I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.
742 votes
We are currently working on onboarding this Service Tag. Please stay tuned and check the Service Tag documentation for updates
Allow the HTTPS-only configuration to respond with 'redirect to HTTPS' when an HTTP request is received. This will be very useful for the new static website storage accounts, especially when the wider premium 3rd party CDN is not needed.
588 votes
This is in progress for Azure CDN from Microsoft.
-Max G [MSFT]
Application gateway has a very low listener limit (20 listeners / certificates). This severely limits its usefulness for multi-tenant/domain applications where a web farm / service hosts many endpoints. IIS itself has no such small limit, but due to constraints on certificate deployment in cloud services, Application Gateway is the only clear path to wide-scale SNI-based SSL hosting. With its low limit, it does not come close to meeting our use case. I would suggest the limit be removed or set to a very high limit like 10k+ so many certificates could be bound to host many different domains.
441 votes
We have raised the limit to 100 recently. We are regularly reviewing the limits and will continue to look for opportunities to raise the limits even further. Stay tuned :)
Azure Application Gateway is a nice service for load balancing Layer 7 HTTP and HTTPS traffic. Today, we can only attribute one IP address (public or private) to the Application Gateway deployment. It is fundamental that a load balancer can support multiple IP addresses to provide flexibility (based on many customers' feedback).
408 votes
Support for both public and private IP at the same time is available on both V1 and V2 SKU. Customers can host multiple sites behind the same IP and port using multi-site listener today.
Support for allowing same port on both public and private IP is in the roadmap.
We would like a virtual span port or port-mirroring ability.
384 votes
The ask is pretty self-explanatory.
We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.
Today, the VPN client only requires having the cert to gain access to the Azure network. As the cert can easily end up in the hands of someone who shouldn't have access to it, it's not very secure.
For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.
318 votes
We are working on giving more control over authentication within Point-to-Site connectivity to Azure.
Instead of only requiring a certificate for authentication in Azure VPN Point-to-Site solutions, it would be nice if the Azure networking team would consider adding support for a username (UPN) and password that is authenticated against either Azure AD or ADFS.
302 votes
We are working on adding native AAD support, stay tuned for release dates.
It would be good, when we create a Route/UDR, to have the possibility to select a service tag or an Azure region IP range in "Next Hop Type".
288 votes
We’re currently working on implementing this feature!
Requesting that Front Door support the OWASP secure headers (https://www.owasp.org/index.php/OWASPSecureHeaders_Project#tab=Headers).
Currently, our POC website using Azure Front Door fails many OWASP header tests, especially when Front Door claims to protect against a few OWASP attacks.
I'd appreciate these being on the Front Door roadmap in the very near future.
OWASP HTTP Secure Headers
HTTP Strict Transport Security (HSTS)
Public Key Pinning Extension for HTTP (HPKP)
Currently there is no way to view usage statistics of the Azure application gateway. Information I would like to see:
- Per-hour performance statistics (e.g. number of connections, bandwidth, CPU usage, etc.)
- Advice on number of required instances based on metrics from last few days with recommendations to increase or decrease the number of instances
Thank you for all the votes and feedback. We have started work on this and the capability will be supported soon. If you would like to get in touch with us to discuss your scenarios, please fill this form: https://aka.ms/ApplicationGatewayCohort
We have requirements from customers to restrict access via their company subnets. It would be very nice if the App Gateway supported not only the SSL offload but the ability to apply ACLs to allow or deny access via a defined network range using X-FORWARDED-FOR headers.
130 votes
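An added example (not part of the feedback post, and not Application Gateway's own ACL logic) of what such an X-Forwarded-For ACL has to get right. The leftmost value in X-Forwarded-For is written by whoever opened the connection, so an ACL that reads it directly can be bypassed by a client that sends its own header. The check below walks the chain from the right, skipping hops that belong to the gateway's own trusted proxy ranges, and takes the first untrusted address as the client. The allowed company ranges and the trusted proxy range are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample policy: company subnets that may reach the site (assumption).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]
# Constructed sample: address range of the proxies we trust to append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr: ipaddress._BaseAddress, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True when addr falls inside any of the given networks (version mismatch is a non-match)."""
    return any(addr.version == net.version and addr in net for net in nets)


def client_ip_from_xff(xff_header: Optional[str], remote_addr: str,
                       trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> Optional[str]:
    """Return the real client address, or None when it cannot be established.

    The TCP peer (remote_addr) is the most trustworthy hop; each X-Forwarded-For entry is
    trusted only if the hop to its right was a trusted proxy. The first untrusted hop,
    scanning right to left, is the client. Malformed hops fail closed.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidates = [remote_addr] + list(reversed(hops))
    for hop in candidates:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # unparsable hop: do not guess, deny
        if not _in_any(addr, trusted):
            return str(addr)
    return None  # every hop was a trusted proxy; no client address recoverable


def acl_decision(xff_header: Optional[str], remote_addr: str) -> str:
    """'allow' if the established client address is inside an allowed company subnet, else 'deny'."""
    client = client_ip_from_xff(xff_header, remote_addr)
    if client is None:
        return "deny"
    return "allow" if _in_any(ipaddress.ip_address(client), ALLOWED_NETWORKS) else "deny"


if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For value, TCP peer address)
    samples = [
        ("203.0.113.45, 10.1.2.3", "10.0.0.5"),      # genuine company client behind two trusted hops
        ("203.0.113.45, 198.51.100.7", "10.0.0.5"),  # spoofed leftmost value; real client is 198.51.100.7
        (None, "198.51.100.7"),                       # direct connection from outside the company
        ("not-an-ip", "10.0.0.5"),                    # malformed header
    ]
    for xff, peer in samples:
        print(f"XFF={xff!r:32} peer={peer:14} -> {acl_decision(xff, peer)}")
```

The design choice that matters is the direction of the scan: trusting the leftmost entry turns the ACL into a client-controlled check, while walking from the TCP peer inward only accepts values that a trusted proxy could have appended.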
The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But I noted that for a full topology, ALL resources need to be in the same Resource Group as the VNET chosen. That doesn't make sense, because it is pretty common to have VMs and NICs in different RGs. It would be great if you could choose a RG and a VNET as a starting point, and the Topology feature gathered all other interconnected resources independently of their RGs.
123 votes
We are working on improving the capabilities of the Network Watcher Topology. This includes visualising resources across Resources Groups as well as across subscriptions, filters, handling large resource counts well and more.
Customers can expect access by Jan 2021 latest.
For preview access, sign up here: https://aka.ms/ARTaccess
I want to be alerted, when my metered ExpressRoute is reaching a certain limit (that it is cheaper for me to go with unlimited model).
Overall no monitoring supported to verify if peering is up, how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
The ExpressRoute is critical and therefore its state needs to be monitored.
86 votes
IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
Some users and cloud deployments only require connectivity with on premises networks (either IPv4 or IPv6, not both).
Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
● Giving each cloud service a /60 (or bigger) instead of a /64;
● Making IPv6 addresses static, since pool depletion is no longer an issue.
84 votes
Currently Application Gateway does not store certificates in Azure Key Vault. We believe that Application Gateway should have the capability to do that. This will give customers more control over their certificates than saving them in Microsoft's encrypted storage.
65 votes
This capability will soon be supported and will be announced.
API is needed to add new rules (e.g. Country Filtering, Token Auth, etc.) for newly added content.
Use case: a user adds new video content in the CMS, where they are able to block this video in some regions.
60 votes
Work has started on both moving capabilities that are only available in the CDN Supplemental Portal (e.g. rules engine) into the Azure Portal and also providing API’s to support all of these features. This work will be done in multiple phases over the next several months.
It would be nice if we could purchase elastic IPv6 blocks of IPs; then, when setting up an endpoint for a VM, we could select the specific IP from the block for the endpoint.
60 votes
We have Public IP Prefix – you can reserve a block of IPv4 addresses.
- Anavi N [MSFT]
Add the ability to add additional IP protocols (i.e. ICMP, EIGRP, and so forth) to an NSG rule. The only options today are TCP, UDP, or "*". Currently, to allow ICMP you have to allow any protocol "*" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet the security controls for isolation required in NIST SP 800-53.
49 votes
We have started to work on ICMP support for NSGs.
- Anavi N [MSFT]
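An added example, written for this page and not Azure's own NSG engine, that models how NSG rules are evaluated so the two requests above can be checked side by side: the "Allow a service tag above my DenyAll rule" pattern from the first post on this page, and the difference between allowing ICMP with protocol "*" (which also opens TCP and UDP) and a protocol-specific ICMP rule. Rules are matched in ascending priority order and the first match decides, followed by the default outbound rules an NSG always carries. The "WindowsUpdate" tag name is the hypothetical one from the request, and every prefix in the tag table is a constructed documentation range, not Azure's published data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical service-tag table (constructed prefixes; real tag contents change over time).
SERVICE_TAGS = {
    "WindowsUpdate": ["203.0.113.0/24", "2001:db8:1::/48"],  # hypothetical tag from the request
    "VirtualNetwork": ["10.0.0.0/16"],
    "Internet": ["0.0.0.0/0", "::/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100..4096; a lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    dest_ports: str    # "443", "1000-2000" or "*"
    destination: str   # CIDR, service tag name, or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    dest_ip: str
    dest_port: Optional[int]  # None for ICMP, which has no ports


# Default outbound rules every NSG carries; a custom DenyAll at 4096 front-runs the Allow* ones.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "*", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


def _dest_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    prefixes = SERVICE_TAGS.get(spec, [spec])  # a tag expands to its prefixes, else spec is a CIDR
    return any(addr.version == (net := ipaddress.ip_network(p)).version and addr in net
               for p in prefixes)


def _port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "*":
        return True
    if port is None:
        return False  # a port-specific rule never matches a portless protocol
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule by ascending priority."""
    for r in sorted(rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if r.direction != flow.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
            continue
        if not _port_matches(r.dest_ports, flow.dest_port):
            continue
        if not _dest_matches(r.destination, flow.dest_ip):
            continue
        return r.access, r.name
    return "Deny", "implicit"


DENY_ALL = Rule("DenyAllOutbound", 4096, "Outbound", "Deny", "*", "*", "*")
# Pattern from the first post: tag allow at priority 100 sits above the custom DenyAll.
UPDATE_ALLOW_ON_TOP = [Rule("AllowWindowsUpdate", 100, "Outbound", "Allow", "Tcp", "443", "WindowsUpdate"), DENY_ALL]
# Today's workaround for ICMP (protocol "*") versus the requested protocol-specific rule.
ICMP_VIA_WILDCARD = [Rule("AllowIcmpViaAny", 200, "Outbound", "Allow", "*", "*", "VirtualNetwork"), DENY_ALL]
ICMP_SPECIFIC = [Rule("AllowIcmp", 200, "Outbound", "Allow", "Icmp", "*", "VirtualNetwork"), DENY_ALL]

if __name__ == "__main__":
    print(evaluate(UPDATE_ALLOW_ON_TOP, Flow("Outbound", "Tcp", "203.0.113.10", 443)))   # update endpoint
    print(evaluate(UPDATE_ALLOW_ON_TOP, Flow("Outbound", "Tcp", "198.51.100.1", 443)))   # anything else
    print(evaluate(ICMP_VIA_WILDCARD, Flow("Outbound", "Tcp", "10.0.1.5", 3389)))        # unintended allow
    print(evaluate(ICMP_SPECIFIC, Flow("Outbound", "Tcp", "10.0.1.5", 3389)))            # denied
    print(evaluate(ICMP_SPECIFIC, Flow("Outbound", "Icmp", "10.0.1.5", None)))           # ping allowed
```

The wildcard-protocol workaround is the point of the ICMP request: to let ping through today the rule has to say "any protocol, any port", so RDP to the same destination rides along under the same rule; a rule that names ICMP leaves the DenyAll in force for everything else.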
Please provide Azure services with an internal endpoint (at least Azure Storage and Azure Backup) to build up machines without an Internet connection.
47 votes
Storage service tags give this capability and it was completed. Private IP for storage is under review.
Traditional load balancers support the following states, to facilitate performing maintenance on a system of multiple nodes gracefully:
Enabled (All traffic allowed)
Disabled (Only persistent or active connections allowed)
Force Offline (only active connections allowed)
When an application gateway node is "unhealthy" it only allows active connections. We are looking for a way to force a node into an "unhealthy" state.
The currently supported method is to use a custom probe that checks a file/path. I would like a solution that doesn't involve making changes on the server going into maintenance mode.
46 votes
This is being worked on currently.