Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

      742 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      41 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    2. Redirect to HTTPS

      Allow HTTPS only configuration to responds with 'redirect to HTTPS' when HTTP request is received. This will be very useful for the new static website storage accounts. Especially, when the wider premium 3rd party CDN is not needed.

      588 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      26 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    3. Increase listener limit for Application Gateway

      Application gateway has a very low listener limit (20 listeners / certificates). This severely limits it's usefulness for multi-tenant/domain applications where a web farm / service hosts many endpoints. IIS itself has no such small limit, but due to constraints on certificate deployment in cloud services, Application Gateway is the only clear path to wide scale SNI based SSL hosting. With it's low limit, it does not come close to meeting our use case. I would suggest the limit be removed or set to a very high limit like 10k+ so many certificates could be bound to host many different…

      441 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      24 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Enable Multiple IP addresses for Azure Application Gateway

      Azure Application Gateway is a nice Service for Load Balancing Layer 7 HTTP and HTTPS traffic. Today, we can only attribute one IP address (Public or Private) to the Application Gateway Deployment. It is fundamental that a Load Balancer can support multiple IP addresses to provide flexibility (Based on many customers feedback)

      408 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      19 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Support for both public and private IP at the same time is available on both V1 and V2 SKU. Customers can host multiple sites behind the same IP and port using multi-site listener today.

      Support for allowing same port on both public and private IP is in the roadmap.

    5. Please add port-mirroring to Azure to enable DLP and logging applications

      We would like a virtual span port or port-mirroring ability

      384 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      14 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    6. Provide multi-factor authentication capabilities in VPN client

      The ask is pretty self-explanatory.

      We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.

      Today, the VPN client only requires having the cert to gain access the Azure Network. As the cert can easily end up in the hands of someone who shouldn't have access to it...it's not very secure.

      For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.

      318 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    7. Point-to-site VPN authentication support for Azure AD

      Instead of only requiring on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

      302 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. implement Service tags for UDR/Route

      Can be good when we create a Route/UDR to have the possibility to select in "Next Hop Type" a service Tag, or Azure Region IP range.

      288 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      19 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. Enable OWASP secure headers on Azure FrontDoor service

      Requesting Front Door be supporting OWASP secure headers (https://www.owasp.org/index.php/OWASPSecureHeaders_Project#tab=Headers)?
      Currently, our POC website using Azure FrontDoor fails many OWASP header tests, especially when Front Door would claim to protect against few OWASP attacks.
      Appreciate that these be on the FrontDoor roadmap in very near future.

      OWASP HTTP Secure Headers

      HTTP Strict Transport Security (HSTS)
      Public Key Pinning Extension for HTTP (HPKP)
      X-Frame-Options
      X-XSS-Protection
      X-Content-Type-Options
      Content-Security-Policy
      X-Permitted-Cross-Domain-Policies
      Referrer-Policy
      Expect-CT
      Feature-Policy

      261 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  7 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    10. Insight in Azure application gateway performance

      Currently there is no way to view usage statistics of the Azure application gateway. Information I would like to see:


      • Per hour performance statistics (e.g. nr of connections, bandwith, CPU usage, etc.)

      • Advice on number of required instances based on metrics from last few days with recommendations to increase or decrease the number of instances

      Regards,

      Jan-Willem

      191 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Allow ACL on Application Gateway for IP filtering via X-FORWARDED-FOR header

      We have requirements from customers to restrict access via their company subnets. It would be very nice if the App Gateway supported not only the SSL offload but the ability to apply ACLs to allow or deny access via a defined network range using X-FORWARDED-FOR headers.

      130 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  12 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Network Watcher Topology should get information for resources in different resource group than VNET

      The preview of Network Watcher has a Topology feature which draws objects connected to a specific VNET, which is great. But, I noted that for a full topology, ALL resources need to be on the same Resource Group than the VNET chosen. That doesn't make sense, because is pretty common to have VMs and NICs on different RGs. Would be great if you choose a RG and a VNET as a starting point, and Topology feature gather all other resources interconnected independently of their RGs.

      123 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    13. Monitoring of ExpressRoute

      I want to be alerted, when my metered ExpressRoute is reaching a certain limit (that it is cheaper for me to go with unlimited model).
      Overall no monitoring supported to verify if peering is up, how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
      The ExpressRoute is critical and therefore its state needs to be monitored.

      86 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      started  ·  7 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    14. Make all services available with IPv6 addresses.

      IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
      Some users and cloud deployments only require connectivity with on premises networks (either IPv4 or IPv6, not both).
      Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
      Also, consider:
      ● Giving each cloud service a /60 (or bigger) instead of a /64;
      ● Making IPv6 addresses static, since pool depletion is no longer an issue.

      84 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  IPv6  ·  Flag idea as inappropriate…  ·  Admin →
    15. Application gateway should have the capability to store certificate in Azure Key Vault

      Currently Application gateway does not store certificate in Azure Key Vault. We believe that Application gateway should have the capability to do that. This will give customer more control over their certificate than saving it in Microsofts encrypted storage.

      65 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Flag idea as inappropriate…  ·  Admin →
    16. Provide API to access CDN Supplemental Management Portal

      API is needed to add new rules (e.g. Country Filtering, Token Auth, etc.) for newly added content.

      Use case: User adds new video content in CMS where he is able to block this video in some regions.

      60 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
      started  ·  Anton Kucer [MSFT] responded

      Work has started on both moving capabilities that are only available in the CDN Supplemental Portal (e.g. rules engine) into the Azure Portal and also providing API’s to support all of these features. This work will be done in multiple phases over the next several months.

    17. Allow IPv6 VIPs - Charge for *blocks of* IPv6 addreses

      It would be nice if we could purchase elastic IPv6 blocks of IPs, then when setting up an endpoint for a VM we could select the specific IP from the block for the endpoint.

      60 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  IPv6  ·  Flag idea as inappropriate…  ·  Admin →
    18. Add additional IP Protocols ls for NSG Rules

      Add the ability to add additional IP Protocols (i.e. ICMP, EIGRP, so forth) to an NSG rule. The only option today is TCP, UDP, or "". Currently to allow ICMP you have to allow any protocol "" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.

      49 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    19. Azure Internal Endpoints to Vnet

      Please provide Azure Services with an Internal Endpoint (a least Azure Storage and Azure Backup) to build up machines without Internet Connection.

      47 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    20. Support for drainstop in Azure App Gateway

      Traditional loadbalancers support the following states, to facilitate performing maintenance on a system of multiple nodes gracefully:
      Enabled (All traffic allowed)
      Disabled (Only persistant or active connections allowed)
      Force Offline (only active connections allowed)

      When a application gateway node is "unhealthy" it only allows active connections. We are looking for a way to force a node into an "unhealthy" state.

      The currently supported method is to use a custom probe that checks a file/path. I would like a solution that doesn't involve making changes on the server going into maintenance mode.

      46 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3
    • Don't see your idea?

    Feedback and Knowledge Base