Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. STOP creating random Resource Groups!

      Honestly, what are we going to do with you MSFT when it comes to RBAC?

      When MSFT puts services into Preview and often months or years after they are so-called GA they still fail to recognize that they are violating Governance, RBAC, rules allowing Azure Services to randomly create Resource Groups in any given Azure Subscription.

      The two biggest violators of this right now are Databricks and Network Watcher.

      In most cases our clients should be refusing to use these services until they are capable of adhering to Governance and Security rules being enforced by InfoSec and others.

      Resource Groups are sacred beasts…

      11 votes
      0 comments  ·  Network Watcher

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

    2. Allow NVAs etc... to establish BGP session directly with VNETs

      To make HA scenarios a lot simpler with NVAs that support BGP (which most of them do nowadays) each VNET should allow you to establish a BGP session directly with it so you can advertise and learn routes dynamically straight to the VNET.

      This would help so many HA scenarios and also make ensuring that traffic flows are symmetric a lot simpler by using BGP local preference, AS Path and Weight attributes.

      Perhaps this could be enabled via a VNET service endpoint on your VNET as required?

      11 votes
      triaged  ·  0 comments  ·  Virtual Network
    3. Static IP for VPN Client over Azure P2S Solution

      Concurrently, we can allocate Static Private Address space for all VPN Clients (using SSL VPN) via our On-Premise network.

      Since Azure offers the P2S solution for VPN Client access, there is no configuration where we can do the same as with the On-Premise network.

      Though it would be very efficient if P2S could be further modified to allow us more control over IP allocation, as we can do via the On-Premise VPN Client. We hope that this solution can be looked into by your Product Team.

      11 votes
      triaged  ·  3 comments  ·  VPN Gateway
    4. Tag Front Door

      Allow tagging an existing Front Door. Currently it is possible to tag a Front Door only during creation.

      10 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    5. Set headers detailing TLS handshake

      Additional x-azure-{x} headers which provide details about the TLS handshake between the client and front door, such as the selected cipher, TLS version and key length. This will help provide operational insight about the client base.

      10 votes
      0 comments  ·  Azure Front Door Service

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    6. Static public outbound IP for Application Gateway v1

      We use Application Gateway v1 because it has the possibility to assign a static private frontend IP.
      Now we would love to see the possibility to assign a static public IP for outbound traffic.

      10 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    7. Fully private App Gateway v2

      From: https://docs.microsoft.com/en-us/azure/application-gateway/migrate-v1-v2

      "v2 gateways currently don't support only private IP addresses."

      We need to be able to create fully private App Gateway V2, without public IP.

      At the moment V2 Gateways will be public facing so we need to stick with V1. We cannot rely on NSG/Firewall to restrict traffic: we need to be able to provision a private load balancer.

      10 votes
      triaged  ·  0 comments
    8. DNSSEC support on Azure DNS servers

      DNSSEC support on Azure DNS servers

      10 votes
      triaged  ·  0 comments  ·  DNS
    9. Add what network rule is matched in logging

      The Network rule log does not include the matching rule name like it does for the Application rule log. In the Application rule log it reads "Action: Allow. Rule Collection: collection1000. Rule: rule1002" in the message, but Network rules end at "Action: Allow". It makes it hard to troubleshoot firewalls and know what rule is causing the issue. It also makes it hard to introduce the firewall into an existing environment where you have to start with an allow all rule because you do not know what rules are getting matched.

      10 votes
      triaged  ·  0 comments  ·  Azure Firewall
    10. Support to disable health check of Front Door

      The health check of Front Door is too frequent, which leads to some negative impact. For example:
      1. More user pages, consume a lot of computing resources.
      2. If we use Azure DNS zone, DNS queries will incur extra charges.

      Sometimes we only have one backend VM as the backend pool, for which a health check is not required.

      It is highly suggested to have a feature so that users can disable the health check manually in case it's not needed.

      Thanks!

      10 votes
      triaged  ·  0 comments  ·  Azure Front Door Service
    11. Allow background images for Azure Bastion.

