At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into the Application Gateway would be fantastic.
1,170 votes
Thanks for all your feedback so far. This is something we are looking to address relatively soon. Please stay tuned.
There must be an option to upgrade a Public IP SKU from Basic to Standard without losing the static PIP, as it is creating a big roadblock when we do any planning such as moving an existing PIP behind an NVA or a Standard Load Balancer.
If any existing production servers are already running on a Basic PIP then it is very tough to make any decision to upgrade the SKU or move it behind a Standard ELB.
We need a suggestion here on how, and by when, we can overcome this.
1,125 votes
Thank you for the feedback. We are working on prereqs to make this possible. Not in scope for CY2019.
Please allow us to deploy Bastion in a Hub & Spoke VNet design. It makes sense to deploy Bastion in the Hub VNet only. Then we can access VMs in spoke VNets from Bastion. Hub & Spoke design is the Azure recommended reference architecture, so it makes sense to support it.
856 votes
We are currently planning for this!
Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.
592 votes
We’re working on planning this feature.
I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names and the IP addresses of these apparently change often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would achieve this.
449 votes
Thanks for your feedback, we are working on this.
- Anavi N [MSFT]
When we have the WAF set to prevention mode some of our HTTP POSTs are denied with code 413:
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of the global WAF configurable parameters.
Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From a Different Location
Remove the limitation restricting Network Security Groups (NSGs) from leveraging/associating Application Security Groups (ASGs) that are not within the same location as the target Virtual Network (VNet).
This is especially important to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.
390 votes
Thanks for the feedback. We are working on enabling ASG references across subscriptions/VNets; it's currently in our plans.
Make it possible to enable name resolution from on-premises if I have an Azure Private DNS zone.
It should be possible to forward from on-premises DNS to an Azure Private DNS zone.
272 votes
As for Application Gateway, we need to be able to customize the error page displayed when access to a URL is refused by an IP restriction rule.
241 votes
Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.
Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.
205 votes
Thank you for your feedback. We plan to address this gap.
Please extend the DNS zones solution to add forwarding & client features to implement the following in PaaS instead of with VMs:
Use case: use Azure DNS to forward DNS queries to 18.104.22.168 & between subnets. Enterprise DNS would forward to Azure DNS. The VNet has Azure-provided name resolution (*.internal.cloudapp.net). In this way Enterprise DNS could dynamically learn of a PaaS offering on the VNet.
199 votes
Support IPv6 in Application Gateway front-end public IP
182 votes
When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination, but objects would be better so they can be used across multiple rules.
170 votes
Custom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs is a roadmap item for now.
If raw logs were made available and posted to blob storage, developers could use them for sub-billing our customers for their usage of the CDN.
161 votes
Active / passive load balancing without the dependency of the cluster service.
158 votes
We are looking at ways to support this scenario where one active instance/one or more passive instances can be supported and flows are not impacted.
We require confidentiality and integrity of our network links into Azure, and want to use ExpressRoute. Currently the Azure gateway ExpressRoute SKU does not support IPsec.
Can you please add IPsec support to ExpressRoute, or to the Azure gateway ExpressRoute SKU?
143 votes
Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role (DC, SQL, etc.)".
141 votes
Why does it take upwards of 30 minutes to create a VNet gateway?
If I am doing a PowerShell script or a CI/CD deployment, the whole world stops while the VPN takes 30-odd minutes to be initialised and start. Can this please be addressed?
135 votes
There is no way I can purge an Akamai CDN endpoint fully or with a wildcard, which is the best fit for our project.
133 votes
Support is planned for this later this year.