Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Azure DNS needs DNSSEC support

      DNSSEC is required to be able to secure your DNS requests. At the moment this is not available. We cannot move our domains to Azure DNS until these requirements have been met.

      2,385 votes

        Thanks for the suggestion. We recognise the strategic importance of DNSSEC and it is a key feature on our long-term backlog.

        DNSSEC represents a very large engineering investment, and hence we have to prioritize carefully vs other work. The more customer data we can get supporting the need for DNSSEC support, the better prioritization decisions we can make. We appreciate your votes and your comments.

      • Azure should be its own domain registrar

        Windows Azure should offer domain registrar services so users don't have to maintain our domain names with a separate company. This also has the potential to greatly streamline the process of setting up a website on Azure.

        826 votes
        • Extend Azure DNS to support zone transfers so it can be used as secondary DNS

          If Azure DNS supported zone transfers, then it could be used both as a reliable secondary DNS service, or as an external proxy service for AD split-brain, or on-premise hosted DNS configurations.

          785 votes

            Thank you for the suggestion. This remains a key backlog item for us.

            We’d be interested in further input via your comments. Please consider the following questions:
            – Do you require zone transfers in to Azure DNS, or zone transfers out? Why?
            – Do you require AXFR or IXFR?
            – How should zone transfers be secured?

          • Provide explicit drain stop capabilities for Load Balancing.

            Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.

            448 votes
              16 comments  ·  Load Balancing
            • Provide a 301 (Permanent) redirect service for apex (naked) domains

              Discussed in the Azure DNS docs: https://azure.microsoft.com/en-us/documentation/articles/dns-getstarted-create-recordset/#comment-2294403853

              Right now, you must use a static IP address if you want to point an apex (naked) domain (e.g., mycompany.com) to a Cloud Service (e.g., mycloudservice.cloudapp.net). Static IPs are stable as long as the Cloud Service isn't deprovisioned; however, for maximum security, simplicity, and maintainability (i.e., even if a cloud service is deprovisioned), it would be awesome if we could have 301 redirects for the apex domain to the www CNAME endpoint and not need to be concerned with the IP address of the Cloud Service at all. The scenario goes like…

              445 votes
              • Site to Site VPN: allow local network range to include Azure VNET range

                I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network overlapping.
                Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…

                421 votes
                • Allow DNS servers to be advertised per subnet instead of VNET

                  Instead of advertising the DNS servers per VNET, is there any way we can specify what DNS servers should be advertised per subnet? In most cases, I would create a VNET and use NSGs to segregate out my traffic.

                  The problem with specifying the DNS servers for the whole VNET, is now I am required to create a completely separate VNET for a DMZ, as my internal DNS servers are being advertised to those machines. In this case, being able to specify DNS servers at a subnet level will allow more flexibility in regards to creating one VNET instead of multiple…

                  416 votes
                    17 comments  ·  Virtual Networks (VNET)
                  • Let's Encrypt Integration for HTTPS certificates

                    It should be possible to define a list of SSL hostnames. Application Gateway should automatically acquire and renew certificates for all given hostnames (most probably through the HTTP domain validation process).

                    For every request, Application Gateway should use the correct certificate based on the hostname.

                    Supporting multiple hostnames is critical to use Let's Encrypt with multi-site routing.

                    409 votes
                      1 comment  ·  Application Gateway
                    • Auto-connect for point-to-site VPN.

                      When the device is restarted, or internet connectivity is regained, the device automatically connects to the VPN again.

                      326 votes
                      • Change existing Public IP SKU from Basic to Standard

                        We have already set up our business in Azure and utilize Public IPs in our infrastructure that are used by many different clients. With the release of Standard SKU Load Balancer and the requirement for Standard SKU Public IPs, we cannot proceed to upgrade our setup. A change in IPs would mean weeks or even months in planning/communication and reconfiguration of firewalls, VPNs, application restrictions.

                        303 votes
                          under review  ·  12 comments  ·  IP addresses
                        • Allow network security groups to be created and renamed

                          Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?

                          My use case: I created an instance and an 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.

