Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Offer NAT as a Service

      There is often the need to connect two or more networks with overlapping addresses over a VPN in regulated industries. The address spaces (often 10.0.0.0/8) can't be changed, however a DMZ subnet can be introduced in each network from the 172.16.0.0/12 address space. The DMZ subnets will not overlap between any network.

      Just like the load balancer, make a NAT device a first class function citizen in virtual networking and allow us to define SNAT, DNAT or Full NAT. Feel free to require a dedicated subnet for the device.

      Then make it easier for custom route rules to route traffic…

      274 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      11 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    2. Support SNAT on internal Azure load Balancer

      Currently it seems Azure Internal Load Balancer does not support Source NAT.
      this mean that if 2 different services hosted on 2 different VM and the VM are on the same vnet the traffic is not load balanced if the ILB route the traffic to the same VM that start the request.
      example:
      Service A (exposed on port x) and B (exposed on port y) are hosted on VM 1 and VM2 on the same vnet.
      Service A has VIP z and Service B has VIP m.
      if service A is recalled via VIP z from VM 1 and ILB…

      239 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    3. HA Ports for Standard load balancers with Public IP

      Current review of HA ports only supports Internal LB without any public IP attached. The majority of NVA deployments are with Public IP attached to the LB.

      186 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      8 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    4. Allow ICMP ping to VIP (Allow Ping inbound)

      Vote for allowing UDP through the firewall. Such as ping inbound, because the ping are the minimal required for so much app.

      56 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      6 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    5. Standard Load Balancer should support using an "internal" IP address for probing the ports.

      The Standard Load Balancer and HA ports are are recommended for load balancing firewall appliances. However, the Load Balancer probe uses a common IP address for internal and external load balancers. This means that only the internal or external ports can be load balanced, which means that a messy Zookeeper alternative must be built to monitor the firewall availability.

      43 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      3 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →

      Typically this is addressed by SNAT’ing the probe source on the interface within the VM. This is how virtual appliances (firewalls, etc) typically address this scenario. Changing the probe source is non trivial and not likely in the near term.
      — Christian

    6. Allow Upgrade or Swap VIP also when number of endpoints has been changed

      Or allow the external IP address to be fixed/allocated to the Hosted Service.

      The scenario is that during the lifetime of the application you may need to modify the number of endpoints, and re-deploy the solution BUT KEEP PUBLIC IP.

      The best would be if Swap VIP could handle this - to avoid downtime, but I am willing to have some downtime as long as Upgrade is supported. This is to avoid service unavailable during the time DNS CNAME records are updated.

      41 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    7. allow custom host header for azure load balancer health probes

      HTTP health probes for Azure load balancer are hard-coded to use the IP of backend as their host headers. This forces the backend hosts have to be configured to allow its IP as one of its allowed domain. It's very surprising that Azure doesn't custom host header for HTTP(s) health probes. Please add custom headers for HTTP(s) heath probes; at least, host header support should be there.

      38 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    8. TLS termination of TCP/TLS traffic

      It would be useful for Azure Load Balancer to support TLS termination / offloading when using TCP/TLS traffic.
      Application Gateway can do it for HTTPs traffic but there is no way to do it for other protocols based on TLS.
      AWS can do it with the Network Load Balancer tier of AWS Elastic Load Balancing.

      25 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    9. Retry policy for failed requests on Application Gateway

      To reduce the number of 502 bad gateway requests that are served up Application Gateway should have a retry policy for failed requests, allowing it to move the the next available server. This would be especially useful when used in front of Service Fabric where services are moved between servers.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      unplanned  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    10. [Azure Front Door Service]Support password protected PFX

      Support password protected PFX for HTTPS

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    11. Attach second network interface to already running instance

      I would like to be able to attach new network interface to already started instance (single VM or VM in scale set)

      Reason for that is for example:
      https://www.credera.com/blog/technology-solutions/how-to-automate-zookeeper-in-aws/ (Option 3)

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Virtual Network  ·  Flag idea as inappropriate…  ·  Admin →
    12. Permit Outbound Rules to reference secondary IPconfigs

      Is there any plan to permit an "Outbound Rule" on an External Standard Load Balancer to reference a backend address pool that is in turn referencing a Secondary IPconfig of a Network Interface?

      Currently when I try this I get the following error:

      OutboundRule <outbound rule name> cannot be used with Backend Address Pool <backend pool name> that contains Secondary IPConfig <ip config name within a NIC>

      I am able to reference the first (primary) IP Configuration of a NIC - but this VM (a Palo Alto firewall) has multiple IP addresses on its external interface which we wish to…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    13. Support ipv6 for microsoft peering and receive IPv4 subnets over it

      Allow users to create microsoft peering using IPv6 and receive/advertise IPv4 subnets over it. This will save some IPv4 subnets for us.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      unplanned  ·  1 comment  ·  IPv6  ·  Flag idea as inappropriate…  ·  Admin →
    14. Start and stop Application Gateway on Azure portal

      Just like ios and andoroid's Azure app, I want the Azure Portal to be able to start and stop Application gateway.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    15. Configurable HTTP status code for Load Balancer Probe

      The HTTPS probe considers any HTTP status other than 200 to be a failure. Any response 200-299 should be considered a success. See https://tools.ietf.org/html/rfc7231#section-6.3

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Load Balancer  ·  Flag idea as inappropriate…  ·  Admin →
    16. Develop a tool that will import DNS zone files hosted at other providers like Route53

      Since many DNS providers do not allow you to export your zone files create a utility that will harvest them in a format that could be used to import them into Azure DNS.

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  DNS  ·  Flag idea as inappropriate…  ·  Admin →
    17. BGP Peering IP modification on different subnet

      Hey,
      For business purpose, we wanna offer an idea of selecting peering IP from non-GW subnet while using Azure VPN BGP. this IP was currnetly allocated from ge subnet. but we wanna change to specific IP . let's say our address space range is 10.0.0.0/16, but our GW subnet is 10.0.0.0/24, Peering IP is 10.0.0.254. but one of subnet is 10.13.100.70/28, we wanna change peering IP to 10.13.100.70. but this is impossible, could we make some changes in further?

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    18. Provide certificate-based authentication for S2S VPN

      Can you describe the technical reason why you decide not to offer this option when creating a s2s vpn and you offer only the phase1 pre-shared key method? The communications in Madrid HC Region are administered by Cesus and they follow directives from the Security Group of Madrid Digital (former ICM). In their form to require a s2s vpn only cert based is accepted for ipsec tunnels and without a clear technical reason it is almost impossible to negotiate an exception to shift to pre-shared key based phase 1 vpn

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Thank you for the suggestion. The key reasons for not offering cert-based IKE authentication is due to the additional compliance requirements and validations related to handling certificates. As a result, this is currently not on the roadmap.

      If certificate-based authentication is a requirement, currently customers will need to leverage a VPN appliances available from Azure Marketplace.

      Thanks,
      Yushun [MSFT]

    19. VNET GW packet filter

      Hi All.

      I would like to set up a packet filter for VPN GW.
      It is the same as RRAS packet filter setting.
      Inbound IP address and port range filter, and outbound IP address and port range filter.

      Our VNET is connecting between sites with customers' VNET and VNET GW. Even if it is attacked from outside the customer's VNET, I do not want to endanger our VNET. I would like to filter traffic arriving at VNET with source IP and destination port number.

      How can it be realized?

      regards.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  VPN Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base