Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics. The Diagnostic log entry for Azure Firewall likes below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purpose on customer side, We want to have the rule collection name can be recorded as well, so that we know the traffic hits which rule.

      "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    2. "Azure Managed" SSL certificates for Application gateway for SSL offloading

      Please add the ability to use a Azure managed certificate for the application gateway for the use of SSL offloading. This feature would be nice so that we would not have to manage the certificate and it would auto update instead of us having to keep the certificate up to date.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Allow the creation of null MX records for domains that accept no mail

      As per RFC7505, allow the creation of a NULL MX record by entering a single period '.' for the MX Record's Mail Exchange field.

      Currently, attempting to create one raises the following error: "Each label must contain at least one character. You may not input consecutive period '.' characters"

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    4. Forward Request's Original Host

      This is useful when backend services need a way to recognize the client's requested domain (i.e. multitenant saas based on custom domains).

      X-Forwarded-Host or other custom header where we can get the original domain's name.

      Thanks!
      Luis

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    5. User Defined Route Redundancy.

      For better redundancy or IaaS services it would be usefull in a hub/spoke model (hubs are meshed with all spokes) environment to have the possibility to create a user defined route that allows us to send network traffic to two different endpoints based on a priority/weight/healthcheck scenario(s) to compensate for certain service failures in the hub enviroment which would other wise impact the SLA of spokes. Now it needs custom solutions to achieve this.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Flag idea as inappropriate…  ·  Admin →
    6. access key vault in another subscription

      Currently As per the below doc, we can't access the KeyVault in another subscription.

      https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate


      • My certificate + Keyvault is in another subscription. Hence while creating/updating CDN endpoints, I can't select the certificate/KeyVault that is in another subsId.

      • Can you please enable this request, so that we can access the Keyvault in another subscription.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    7. Allow setting intermediate certificates for SSL

      Application Gateway does not support setting intermediate certificate. Some CA provide leaf certificates that do not include all certificates in the certification path. When AG does not has the intermediate certificate, we need to manually create a certificate with the intermediate one.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    8. Add other network security group as source while creating rule for nsg

      Like in aws we have feature while creating security group you can give other security group as a source so that it will allow traffic from source security group.
      I am looking for same feature in azure...in Azure we have 3 option for only for source ..1st one is IP or CIDR based..2nd is based on azure service tag..3rd is application security group.

      Let’s take an example if I created one security group A and after that doing creation for security group B so I need option to select security group A as a source so that my all traffic…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    9. difrentiate IP ranges per service

      At the moment if we want to restrict access to Azure services we need to whitelist entire Region. PCI certification requirements require to limit also outgoing access to the specific IP addreses to avoid possibility that attacker will be able to exfiltrate data from attacked machine.
      With current scenario (whitelisting entire region) attacker can put FTP or HTTP upload server in the same region of the Azure and successfully upload data there. If ranges would be specific for services (e.g. Sql Azure, Key Vault, etc) then such exfiltration wouldn't be possible as we could restrict access to the services which…

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    10. Allow moving a Standard SKU Load balancer between Resource Groups like possible with the basic one

      Allow moving a Standard SKU Load balancer between Resource Groups like possible with the basic one.
      while in place upgrade from basic to standard is not an option, this might help with the manual upgrade or even general maintenance of the service.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    11. Simplify Network Peering across Tenants

      When you need to peer networks across tenants, you need to create a user in each tenant, and then add them as guests to the other tenants. You also need to ensure that the guest users have the appropriate access. This doesn't meet the need-to-know and least-privilege requirements, especially if you don't fully trust the other party. This also makes it incredibly difficult to automate due to the dependency on user accounts.

      Simplify the peering process by allowing both parties to share keys and network ids in order to peer. Allow service principals to create the peers and only connect…

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    12. Azure WAF v2 is not recognized by Azure Security Center as security solution and it has not mentioned anywhere.

      Azure WAF v2 is not recognized by Azure Security Center as a security solution and it has not mentioned anywhere. The details that are provided is not enough to understand that it is not being recognized as below.

      Partner solution name: Application Gateway

      Type: Saas-based Web Application Firewall
      Integration mode: Semi-automatically provisioned
      Status : Not reported

      Status has never been reported to Azure Security Center. Usually this means that this security solution isn't configured yet. It is recommended you login to the security solution management console to finalize the initial configuration

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Mutual SSL

      We ran into a limitation of the App GW today when the scenario required mutual SSL auth between the client IoT device and the backend server. Our Application Gateway always acts as a proxy to terminate incoming traffic and create new connections to our backend pools (SSL end to end).

      My team is looking for a way for the Application Gateway to include part of the client certificate in a header. Something that would be a unique to the client reaching out so that the backend could authenticate as needed.

      Please support this feature functionality!

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. enable Bastion users to select either RDP or SSH for connecting to Linux VM

      Currently the Bastion service only lets you connect to a Linux VM using SSH. It would be nice if one could use Bastion to connect using RDP protocol as well, assuming xRDP was enabled and the port was opened to the Linux VM.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Bastion  ·  Flag idea as inappropriate…  ·  Admin →
    15. Guaranteed time to roll out a custom SSL certificate when creating/updating FrontDoor endpoints

      When creating or updating a FrontDoor endpoint with a new URL it would be useful to have a expected time when all locations globally will serve with the correct certificate. I have been advised by Azure Support now that a normal turnaround time for our scenario (certificate provided by us, stored in Keyvault) should be 6-8 hours, but have just had an instance where it has taken over 24.

      Given we will be regularly adding new URLs and will need to advise clients when they should be able to correctly access the addresses a) it would be useful to be…

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    16. Application Gateway

      The notification for all the processes is generic. For example - if you are updating a listener or you are updating a Backend HTTP Pool, the notification is generic, and it is not possible to distinguish as to which process is taking how much time, or which process is currently in progress.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. FQDN like this 'gr-Prod-*.cloudapp.net' can not be set

      Even though this rule is mentioned in the docs here - https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration#fqdn-httphttps-dependencies, it's not possible to create because the portal says gr-Prod-*.cloudapp.net invalid FQDN.

      I know that ASE rules should be handled by Service Tags, but not in my case.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    18. Allow Bastion service connect to Linux VMs over 3389 RDP

      From Azure portal allow Bastion service to connect to Linux VMs over 3389 RDP session as well if xrdp11 or other RDP services are installed and running on Linux VM.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Bastion  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    19. Azure DNS Logs

      Need to access DNS Request Logs on "Azure DNS" service. Actually, we can't search on any logs if we get a DDOS attack on our zone. So, we can receive a big invoice because of huge query number without to know who is requesting our DNS zone.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    20. Allow creating multiple TXT records at the root of the domain

      I have customers that have multiple TXT records at the root of their domain with their current DNS provider. This is not possible in Azure. Hence we cannot move their DNS to Azure. Please make this possible.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base