Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Allow Mutual SSL Auth on Application Gateway

      At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into…

      761 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      43 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit

      When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.

      Request body no files data length is larger than the configured limit (131072).. Deny with code (413)

      Can you make these two settings configurable on the WAF?

      SecRequestBodyLimit
      SecRequestBodyNoFilesLimit

      Thanks
      Mark

      289 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      14 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location

      Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).

      This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.

      256 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      14 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    4. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

      207 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    5. HA Ports for Standard load balancers with Public IP

      Current review of HA ports only supports Internal LB without any public IP attached. The majority of NVA deployments are with Public IP attached to the LB.

      183 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Load Balancing  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.

      Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.

      161 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    7. Ability to create source/destination objects containing multiple IP addresses/ranges

      When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

      159 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    8. Support IPv6 in Application Gateway front-end public IP

      Support IPv6 in Application Gateway front-end public IP

      143 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    9. Support wildcard hosts in custom hostnames

      Many of current SaaS applications enable customers to select it`s own subdomain in order do have a personalized url.

      So let's say I own contoso.com and I let my customers select any subdomain (*.contoso.com) like:

      foo.contoso.com
      bar.contoso.com

      That's cool with a couple customers but when you have a large system it's not doable setup one by one, even that you can automate that.

      The ideal solution would be allowing custom hostname field to bind a wildcard domain, in this example *.contoso.com

      There's a similar idea for Application Gateway that has been for a while (https://feedback.azure.com/forums/217313-networking/suggestions/19527121-application-gateway-support-wildcard-hosts-in-lis)

      Similar products on…

      138 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    10. IPSec tunnel over ExpressRoute

      We require confidentiality and integrity of our network links into Azure, and want to use ExpressRoute. Currently the Azure gateway ExpressRoute SKU does not support IPSec.

      Can you please add IPSec support to ExpressRoute, or to the Azure gateway Expressroute SKU.

      130 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  11 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    11. Allow multiple reserved IP addresses be assigned to a single VM

      Currently you can only have one reserved (static) public IP for a given Azure VM. This limits any case where you would want to run multiple SSL enabled sites/applications on the standard 443 port.

      I understand there is support for SNI SSL with host headers but not all applications and devices support this feature. Current competition in you market allow up to 5 IPs. A limit I believe is still arbitrarily low given the power of your larger VM instances available.

      122 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    12. 120 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    13. Custom error pages in Azure Front Door

      As for Application Gateway, we need to be able to customize the error page displayed when the access to an url is refused by an ip restriction rule.

      See : https://feedback.azure.com/forums/217313-networking/suggestions/18749326-application-gateway-custom-error-pages

      109 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    14. Traffic Manager Logging & Alerts

      Traffic Manager needs to keep track of past endpoint health failures.
      In addition to this it should be possible to configure alerts about changes to endpoint health.

      107 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  6 comments  ·  Domain Name Service (DNS, Traffic Manager)  ·  Flag idea as inappropriate…  ·  Admin →
    15. Enable NSG Flow Logs for secured Storage Accounts

      At the moment, it's apparently not possible to use NSG Flow Logs with secured Storage Accounts, even if the exception "Allow trusted Microsoft services to access this storage account" is enabled on the Storage Account.

      It would be really helpful if you could add the Network Watcher this list of trusted Microsoft servies, so we can use secured Storage Accounts to store our NSG Flow Logs on.

      92 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    16. Application Gateway WAF: update to OWASP CRS 3.0.2

      The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.

      2 examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).

      OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).

      91 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    17. multiple network security groups per NIC

      Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)

      90 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    18. Multiple Network Security Groups per subnet

      Provide ability to associate multiple Network Security Groups with a single subnet. Right now there is limitation to associate only one NSG per subnet.

      This limits reusability of NSGs which are created at subscription level. We have come across use-cases where multiple subnets have common rules and few subnet-specific rules.

      It will be help a lot in terms of rules management and reusability if it is possible to segregate common rules across subnets in an NSG which can them be applied on a subnet with additional NSGs for subnet specific rules.

      89 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add more configurability to Traffic Manager monitoring endpoint

      I would like for the monitoring endpoint configuration to support two new options:

      1) How many consecutive times TrafficMgr does not get an http 200 from the endpoint before it deems it down. I have a scenario where I want it to be deemed down immediately after one failure for a quicker failover.
      2) How many consecutive times TrafficMgr receives an http 200 after it has deemed it down before it will deem it up again. I have seen a scenario where table storage (or SQL Azure) is inconsistent (fails one query then succeeds the next, back and forth) and…

      79 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Domain Name Service (DNS, Traffic Manager)  ·  Flag idea as inappropriate…  ·  Admin →
    20. Improve VPN gateways performances and limits

      Using VPN to connect sites to Azure is great. But we are rapidly hitting the gateways limits:
      - One gateway per VNet
      - A max of 30 Tunnels per gateway (10 and 20 for standard)
      - A max of 200 Mb/s per gateway (shared by all VPNs)

      Today, not all regions and customers can afford 'ExpressRoute' to get more bandwidth and scalability. So why this 'very limited' options.

      77 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    ← Previous 1 3 4
    • Don't see your idea?

    Feedback and Knowledge Base