Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Stop/Start Virtual Network Gateway - to avoid paying when it is not in use

      There are two charges related to the Azure VPN service: the compute resource charge at $0.05/hour, and the egress data volume charge. Both are based on resource consumption. Unfortunately, even if the VPN tunnels are not connected, the gateway compute resource is still being consumed and will cost ~$38 monthly!
      This is not really "Pay only for what you use".

      Need functionality to “STOP” (and of course "START") a gateway if the customer is certain that the gateway will not be in use.

      1,535 votes
    2. Allow Mutual SSL Auth on Application Gateway

      At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into…

      714 votes
      39 comments  ·  Application Gateway
    3. change virtual machine virtual network through portal

      Today, I needed to change a virtual network to an existing Virtual Machine. I had to delete this VM, create a new one using attached disks from the old one and set the Virtual Network. It would be nice if we had another way to do that, using Portal for example.

      651 votes
      16 comments  ·  Virtual Networks (VNET)
    4. Please add port-mirroring to Azure to enable DLP and logging applications

      We would like a virtual span port or port-mirroring ability

      364 votes
      planned  ·  13 comments  ·  Other
    5. Traffic Manager Failover profile alert

      Can you please add an alert rule for Azure Traffic Manager to update the co-admin by sending a mail alert whenever the primary / secondary goes down and a switchover occurs?

      Our customer wants to create an alert for this scenario.

      This will greatly relax the customer to sit in a place to watch service changes through mail.

      322 votes
    6. Add Custom Tags to NSG Rules

      It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-addresses/subnets as a separate item in every NSG. When these ip-addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-addresses/subnets as 'Custom Tags' in our NSG rules we don't have to check and change every NSG rule with every ip-address change.

      263 votes
    7. Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit

      When we have the WAF set to prevention mode some of our HTTP posts are denied with code 413.

      Request body no files data length is larger than the configured limit (131072).. Deny with code (413)

      Can you make these two settings configurable on the WAF?

      SecRequestBodyLimit
      SecRequestBodyNoFilesLimit

      Thanks
      Mark

      250 votes
      14 comments  ·  Application Gateway
    8. Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location

      Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).

      This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.

      231 votes
      12 comments  ·  Virtual Networks (VNET)
    9. Offer NAT as a Service

      There is often the need to connect two or more networks with overlapping addresses over a VPN in regulated industries. The address spaces (often 10.0.0.0/8) can't be changed, however a DMZ subnet can be introduced in each network from the 172.16.0.0/12 address space. The DMZ subnets will not overlap between any network.

      Just like the load balancer, make a NAT device a first class function citizen in virtual networking and allow us to define SNAT, DNAT or Full NAT. Feel free to require a dedicated subnet for the device.

      Then make it easier for custom route rules to route traffic…

      229 votes
      planned  ·  8 comments  ·  Virtual Networks (VNET)
    10. HA Ports for Standard load balancers with Public IP

      Current review of HA ports only supports Internal LB without any public IP attached. The majority of NVA deployments are with Public IP attached to the LB.

      185 votes
      8 comments  ·  Load Balancing
    11. Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.

      Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.

      161 votes
      12 comments  ·  Virtual Networks (VNET)
    12. Ability to create source/destination objects containing multiple IP addresses/ranges

      When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

      155 votes
    13. Enable OWASP secure headers on Azure FrontDoor service

      Requesting that Front Door support OWASP secure headers (https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers).
      Currently, our POC website using Azure FrontDoor fails many OWASP header tests, especially when Front Door would claim to protect against few OWASP attacks.
      Appreciate that these be on the FrontDoor roadmap in very near future.

      OWASP HTTP Secure Headers
      ------------------------------
      HTTP Strict Transport Security (HSTS)
      Public Key Pinning Extension for HTTP (HPKP)
      X-Frame-Options
      X-XSS-Protection
      X-Content-Type-Options
      Content-Security-Policy
      X-Permitted-Cross-Domain-Policies
      Referrer-Policy
      Expect-CT
      Feature-Policy

      145 votes
      planned  ·  2 comments  ·  Azure Front Door Service
    14. Support IPv6 in Application Gateway front-end public IP

      Support IPv6 in Application Gateway front-end public IP

      134 votes
      planned  ·  0 comments  ·  Application Gateway
    15. IPSec tunnel over ExpressRoute

      We require confidentiality and integrity of our network links into Azure, and want to use ExpressRoute. Currently the Azure gateway ExpressRoute SKU does not support IPSec.

      Can you please add IPSec support to ExpressRoute, or to the Azure gateway ExpressRoute SKU?

      130 votes
      planned  ·  11 comments  ·  ExpressRoute
    16. Allow specification of multiple ports in a single NSG rule

      Allow a comma separated list of port numbers to allow a single rule to provide (for example) access to a domain controller (which would normally require the following ports opened: 53, 88, 135, 139, 389, 445, 464, 636, 1025, 3268-3269, 5722, 9389, 49152-65535).
      This seems to be basic functionality for firewall applications, but the absence of this ability within NSG rules means that the 200 soft limit (400 hard limit) is reached extremely quickly in a corporate environment.

      110 votes
    17. Support wildcard hosts in custom hostnames

      Many current SaaS applications enable customers to select their own subdomain in order to have a personalized URL.

      So let's say I own contoso.com and I let my customers select any subdomain (*.contoso.com) like:

      foo.contoso.com
      bar.contoso.com

      That's cool with a couple of customers, but when you have a large system it's not doable to set them up one by one, even if you can automate that.

      The ideal solution would be allowing custom hostname field to bind a wildcard domain, in this example *.contoso.com

      There's a similar idea for Application Gateway that has been around for a while (https://feedback.azure.com/forums/217313-networking/suggestions/19527121-application-gateway-support-wildcard-hosts-in-lis)

      Similar products on…

      110 votes
      planned  ·  1 comment  ·  Azure Front Door Service
    18. Traffic Manager Logging & Alerts

      Traffic Manager needs to keep track of past endpoint health failures.
      In addition to this it should be possible to configure alerts about changes to endpoint health.

      107 votes
      planned  ·  6 comments  ·  Domain Name Service (DNS, Traffic Manager)
    19. Allow the use of a known outbound nat gateway for vnets

      VMs placed in a vnet today with a public IP attached access the Internet from arbitrary, unknown addresses. This makes it hard to manage access from Azure VMs to backend systems relying on IP-address ACLs. We simply need to know which IP address Azure VMs use for accessing resources outside the vnet. If I use UDRs with dest 0.0.0.0/0, load balancing in Azure doesn't work. Please give us a configurable NAT gateway per subnet or vnet similar to what AWS has.

      102 votes
      7 comments  ·  Virtual Networks (VNET)
    20. Custom error pages in Azure Front Door

      As for Application Gateway, we need to be able to customize the error page displayed when access to a URL is refused by an IP restriction rule.

      See : https://feedback.azure.com/forums/217313-networking/suggestions/18749326-application-gateway-custom-error-pages

      89 votes
      planned  ·  0 comments  ·  Azure Front Door Service