Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Create Elastic IPs so we can actually create web addressable apps with full DNS, not *.cloudapp.net

      Right now, you can't use DNS to make your primary web app run seamlessly on Azure. Azure needs to add elastic IPs so you can point a mydomain.com at an Azure IP, instead of the current *.cloudapp.net requirement.

      1,781 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      54 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →

      We do support Static Public IPs in Azure today that is equivalent to Elastic IP in AWS. Static Public IPs can be mapped to a VM’s NIC (elastic IP equivalent) or to a load balancer’s Front end IP.

      Azure DNS (preview feature) allows you to map an IP address (as opposed to an cloudapp.net domain) to a custom DNS name.

      The request made here is satisfied by combining the two solutions explained above.

    2. Provide DNS Services for my domains and sub-domains

      DNS is crucial - if it's down, my Azure web roles are down. I don't trust GoDaddy and Verisign with my production DNS, so I either need to have on-premise load balanced DNS servers or pay someone to do it. It would be great if Windows Azure took care of this for me.

      1,500 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      33 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    3. Either add Point-to-Site SSTP VPN clients for Mac/Linux or enable other connectivity options

      With Azure trying to attract more than just Windows devs, we need to be able to VPN using non-Windows platforms for point-to-site connections.

      1,464 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      71 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. Publish the the list of Traffic Manager Probe IPs

      We have several VMs which provide a service to our web roles. We use traffic manager to loadbalance between these VMs.

      As the the only valid traffic to these VMs is from our webroles, our office or the TM probes, we use windows firewall on the VMs to restrict all other traffic.

      The issue we have is that the traffic manager Probe IPs change on occasion.

      If the list of Probe IPs was published, we could ensure that our FW rules are kept upto date ensuring that TM is doing it's supposed to be doing!

      1,351 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      11 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →

      This feature has been completed. The IP addresses used by the Traffic Manager health checks are now fixed, and can be included in ACLs/firewall whitelists.

      The list of health check IP addresses is published here: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring#faq

      For services in Azure, we are planning in future to make it easier to whitelist these IP addresses via a pre-defined NSG rule.

      This feature is available in the Azure Public Cloud. It is not yet deployed to the Azure China Cloud, German Cloud, or FedGov Cloud.

    5. Provide Reverse DNS (PTR records) for Virtual Machines

      Currently, you cannot operate a Microsoft Exchange Server on Windows Azure. Well, you can, but don't expect to be able to send email to anyone on AOL, Comcast, and a multitude of other domains. The reason is that these providers REQUIRE that the sending IP address have a reverse lookup.

      For simplicity (and a quick implementation by Microsoft), I suggest that you simply provide the option for a Reverse lookup or not. So if your VM is named myserver.cloudapp.net, then the reverse lookup on the current IP would return that name.

      Is this something you can do quickly? I'm having…

      1,283 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      87 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    6. Allow assigning and removing (and swapping!) reserved IP's on cloud services

      It is unfortunate right now you cannot just assign or remove reserved ips on a cloud service (or use them with cloud services in Affinity Groups).

      We have different cloud services for different environments and it would be great to be able to swap the reserved IP to the current production service. Technically it doesn't need to take the VIP from the cloud service it is swapping with rather just obtain a new (or use its old VIP) once the reserved IP is gone.

      Right now reserved IP's are extremely immobile.

      1,278 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    7. Possibility to change default gateway and force traffic via 3rd party gateway deployed as vm in Azure.

      Traffic generated by VMs in Azure is not possible to be filtered or monitored right now. As there are vendors offering this type of functionality, it would be great to redirect machines to 3rd party gateway running in the cloud. Implementation for Azure team is trivial: change one dhcp option and disable default Azure gateway.

      1,154 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      10 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    8. Multiple Network Interface Cards on VM

      This is a big restriction where we cannot assign multiple IP addresses to a single VM.