      Having a number of different servers to manage, we normally use bginfo to let the desktop background help us identify what server, which user and the current state of the server. Bastion does not at the present time show background images - adding this feature would be extremely helpful.

      Another useful feature would be to add the servername to the browser tab, instead of having some really unuseful naming of the tab.

      9 votes
      triaged  ·  1 comment  ·  Bastion
    12. "Azure Managed" SSL certificates for Application gateway for SSL offloading

      Please add the ability to use an Azure managed certificate for the application gateway for the use of SSL offloading. This feature would be nice so that we would not have to manage the certificate and it would auto update instead of us having to keep the certificate up to date.

      9 votes
      triaged  ·  0 comments  ·  Application Gateway
    13. Forward Request's Original Host

      This is useful when backend services need a way to recognize the client's requested domain (i.e. multitenant SaaS based on custom domains).

      X-Forwarded-Host or other custom header where we can get the original domain's name.

      Thanks!
      Luis

      9 votes
      triaged  ·  2 comments  ·  Application Gateway
    14. User Defined Route Redundancy.

      For better redundancy or IaaS services it would be useful in a hub/spoke model (hubs are meshed with all spokes) environment to have the possibility to create a user defined route that allows us to send network traffic to two different endpoints based on a priority/weight/healthcheck scenario(s) to compensate for certain service failures in the hub environment which would otherwise impact the SLA of spokes. Now it needs custom solutions to achieve this.

      9 votes
      triaged  ·  0 comments
    15. Disable SNI TLS extension check on Azure Firewall

      We are getting a lot of "Action: Deny. Reason: SNI TLS extension was missing" in the Azure Firewall log, which causes application failure if the client application doesn't support SNI at the time of the client hello. Can we add a feature to support disabling the SNI check on the Firewall manually?

      9 votes
      triaged  ·  0 comments  ·  Azure Firewall
    16. Allow setting intermediate certificates for SSL

      Application Gateway does not support setting an intermediate certificate. Some CAs provide leaf certificates that do not include all certificates in the certification path. When AG does not have the intermediate certificate, we need to manually create a certificate with the intermediate one.

      8 votes
      0 comments  ·  Application Gateway

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    17. Add other network security group as source while creating rule for NSG

      In AWS there is a feature where, while creating a security group, you can give another security group as a source so that it will allow traffic from the source security group.
      I am looking for the same feature in Azure. In Azure we have only 3 options for source: the first is IP or CIDR based, the second is based on Azure service tag, and the third is application security group.

      Let’s take an example: if I created security group A and after that am creating security group B, I need an option to select security group A as a source so that all my traffic…

      8 votes
      1 comment  ·  Network Security Groups

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    18. Differentiate IP ranges per service

      At the moment, if we want to restrict access to Azure services we need to whitelist the entire Region. PCI certification requirements also require limiting outgoing access to specific IP addresses, to avoid the possibility that an attacker will be able to exfiltrate data from an attacked machine.
      With the current scenario (whitelisting the entire region) an attacker can put an FTP or HTTP upload server in the same Azure region and successfully upload data there. If ranges were specific to services (e.g. Sql Azure, Key Vault, etc.) then such exfiltration wouldn't be possible as we could restrict access to the services which…

      8 votes
      triaged  ·  2 comments  ·  IP addresses
    19. Allow moving a Standard SKU Load balancer between Resource Groups like possible with the basic one

      Allow moving a Standard SKU Load Balancer between Resource Groups, as is possible with the Basic one.
      While an in-place upgrade from Basic to Standard is not an option, this might help with the manual upgrade or even general maintenance of the service.

      7 votes
      triaged  ·  0 comments  ·  Load Balancer
    20. Simplify Network Peering across Tenants

      When you need to peer networks across tenants, you need to create a user in each tenant, and then add them as guests to the other tenants. You also need to ensure that the guest users have the appropriate access. This doesn't meet the need-to-know and least-privilege requirements, especially if you don't fully trust the other party. This also makes it incredibly difficult to automate due to the dependency on user accounts.

      Simplify the peering process by allowing both parties to share keys and network ids in order to peer. Allow service principals to create the peers and only connect…

      7 votes
      2 comments  ·  Virtual Network

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature
