At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into the Application Gateway would be fantastic.
905 votes
Thanks for all your feedback so far. This is something we are looking to address relatively soon. Please stay tuned.
There must be an option of upgrading the Public IP SKU from Basic to Standard without losing the static PIP, as it is creating a big road block when we do any planning like moving an existing PIP behind any NVA or Standard Load Balancer.
If any existing Production Servers are already running on a Basic PIP then it is very tough to make any decision to upgrade the SKU or move it behind any Standard ELB.
Need a suggestion here on how, and until what time, we can overcome this.
743 votes
Thank you for the feedback. We are working on prereqs to make this possible. Not in scope for CY2019.
Many on-prem systems rely on an ability to gracefully drain traffic from a node before removing it from load balancing for updates or maintenance. While there are workarounds today for the Azure Load Balancing infrastructure (http://serverfault.com/questions/686095/gracefully-take-a-server-out-of-azure-load-balancer-drain-stop) it's not as flexible as existing on-prem services. Please add this feature.
551 votes
We’re working on planning this feature.
When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
Thanks for your feedback. This is planned as part of global waf configurable parameters.
Please allow us to deploy Bastion in a Hub & Spoke vnet design. It makes sense to deploy Bastion in the Hub vnet only. Then we can access VMs in spoke vnets from Bastion. Hub & Spoke design is the Azure recommended reference architecture, so it makes sense to support it.
316 votes
We are currently planning for this!
Allow Network Security Groups (NSGs) to Reference Application Security Groups (ASGs) From Different Location
Remove the limitation of restricting Network Security Groups (NSGs) ability to leverage/associate Application Security Groups (ASGs) that are not within the same location of the target Virtual Network (VNET).
This is especially important, to provide granularity and segregation/isolation in a hub-and-spoke networking model (i.e. VNetA-ASG1-to-VNetB-ASG1), in association with VNet Peering.
301 votes
Thanks for the feedback. We are working on enabling ASG references across subscriptions/VNets; it's currently in our plans.
I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.
301 votes
Thanks for your feedback, we are working on this.
- Anavi N [MSFT]
Allow transit routing between ExpressRoute, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes.
Allow transit routing between ExpressRoute Gateways, VPN Gateways, and NVAs by allowing them to peer with BGP and exchange routes. This functionality would give the customer more flexibility in how they lay out their network.
185 votes
Thank you for your feedback. We plan to address this gap.
When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.
166 votes
Custom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs is a roadmap item for now.
If raw logs were made available and posted to blob storage, developers could use them for sub-billing our customers for their usage of the CDN.
158 votes
As for Application Gateway, we need to be able to customize the error page displayed when access to a URL is refused by an IP restriction rule.
158 votes
Support IPv6 in Application Gateway front-end public IP
154 votes
We require confidentiality and integrity of our network links into Azure, and want to use ExpressRoute. Currently the Azure gateway ExpressRoute SKU does not support IPSec.
Can you please add IPSec support to ExpressRoute, or to the Azure gateway ExpressRoute SKU.
140 votes
Active / passive load balancing without the dependency of the cluster service.
139 votes
We are looking at ways to support this scenario where one active instance/one or more passive instances can be supported and flows are not impacted.
There is no way I can purge an AKAMAI CDN endpoint fully or with a wildcard, which is the best fit for our project.
122 votes
Support is planned for this later this year.
Currently you can only have one reserved (static) public IP for a given Azure VM. This limits any case where you would want to run multiple SSL enabled sites/applications on the standard 443 port.
I understand there is support for SNI SSL with host headers but not all applications and devices support this feature. Current competition in your market allows up to 5 IPs. A limit I believe is still arbitrarily low given the power of your larger VM instances available.
122 votes
Status: planned. Azure IaaS Engineering Team (Microsoft Azure) responded:
This is an area with active investment.
The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.
Two examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).
OWASP CRS 3.0.2 reworked some rules in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).
112 votes
Thanks for your feedback. This is planned as a new supported RuleSet.
Allow changing pricing tier from Verizon Standard to Verizon Premium and vice versa
105 votes
Please extend DNS zones solution to add forwarding & client features to implement the following in PaaS instead of with VMs:
Use case: use Azure DNS to forward DNS queries to 188.8.131.52 & between subnets. Enterprise DNS would forward to Azure DNS. The VNET has Azure-provided name resolution (*.internal.cloudapp.net). In this way Enterprise DNS could dynamically learn of a PaaS offering on the VNET.
98 votes