I'm experimenting with using App Gateway as a frontend server to do URL routing to one Windows App Service and one Linux App Service, via the portal. I'm an hour in to this process because each and every step takes many minutes to complete.38 votes
Thanks for your feedback. We are working on improving the update experience to make it faster. As an alternate suggestion, please note that multiple configuration steps can be combined into a single update via PowerShell or ARM template for faster updates.
When running MVC applications with federated authentication with IdPs like Azure AD B2C, the OAuth response coming back from AD is always greater than 2048 character url length. This becomes limitation of AG as AG can not be used for application doing federated authentication with various IdPs including Azure AD B2C.
Please remove the 2048 character limitation as well any other request size limitation which could truncate url as well as request body including cookies etc.30 votes
I want to be alerted, when my metered ExpressRoute is reaching a certain limit (that it is cheaper for me to go with unlimited model).
Overall no monitoring supported to verify if peering is up, how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
The ExpressRoute is critical and therefore its state needs to be monitored.43 votes
The only way to get diagnostics logs from a VNet gateway is via ASM cmdlets. CSP subscriptions do not offer any support for ASM, so troubleshooting is impossible. Please add native support in ARM for retrieving logs from a VNet gateway135 votes
Thank you for your suggestion. We currently have something in the Portal called “Resource Health Check” under “Support + Troubleshooting” within your Gateway. It will check the health of your Gateway and try to determine the cause of an unhealthy Gateway. We understand how important this is, and are working on further improvements to monitoring and diagnostics.
Azure forces clients to have a class A default route when using 10.x.x.x as their internal network. This should reflect the subnet mask illustrated in the portal
More information:7 votes
Thank you for bringing this to our attention. We are now working on this.
For the sake of security, it would great if we could get the following tags removed from the AG responses:
< Server: Microsoft-IIS/8.5
< X-Powered-By: ARR/3.0
< X-Powered-By: ASP.NET97 votes
Thank you for the feedback. We are working on removing these headers.
In case when the connection is done via Application Gateway, it shows no response when HTTP connection takes over 4 minutes.
I predict the root cause of this issue is due to Azure’s Load Balancer, as it depends on limitations.
Therefore, I ask you to change it so we can make the limitation optional.
Application Gateway を経由した通信の場合、 4 分間を超える HTTP 通信が発生すると、応答を返さなくなる。
この動作は、Load Balancer の制限に依存すると思われるが、これを任意で変更できるようにしてほしい。47 votes
We are working on providing this support. Customers would specify timeout on the PublicIPAddress resource which is attached to the Application Gateway.
Azure classic had a very good powershell cmdlet, Get-AzureEffectiveRouteTable, which showed the route table for a VM with all the UDRs applied to it from the VM's perspective. It would be great if we can apply this concept to NSG's and Routes in ARM and especially in the portal. If I click on a NIC, it will show me the effective inbound and outbound NSGs applied to it by combining the subnet level NSG rules and the NIC level rules. For routes, it should show me something similar to the cmdlet above by combining all the VNET peering routes, VNET routes, and UDRs.
This would be REALLY helpful in diagnosing routing and ACL issues in a deployment to see all of this information in one place instead of having to go to different areas in the portal to dig up the information.
Azure classic had a very good powershell cmdlet, Get-AzureEffectiveRouteTable, which showed the route table for a VM with all the UDRs applied to it from the VM's perspective. It would be great if we can apply this concept to NSG's and Routes in ARM and especially in the portal. If I click on a NIC, it will show me the effective inbound and outbound NSGs applied to it by combining the subnet level NSG rules and the NIC level rules. For routes, it should show me something similar to the cmdlet above by combining all the VNET peering routes, VNET…6 votes
Hi Erwen, thanks for your feedback, we appreciate you taking the time to let us know. We are actively working on this and you should hear more about it soon.
Unable to add a tag to an ExpressRoute Circuit.
When attempting to add a tag to a resource of type ExpressRoute Circuit, I get an error message "The requested resource does not support http method 'PATCH'."
Seems like the resource provider for ExpressRoute doesn't provide all API calls that are required for supporting tags.1 vote
Thank you for your feedback. This bug has been fixed and will be in production soon. We will notify you as soon as it is in production.
Create a Secure DNS service that can be used by Enterprise DNS servers and report and block suspect activity from clients. The solution should be based in Microsoft Azure, but should also be integrated with either Microsoft OMS og Windows ATP service.
All log files collected from Enterprise DNS servers should be forwarded to the Azure Secure DNS service (https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/)3 votes
We’re working with a number of leading DNS firewall providers to provide this functionality. We have two in the marketplace now, ThreatSTOP and InfoBLOX.
I pretty much want to keep storage, SQL database, web app, VMs, and any other service I use within a private network to keep granular control of which services can connect to other services. The "open to all" connection strings to all services is a hard sell to any organization used to securing their IT behind firewalls and networks of networks. Where are you on this today? It must be considered a less secure since these connection strings always tend to leak..8 votes
We have started working on this for some services. More to follow.
Azure Application Gateway is a nice Service for Load Balancing Layer 7 HTTP and HTTPS traffic. Today, we can only attribute one IP address (Public or Private) to the Application Gateway Deployment. It is fundamental that a Load Balancer can support multiple IP addresses to provide flexibility (Based on many customers feedback)163 votes
We started working on this.
We need records in log when someone apply or remove NSG for subnet. Also it would be great to log changes to NSR rules.16 votes0 comments · Security (ACLs, Firewalls, Intrusion Detection) · Flag idea as inappropriate… · Admin →
This is already in the pipeline
currently as azure admin i can not see the gateway log when Vnet to Vnet connection is made94 votes
The ask is pretty self-explanatory.
We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.
Today, the VPN client only requires having the cert to gain access the Azure Network. As the cert can easily end up in the hands of someone who shouldn't have access to it...it's not very secure.
For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.179 votes12 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →
We are working on giving more control over authentication within Point-to-Site connectivity to Azure.
IPv6 has been a standard for years and ISPs are starting to roll out native IPv6 stacks to consumers. The time is now to support IPv6.1,139 votes
As noted by SamirF, Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP…inbound and outbound initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/
We realize load-balanced Internet connectivity is just the first step of what is implied by this suggestion & comments and support for more scenarios is under development.
Please add suggestions for specific scenario/service you need IPv6 enabled to help guide our prioritization and work?
The Azure Networking IPv6 feature team
With Azure trying to attract more than just Windows devs, we need to be able to VPN using non-Windows platforms for point-to-site connections.1,416 votes68 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →
Thank you for your suggestion, and all of the support it has received. We understand this is a major pain point for a lot of our customers. We are currently working on enabling non-Windows clients to connect to Azure.
It would be nice if we could purchase elastic IPv6 blocks of IPs, then when setting up an endpoint for a VM we could select the specific IP from the block for the endpoint.44 votes
We currently offer the option of reserving single IPv4 public addresses. Reservation of blocks of IPv4 and IPv6 public addresses is, unfortunately, still in work- we apologize for the delay.
On a related topic, Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP…inbound and outbound initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/
- Don't see your idea?