Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Azure DNS needs DNSSEC support

      DNSSEC is required to be able to secure your DNS requests. At the moment this is not available. We cannot move until our domains to Azure DNS untill these requirements have been met.

      2,768 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)

      Thanks for the suggestion. We recognise the strategic importance of DNSSEC and it is a key feature on our long-term backlog.

      DNSSEC represents a very large engineering investment, and hence we have to prioritize carefully vs other work. The most customer data we can get supporting the need for DNSSEC support, the better prioritization decisions we can make. We appreciate your votes and your comments.

    2. Azure should be its own domain registrar

      Windows Azure should offer domain registrar services so users don't have to maintain our domain names with a separate company. This also has the potential to greatly streamline the process of setting up a website on Azure.

      881 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    3. Extend Azure DNS to support zone transfers so it can be used as seconday DNS

      If Azure DNS supported zone transfers, then if could be used both as a reliable secondary DNS service, or as an external proxy service for AD split-brain, or on-premise hosted DNS configurations.

      829 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)

      Thanks you for the suggestion. This remains a key backlog item for us.

      We’d be interested in further input via your comments. Please consider the following questions:
      – Do you require zone transfers in to Azure DNS, or zone transfers out? Why?
      – Do you require AXFR or IXFR?
      – How should zone transfers be secured?

    4. Provide a 301 (Permanent) redirect service for apex (naked) domains

      Discussed in the Azure DNS docs: https://azure.microsoft.com/en-us/documentation/articles/dns-getstarted-create-recordset/#comment-2294403853

      Right now, you must use a static IP address if you want to point an apex (naked) domain (e.g., mycompany.com) to a Cloud Service (e.g., mycloudservice.cloudapp.net). Static IP's are stable as long as the Cloud Service isn't deprovisioned; however, for maximum security, simplicity, and maintainability (i.e., even if a cloud service is deprovisioned), it would be awesome if we could have 301 redirects for the apex domain to a the www CNAME endpoint and not need to be concerned with the IP address of the Cloud Service at all. The scenario goes like…

      498 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    5. Provide explicit drain stop capabilities for Load Balancing.

      Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.

      458 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  Load Balancing  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow DNS servers to be advertised per subnet instead of VNET

      Instead of advertising the DNS servers per VNET, is there anyway we can specify what DNS servers should be advertised per subnet? In most cases, I would create a VNET and use NSGs to segregate out my traffic.

      The problem with specifying the DNS servers for the whole VNET, is now I am required to create a completely separate VNET for a DMZ, as my internal DNS servers are being advertised to those machines. In this case, being able to specify DNS servers at a subnet level will allow more flexibility in regards to creating one VNET instead of multiple…

      440 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      18 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    7. Let's Encrypt Integration for HTTPS certificates

      It should be possible to define a list of SSL hostnames. Application Gateway should automatically acquire and renew certificates for all given hostnames (most probably through the HTTP domain validation process).

      For every request, Application Gateway should use the correct certificate based on the hostname.

      Supporting multiple hostnames is critical to use Let's Encrypt with multi-site routing.

      436 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    8. Change existing Public IP SKU from Basic to Standard

      We have already setup our business in Azure and utilize Public IPs in our infrastructure that are used by many different clients. With the release of Standard SKU Load Balancer and the requirement for Standard SKU Public IPs, we cannot proceed to upgrade our setup. A change in IPs would mean weeks or even months in planning/communication and reconfiguration of firewalls,VPNs,application restrictions.

      424 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      under review  ·  24 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    9. Site to Site VPN: allow local network range to include Azure VNET range

      I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network be overlapping.
      Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…

      421 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    10. Auto-connect for point-to-site VPN.

      When the device is restarted, or internet connectivity is regained, the device automatically connects to the VPN again.

      371 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    11. Allow creation of NSG rules based on FQDN along with Ports

      NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM

      259 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    12. Allow network security groups to be created and renamed

      Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?

      My use case: I created an instance and and 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.

      255 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    13. Possibility to set a DNS Suffix on Azure networks (like DNS Servers)

      There are many scenarios for Virtual Machines (and Other maybe) where NIC settings are cleared (VM Deallocated). DNS Servers can be set on Azure Network, and this VM will have DNS Servers settings via DHCP. But we have to set DNS Suffix manually each time, or set a script automatically at each boot.
      The idea is just to have a way to set a suffix DNS for VM Networks, with the same way as DNS Servers. With this settings, DHCP will assign DNS suffix to all VM automatically.

      241 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    14. Support SNAT on internal Azure load Balancer

      Currently it seems Azure Internal Load Balancer does not support Source NAT.
      this mean that if 2 different services hosted on 2 different VM and the VM are on the same vnet the traffic is not load balanced if the ILB route the traffic to the same VM that start the request.
      example:
      Service A (exposed on port x) and B (exposed on port y) are hosted on VM 1 and VM2 on the same vnet.
      Service A has VIP z and Service B has VIP m.
      if service A is recalled via VIP z from VM 1 and ILB…

      216 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Load Balancing  ·  Flag idea as inappropriate…  ·  Admin →
    15. Don't strip QOS DSCP markings

      Azure vNets with ExpressRoute should support QOS markings. Ideally the Expressroute circuit should honour and prioritise packets with DSCP priorities set.

      If honouring DSCP is not possible then the values should at least be passed along and not be stripped out.

      We have Azure connected to our internal MPLS network via an Expressroute Exchange provider. (Our MPLS provider is not setup as a Network provider in Azure). Some of our remote sites have congested links however with QOS we ensure all business applications perform well.

      We are now moving some business applications into Azure and getting performance problems due to…

      215 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    16. Introduce 'Vanity name servers'

      We would like to see an introduction of delegations using name server names in our own zone (sometimes called 'vanity name servers').

      Using 'vanity name servers' are important for consolidating our corporate brand.

      Currently, the 'host' field of the SOA and the NS records at the zone apex are deliberately locked to discourage us from setting up delegations other than via the Azure DNS name server names.

      We realise such delegations would break were we ever to change the Azure DNS name server IP ranges in future, which would obviously need to be resolved prior to the introduction of this.

      173 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    17. Point-to-site VPN authentication support for Azure AD

      Instead of only requiring on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

      166 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    18. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

      161 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    19. 152 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    20. Bring Your Own Public IP Address space and Internet subnet routing in Azure Virtual Networks

      When you own a public address space IPv4 and/or IPv6, Windows Azure should provide a way to use it (via LISP and/or classic routing).
      When you don't own a public address space, you should be able to rent it for your virtual network on Windows Azure both via Microsoft or via Tunnel Broker providers

      151 votes
      Vote
      Sign in
      (thinking…)
      Password icon
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      7 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →

      Reactivating this request…apologies that it was closed due to misunderstanding of your intent.

      We’ll take this request as: I need a simple way to host IP space that I own as Public IP’s in Azure which I can then use on my Azure-hosted services/VM’s.

      We’ve had multiple requests for this feature recently and are actively working through the design now. Unfortunately, we don’t have an estimated release date yet.

    ← Previous 1 3 4 5 10 11
    • Don't see your idea?

    Feedback and Knowledge Base