      There could be several design considerations that demand this,
      - two public IP's on a Single V,
      - internal IP address on one NIC to route traffic inside Azure private cloud and one public IP (for DNS or whatever other service that needs to be reached over a secure tunnel

      964 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      33 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    9. allow multi-site VPN's using static gateways

      being restricted to only one VPN when using a static gateway is extremely limiting. This means that once a static VPN has been created between a VNet and a site (i.e. our office) we have no way of connecting the Azure Vnet to another VNet using a different VPN i.e. no multi-site VPN feature if a static gateway has to be used for ANY VPN. This stops any other connectivity into the VNet apart from enpoints and ACL's which is both less secure and messy to manage.

      927 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      53 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. add a source tag for Azure Datacenter IPs to NSG Rules

      On the following link, we are able to get the list of the azure datacenter / endpoint IPs that are actually used.

      https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=41653

      Please add a source tag like INTERNET or VIRTUALNETWORK to use Azure IP addresses in NSG rules.

      917 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      40 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    11. Support apex (naked) domains more seamlessly

      Some things work, other things don't. I can setup an apex domain, but to get SSL working on an apex domain in hosted cloud service web role requires tweaking. Traffic manager doesn't work with apex domains.
      Azure needs a DNS service like Amazon's Route 53. (http://aws.amazon.com/route53/)

      827 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      32 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →

      We just announced support for Alias records in Azure DNS public zones. See our blog post here: This is now available with Azure DNS in the form of support for Alias records. See our blog post here: https://azure.microsoft.com/en-us/blog/announcing-alias-records-for-azure-dns/

      You can point to any Public IP-backed resource (such as AppGW) or a Traffic Manager profile (with external endpoints) from your apex (naked) domain.

    12. Allow S2S VPNs from multiple sites to one Virtual Network

      Allow connection to VPN from multiple sites even from sites which are on Dynamic IP addressed to use azure as central site and others a branch offices

      As well as allow the possibility of windows machines with direct access to connect to azure VPN

      666 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      86 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    13. Add the ability to set firewall rules at the subnet level

      I would like the ability to set firewall rules at the subnet level in order to create a properly segmented network (i.e. DMZ vs. Internal).

      630 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    14. Custom domain HTTPS support for Azure CDN from Akamai

      This is supported for Azure CDN from Verizon profiles (https://azure.microsoft.com/en-us/blog/announcing-custom-domain-https-support-with-azure-cdn). Also add this support for Azure CDN from Akamai.

      591 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      12 comments  ·  Content Delivery Network  ·  Flag idea as inappropriate…  ·  Admin →
    15. Enable ICMP traffic to Azure VMs over the Internet

      There are several scenarios that ICMP traffic to Azure VMs is necessary. Specially for monitoring tools that requires this kind of communication. When the time this was written, AWS offers ICMP traffic controlled by endpoints, which is not possible with Azure VMs endpoints.

      565 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      37 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    16. Network Security Group logging capabilities to show dropped packets

      Enable Network Security Group logging capabilities to show dropped packets.

      Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.

      500 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      17 comments  ·  Network Security Groups  ·  Flag idea as inappropriate…  ·  Admin →
    17. Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway

      Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps…

      482 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      26 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      This is available now. Now users can reference SSL certificates from Key Vault in the Application Gateway. Also, it periodically checks for any updated certificate in the Key Vault and updates the certificate automatically (auto renewal). Read more about it here: https://docs.microsoft.com/en-us/azure/application-gateway/key-vault-certs

      Note: This is only supported for SSL Certificates in the listener and not for Backend authentication certificates or Trusted root certificates.

    18. Azure Load Balancer to support HTTPS probes

      Currently it is not possible to utilise a HTTPS (port 443) probe against a backend pool and as a result you must use either port 80 or a TCP probe which isn't the same as actually making a HTTPS request and testing the HTTP response code.

      478 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      10 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    19. VPN Gateway monitoring

      It would be great to have monitoring options in the azure portal which would show the bandwidth usage and throughput charts. It would help in figuring out if the 100mbps limit of the standard gateway sku is being hit at peak loads. If the details can be further provided for each individual site-to-site or point-to-site connection then that would be great thing to have. It would help immensely in finding out which connection is hogging the bandwidth the most.

      434 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      24 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    20. Site to Site VPN: allow local network range to include Azure VNET range

      I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network be overlapping.
      Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…

      429 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1 3 4 5 15 16
    • Don't see your idea?

    Feedback and Knowledge Base