Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Create Elastic IPs so we can actually create web addressable apps with full DNS, not *.cloudapp.net
Right now, you can't use DNS to make your primary web app run seamlessly on Azure. Azure needs to add elastic IPs so you can point a mydomain.com at an Azure IP, instead of the current *.cloudapp.net requirement.
1,781 votesWe do support Static Public IPs in Azure today that is equivalent to Elastic IP in AWS. Static Public IPs can be mapped to a VM’s NIC (elastic IP equivalent) or to a load balancer’s Front end IP.
Azure DNS (preview feature) allows you to map an IP address (as opposed to an cloudapp.net domain) to a custom DNS name.
The request made here is satisfied by combining the two solutions explained above.
-
Provide DNS Services for my domains and sub-domains
DNS is crucial - if it's down, my Azure web roles are down. I don't trust GoDaddy and Verisign with my production DNS, so I either need to have on-premise load balanced DNS servers or pay someone to do it. It would be great if Windows Azure took care of this for me.
1,500 votesAzure DNS is now Generally Available, see https://azure.microsoft.com/blog/azure-dns-general-availability/ for the announcement blog post.
Thank you for your feedback and please continue to submit your suggestions and vote for others.
-
Either add Point-to-Site SSTP VPN clients for Mac/Linux or enable other connectivity options
With Azure trying to attract more than just Windows devs, we need to be able to VPN using non-Windows platforms for point-to-site connections.
1,467 votes70 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →We have announced IKEv2 P2S which is how Non-Windows clients can connect to Azure; and we have documentation on how to do this with Mac OS. You can find more details here: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Thank you for your patience.
Bridget [MSFT] -
Publish the the list of Traffic Manager Probe IPs
We have several VMs which provide a service to our web roles. We use traffic manager to loadbalance between these VMs.
As the the only valid traffic to these VMs is from our webroles, our office or the TM probes, we use windows firewall on the VMs to restrict all other traffic.
The issue we have is that the traffic manager Probe IPs change on occasion.
If the list of Probe IPs was published, we could ensure that our FW rules are kept upto date ensuring that TM is doing it's supposed to be doing!
1,351 votesThis feature has been completed. The IP addresses used by the Traffic Manager health checks are now fixed, and can be included in ACLs/firewall whitelists.
The list of health check IP addresses is published here: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring#faq
For services in Azure, we are planning in future to make it easier to whitelist these IP addresses via a pre-defined NSG rule.
This feature is available in the Azure Public Cloud. It is not yet deployed to the Azure China Cloud, German Cloud, or FedGov Cloud.
-
Provide Reverse DNS (PTR records) for Virtual Machines
Currently, you cannot operate a Microsoft Exchange Server on Windows Azure. Well, you can, but don't expect to be able to send email to anyone on AOL, Comcast, and a multitude of other domains. The reason is that these providers REQUIRE that the sending IP address have a reverse lookup.
For simplicity (and a quick implementation by Microsoft), I suggest that you simply provide the option for a Reverse lookup or not. So if your VM is named myserver.cloudapp.net, then the reverse lookup on the current IP would return that name.
Is this something you can do quickly? I'm having…
1,283 votesThis feature is now completed—we support reverse DNS for both IaaS and PaaS cloud services. You can use either the Azure-provided ‘cloudapp.net’ name or your own vanity domain name.
For full details, please see this blog post: http://azure.microsoft.com/blog/2014/07/21/announcing-reverse-dns-for-azure-cloud-services/
-
Allow assigning and removing (and swapping!) reserved IP's on cloud services
It is unfortunate right now you cannot just assign or remove reserved ips on a cloud service (or use them with cloud services in Affinity Groups).
We have different cloud services for different environments and it would be great to be able to swap the reserved IP to the current production service. Technically it doesn't need to take the VIP from the cloud service it is swapping with rather just obtain a new (or use its old VIP) once the reserved IP is gone.
Right now reserved IP's are extremely immobile.
1,278 votesWith recent announcements at the Ignite conference we now allow associating and disassociating reserved IPs on cloud services. Read update here: http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-reserved-public-ip/
-
Possibility to change default gateway and force traffic via 3rd party gateway deployed as vm in Azure.
Traffic generated by VMs in Azure is not possible to be filtered or monitored right now. As there are vendors offering this type of functionality, it would be great to redirect machines to 3rd party gateway running in the cloud. Implementation for Azure team is trivial: change one dhcp option and disable default Azure gateway.
1,154 votes10 comments · Security (ACLs, Firewalls, Intrusion Detection) · Flag idea as inappropriate… · Admin →This feature was released in Ignite 2015, and is available in all Public Azure globally. Please check the documentation link:
http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/
Thanks,
Yushun [MSFT] -
Multiple Network Interface Cards on VM
This is a big restriction where we cannot assign multiple IP addresses to a single VM.
There could be several design considerations that demand this,
- two public IP's on a Single V,
- internal IP address on one NIC to route traffic inside Azure private cloud and one public IP (for DNS or whatever other service that needs to be reached over a secure tunnel964 votesAnnounced at Ignite.
