Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Allow Mutual SSL Auth on Application Gateway

      At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into…

      997 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      52 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    2. Load Balancer and Public IP SKU.

      There must be an option of Upgrading Public IP SKU from Basic to Standard without losing Static PIP as it is a creating a big road block when we do any planning like moving existing PIP behind any NVA Standard Load balancer.
      If any existing Production Server are already running on Basic PIP then it is very tough to make any decisions to upgrade SKU or move it behind any Standard ELB.

      Need suggestion here how and till what time we can overcome here.

      903 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      40 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    3. Drain/admin endpoint control for Load Balancer

      Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.

      572 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      21 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    4. Bastion supporting vnet peering for Hub & Spoke design

      Please allow us to deploy Bastion in Hub & Spoke vnet design. It makes sense to deploy Bastion in Hub vnet only. Than we can access VMs in spoke vnets from Bastion. Hub & Spoke design is Azure recommended Reference architecture, make sense to support it.

      440 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Bastion  ·  Flag idea as inappropriate…  ·  Admin →
    5. Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit

      When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.

      Request body no files data length is larger than the configured limit (131072).. Deny with code (413)

      Can you make these two settings configurable on the WAF?

      SecRequestBodyLimit
      SecRequestBodyNoFilesLimit

      Thanks
      Mark

      357 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    6. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule this would acheive this.

      330 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      23 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    7. Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location

      Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).

      This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.

      326 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.

      Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.

      186 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    9. Custom error pages in Azure Front Door

      As for Application Gateway, we need to be able to customize the error page displayed when the access to an url is refused by an ip restriction rule.

      See : https://feedback.azure.com/forums/217313-networking/suggestions/18749326-application-gateway-custom-error-pages

      180 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    10. Ability to create source/destination objects containing multiple IP addresses/ranges

      When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

      166 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Support IPv6 in Application Gateway front-end public IP

      Support IPv6 in Application Gateway front-end public IP

      163 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    12. Make raw logs available for CDN traffic

      If raw logs were made available and posted to blob storage, developers could use them for sub-billing our customers for their usage of the CDN.

      158 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  10 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    13. 149 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      13 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    14. IPSec tunnel over ExpressRoute

      We require confidentiality and integrity of our network links into Azure, and want to use ExpressRoute. Currently the Azure gateway ExpressRoute SKU does not support IPSec.

      Can you please add IPSec support to ExpressRoute, or to the Azure gateway Expressroute SKU.

      140 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  11 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    15. azure zones dns-forwarder

      Please extend DNS zones solution to add forwarding & client features to implement the following in PaaS instead of with VMs:
      https://github.com/Azure/azure-quickstart-templates/tree/master/301-dns-forwarder

      Use case: use azure dns to forward dns queries to 168.63.129.16 & between subnets. Enterprise DNS would forward to Azure DNS. VNET has Azure-provided name resolution (*.internal.cloudapp.net). In this way Enterprise DNS could dynamically learn of a PaaS offering on VNET.

      140 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  1 comment  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    16. 133 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  13 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    17. Make full purge and wildcard purge for AKAMAI CDN

      There is no way I can purge AKAMAI CDN endpoint fully or with wildcard which is best fit for our project.

      128 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    18. Allow multiple reserved IP addresses be assigned to a single VM

      Currently you can only have one reserved (static) public IP for a given Azure VM. This limits any case where you would want to run multiple SSL enabled sites/applications on the standard 443 port.

      I understand there is support for SNI SSL with host headers but not all applications and devices support this feature. Current competition in you market allow up to 5 IPs. A limit I believe is still arbitrarily low given the power of your larger VM instances available.

      122 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →
    19. Application Gateway WAF: update to OWASP CRS 3.0.2

      The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.

      2 examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).

      OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).

      115 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Allow changing of pricing tier

      Allow changing pricing their from Verizon Standard to Verizon Premium and vice versa

      116 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      planned  ·  2 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 6
    • Don't see your idea?

    Feedback and Knowledge Base