password
I could not provision a listener on Application Gateway using a SSL Certificate where the password for the .pfx file was this string:
gzsh4~?w_"!a\3"'z9TU
I tried this via 3 different mechanisms:
Portal
Powershell scripting
Resource ManagerAll failed to provision the Ssl Certificate.
After regenerating the .pfx with a different password, everything was ok.
Guessing that the problem is one or more of these characters not being escaped correctly:
'
"
\Regards,
Ben.1 voteWe will work on this as part of a bug fix. Not a feature request.
-
1 vote
Thank you for the suggestion. This was done deliberately to correctly reflect the inbound rule and the matching outbound programming.
We are planning additional functionality in the outbound connections area. Stay tuned.
-
enable secondary private ip access internet
programs using second ip cannot access internet
please allow second ip have same nat rule like primary ip1 voteWe will not be adding this functionality for secondary private IPs. To have internet connectivity, we reccomend adding a public IP address or using a Load balancer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-powershell#add
-
Allow to Reserve VPN
Allow the Azure Admin to reserve IP address for specific clients so when they connect to the VPN via a Point-to-Site configuration, the client receive the same IP Address all the time.
1 voteHello,
Thank you for your feedback. In the future we want to move towards user- or identity-based policy instead of IP-based policy, so this feature ask does not fit with our long-term goals.
Thanks,
Bridget [MSFT] -
Load balanced set form not displaying
The Load balanced set creation form or details view doesn't display correctly. Instead, some sort of crying cloud icon is displayed. When clicking on the icon, it "flashes" the correct form but the crying cloud comes back.
1 votethank you for reporting this. please reach out to support if it happens again.
-
have a case where issue is with cookie based session affinity
Appreciate any help on this. Have a case, where issue is with cookie based session affinity on the APP GATEWAY, its on linux Centos i dont think it matters, So here's the thing:
I see 3 cookies (PFA trace) App gateway affinity, persistence cookie and session cookie)
APPLICTATIONGATEWAYAFFINITY cookie changes (bounces between 2 as 2 backend servers at times), so we would like to know when and why this cookie is changing (factors influencing this change).
And one most important thing i want to know is, if session cookie changes, will the cookie based session affinity be lost, even…
1 voteNeeds support ticket. Please open a support ticket to debug why the cookie is bouncing.
-
Accept request only from specific sourceIP address
It would be nice to enable a feature that requests are only allowed from a specific sourceIP address. That makes it easier for companys to manage a more advanced security. In my opinion there are many companys that want to secure a listener with sourceIP-restriction.
1 votePlease take a look at using Network Security Groups (NSG) for this purpose, which can be applied to a VM or subnet.
- Don't see your idea?