-
allow multi-site VPN's using static gateways
being restricted to only one VPN when using a static gateway is extremely limiting. This means that once a static VPN has been created between a VNet and a site (i.e. our office) we have no way of connecting the Azure Vnet to another VNet using a different VPN i.e. no multi-site VPN feature if a static gateway has to be used for ANY VPN. This stops any other connectivity into the VNet apart from enpoints and ACL's which is both less secure and messy to manage.
927 votes53 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →Folks,
This work is completed from our side. As long as your VPN devices support IKEv2, you can leverage Azure route-based VPN with custom policy (UsePolicyBasedTrafficSelectors) to connect to your policy-based VPN firewalls. Please refer to this link for more details:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
Thanks,
Yushun [MSFT] -
add a source tag for Azure Datacenter IPs to NSG Rules
On the following link, we are able to get the list of the azure datacenter / endpoint IPs that are actually used.
https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=41653
Please add a source tag like INTERNET or VIRTUALNETWORK to use Azure IP addresses in NSG rules.
917 votes40 comments · Security (ACLs, Firewalls, Intrusion Detection) · Flag idea as inappropriate… · Admin →Thanks for the feedback, the service tag is already available, the name is AzureCloud and can be used in GA quality on all regions, it contains all public IP addresses advertised on the XML publication.
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
-
Support apex (naked) domains more seamlessly
Some things work, other things don't. I can setup an apex domain, but to get SSL working on an apex domain in hosted cloud service web role requires tweaking. Traffic manager doesn't work with apex domains.
Azure needs a DNS service like Amazon's Route 53. (http://aws.amazon.com/route53/)830 votesWe just announced support for Alias records in Azure DNS public zones. See our blog post here: This is now available with Azure DNS in the form of support for Alias records. See our blog post here: https://azure.microsoft.com/en-us/blog/announcing-alias-records-for-azure-dns/
You can point to any Public IP-backed resource (such as AppGW) or a Traffic Manager profile (with external endpoints) from your apex (naked) domain.
-
Allow S2S VPNs from multiple sites to one Virtual Network
Allow connection to VPN from multiple sites even from sites which are on Dynamic IP addressed to use azure as central site and others a branch offices
As well as allow the possibility of windows machines with direct access to connect to azure VPN
666 votes86 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →We have announced the general availability of the Multi-Site VPNs (or Multiple S2S VPNs) in TechEd 2014. A quick start page is available on the configuration:
http://msdn.microsoft.com/en-us/library/azure/dn690124.aspx
Please let us know if you have any questions.
Thanks!
Yushun [MSFT] -
Add the ability to set firewall rules at the subnet level
I would like the ability to set firewall rules at the subnet level in order to create a properly segmented network (i.e. DMZ vs. Internal).
630 votes8 comments · Security (ACLs, Firewalls, Intrusion Detection) · Flag idea as inappropriate… · Admin →Network Security Groups delivers this capability.
-
Network Security Group logging capabilities to show dropped packets
Enable Network Security Group logging capabilities to show dropped packets.
Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.
500 votes17 comments · Security (ACLs, Firewalls, Intrusion Detection) · Flag idea as inappropriate… · Admin →Released in Public Preview as part of the Network Watcher service
-
Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway
Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps…
482 votesThis is available now. Now users can reference SSL certificates from Key Vault in the Application Gateway. Also, it periodically checks for any updated certificate in the Key Vault and updates the certificate automatically (auto renewal). Read more about it here: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs
Note: This is only supported for SSL Certificates in the listener and not for Backend authentication certificates or Trusted root certificates.
-
Azure Load Balancer to support HTTPS probes
Currently it is not possible to utilise a HTTPS (port 443) probe against a backend pool and as a result you must use either port 80 or a TCP probe which isn't the same as actually making a HTTPS request and testing the HTTP response code.
481 votesThis feature is now available for Standard Load Balancers. Please take a look at https://aka.ms/lbprobes for details.
-
VPN Gateway monitoring
It would be great to have monitoring options in the azure portal which would show the bandwidth usage and throughput charts. It would help in figuring out if the 100mbps limit of the standard gateway sku is being hit at peak loads. If the details can be further provided for each individual site-to-site or point-to-site connection then that would be great thing to have. It would help immensely in finding out which connection is hogging the bandwidth the most.
434 votes24 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →You can monitor VPN status using Azure Monitor and Azure Resource Health Check.
-
Site to Site VPN: allow local network range to include Azure VNET range
I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network be overlapping.
Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…429 votesWe’ve removed this constraint. Please let us know if you are still experiencing any issues.
-
OSPF / BGP advertising from Azure to on-premisis network
In order to ensure full resiliency to the Azure Network, I would like to be able to create two VPNs to two different geographical points on our physical network. Then use BGP to advertise the IP Ranges hosted in Azure, from Azure. This will allow the route to fail over to the second VPN automatically should the first fail for whatever reason
421 votesBGP support is added to Azure VPN gateways (route-based, standard/highperformance). Please refer to the documentation pages:
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-bgp-overview/
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-bgp-resource-manager-ps/Thanks,
Yushun -
Auto-connect for point-to-site VPN.
When the device is restarted, or internet connectivity is regained, the device automatically connects to the VPN again.
401 votes20 comments · VPN Connectivity (Point-to-Site, Site-to-Site) · Flag idea as inappropriate… · Admin →This is supported today with Windows 10 clients. Please refer to following document https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections
- Don't see your idea?