                          241 votes
                          • Possibility to set a DNS Suffix on Azure networks (like DNS Servers)

                            There are many scenarios for Virtual Machines (and maybe others) where NIC settings are cleared (VM Deallocated). DNS Servers can be set on Azure Network, and this VM will have DNS Servers settings via DHCP. But we have to set the DNS Suffix manually each time, or set a script to run automatically at each boot.
                            The idea is just to have a way to set a DNS suffix for VM Networks, in the same way as DNS Servers. With this setting, DHCP will assign the DNS suffix to all VMs automatically.

                            228 votes
                            • Allow creation of NSG rules based on FQDN along with Ports

                              NSG gives the option to configure NSG rules with IP address and ports. In the same way, we need an option to configure inbound/outbound NSG rules based on the FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Key Vault, Azure File Storage Services, Azure Websites, etc., because all these Azure services require their endpoints (FQDN) to be reachable from inside the VM.

                              211 votes
                              • Don't strip QOS DSCP markings

                                Azure vNets with ExpressRoute should support QOS markings. Ideally the ExpressRoute circuit should honour and prioritise packets with DSCP priorities set.

                                If honouring DSCP is not possible then the values should at least be passed along and not be stripped out.

                                We have Azure connected to our internal MPLS network via an ExpressRoute Exchange provider. (Our MPLS provider is not set up as a Network provider in Azure). Some of our remote sites have congested links; however, with QOS we ensure all business applications perform well.

                                We are now moving some business applications into Azure and getting performance problems due to…

                                209 votes
                                  2 comments  ·  ExpressRoute
                                • Support SNAT on internal Azure Load Balancer

                                  Currently it seems Azure Internal Load Balancer does not support Source NAT.
                                  This means that if 2 different services are hosted on 2 different VMs and the VMs are on the same vnet, the traffic is not load balanced if the ILB routes the traffic to the same VM that started the request.
                                  Example:
                                  Service A (exposed on port x) and B (exposed on port y) are hosted on VM 1 and VM2 on the same vnet.
                                  Service A has VIP z and Service B has VIP m.
                                  If service A is recalled via VIP z from VM 1 and ILB…

                                  197 votes
                                    7 comments  ·  Load Balancing
                                  • Allow customization of Application Gateway WAF rule matching

                                    I would like to be able to selectively remove some cookies and some HTTP headers from all rule application scans, on a case by case basis.

                                    Problem Statement:
                                    The web application firewall functionality of the application gateway scans the entire HTTP message, without the ability to customize where the scan will occur.

                                    This leads to false positives where scan pattern matches will detect suspicious characters in URL encoded blobs like security or access tokens, or in other arbitrary places like cookies.

                                    The following Microsoft tools have caused this problem on my environment:
                                    - Kudu tools for web applications
                                    - API…

                                    175 votes
                                      15 comments  ·  Application Gateway
                                    • Point-to-site VPN authentication support for Azure AD

                                      Instead of only relying on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

                                      160 votes
                                      • Introduce 'Vanity name servers'

                                        We would like to see an introduction of delegations using name server names in our own zone (sometimes called 'vanity name servers').

                                        Using 'vanity name servers' is important for consolidating our corporate brand.

                                        Currently, the 'host' field of the SOA and the NS records at the zone apex are deliberately locked to discourage us from setting up delegations other than via the Azure DNS name server names.

                                        We realise such delegations would break were we ever to change the Azure DNS name server IP ranges in future, which would obviously need to be resolved prior to the introduction of this.

                                        158 votes
                                        • 142 votes

                                            Thank you for your patience. This is still under review. We are working on other features that are moving us closer to being able to provide these capabilities, but cannot yet dedicate resources to this feature.
                                            Thanks,
                                            Bridget [MSFT]

                                          • Support VNET re-deployment without destroying subnets

                                            When you deploy a VNET from an ARM template in incremental mode, I would expect omitting the subnet property would not change the subnets since they are child resources. Instead they are destroyed. I think this is inconsistent with all other similar resource types, e.g. app service plans and web apps, Azure SQL servers and databases, etc. Please make VNETs and subnets deployments consistent.

                                            https://github.com/Azure/azure-quickstart-templates/issues/2786

                                            128 votes
                                              under review  ·  3 comments  ·  Virtual Networks (VNET)