Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Monitor Application Gateway Load

      Provide a way to monitor Application Gateway CPU/Memory in order to track load. It's hard to know only based on current access/http errors when the WAF is under heavy preasure and we need to scale it up.

      138 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      There is no plan currently to offer these system level metrics for Application Gateway Standard (V1). However, we are planning to offer more observability with our new Autoscaling version (V2) of Application Gateway/WAF. We already offer Capacity Units as a metric which gives you a sense of the traffic load on your Application Gateway. More are planned for V2. Please send in your specific feedback via https://aka.ms/ApplicationGatewayCohort

    2. Is it possible to expose Azure blob storage via Application Gateway

      Expose Azure blob storage via Application Gateway.

      I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.

      This would allow scanning for malicious content via virtual appliances before content is stored in blob.

      133 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      5 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    3. Application Gateway WAF support gzipped content in the request body

      Application Gateway WAF does not support gzipped content in the request body.

      41 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      4 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    4. vnet peering too expensive

      Best practices are to create a subscription for ExpressRoute and then peer VNets for different subscriptions. This doubles the cost of traffic to and from Azure making it a non start for most. It is understandable to have costs between regions, but for networking that would be no cost if in the same subscription, why is there then a cost for my networks in my two subscriptions in the same region? These cost make it impossible to follow best practices for security, design, partner management, etc.

      27 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Speed/Bandwidth  ·  Flag idea as inappropriate…  ·  Admin →
    5. Enable Jumbo Frames with Accelerated Network

      Accelerated Network still has MTU = 1500, which creates too much overhead at 30 Gb/s speed. Would be helpful to have it at 9000 by default or at least configurable.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    6. custom domain verification for Azure users is a hassle and blocker

      We are setting up an Azure tenant which we want to link to VSTS in order to create a Devops infrastructure.

      To do so we need to add a custom domain in the Azure tenant's AD, but this is impossible because the domain is already listed in another AD (the one used by our Office365 tenant).

      So now we need to use a separate domain, and change all users in VSTS???

      Please remove this barrier....

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    7. Built-in policy to audit VNet rules / usage of service endpoints

      Built-in policy to audit VNet rules / usage of service endpoints

      More and more services in Azure have the ability to use service endpoints (e.g. Azure SQL Database, Azure Storage Account, Azure Data Lake, ...)

      This is necessary to fulfill IT-Security requirements and helps to restrict the access to critical Azure service resources from only specific virtual networks.

      At the moment there is no built-in policy / initiative to audit the usage of these service endpoints.

      Would be possible provide a built-in policy / initiative for this case?

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    8. Transparent interception for security appliances

      Allowing a method of transparent interception for network/security appliances to allow them to operate, but still be able to take advantage of configuring new applications completely via ARM.

      e.g. new app has external load balancer, 3 tier of VMs etc. But we could slot an IPS in between Ext Load Balancer and Web tier, or outside ELB etc.. Without having to also configure a Layer 3 policy & NAT on security appliance.

      Ideally have options of both inline, and "SPAN" mode. and be able to attach to Load Balancers, NICs, and where there are tags, eg 'Internet' routes.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)

      Hi Peter, Thanks for the suggestion, Looks like you are looking for a way to be able to get ERSPAN or port mirroring functionality that can be transparently switched on any VM , and if you slot in a IPS/advanced inline processing functionality of your choice that acts a collector to obtain and do what it needs to do, that would do the job, is that right?

    9. List the private IP address of a virtual network gateway

      Show the private IP address of a virtual network gateway in the "Connected devices" blade.

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)

      Hi,

      Currently, the gateway private IP addresses are not required for configurations or operations, other than the GatewaySubnet range. They should have been hidden from users. The gateway resource model does not have a field for those either.

      There may be use cases for new features down the road. We will update the gateway resource model accordingly and expose those properly.

      Thanks,
      Yushun [MSFT]

    10. Need more information from Log Analytics for App Gateway.

      We see 400 errors in Log Analytics. We don't see these connections on the web servers. We think the App gateway is dropping traffic. Support doesnt seem to know why this happens. We don't have enough good information to track these issues. requestQuery_s is blank, MS support cannot tell me what this is, let alone what it means if it is blank.
      We need more information.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    11. Ability to enable/disable vm members on a pool without reconfiguring the gateway

      Occasionally we need to take one of the member in the pool for troubleshooting/debugging. This require to bring down the gateway at least 15-30 minutes. If possible to quickly enable/disable the member vm without long downtime.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

      Adding/removing backend pool member would not affect live traffic – even while updates are ongoing. Updates on the gateway today are slow and we are working on enhancing this experience. We have a private preview program ongoing currently, for quicker updates and you can sign up for it by emailing me.

      Thanks,
      Amit [MSFT]

    12. Cross-subscription VNet (Shared VNet)

      A virtual network that spans subscriptions. Multiple different subscriptions can deploy to the same virtual network in a region.

      If you are interested in this feature, please up-vote and add details about your company/scenario.

      We appreciate the feedback.

      - VNet Team [MSFT]

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      need-feedback  ·  0 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
    13. Make default ssl settings more secure (https://www.ssllabs.com gives only B-rate).

      When we deploy SSL listener with default settings, ssl configuration in not very secure (although acceptable for some services). Popular checker https://www.ssllabs.com gives just B-rate for this. You can check recommendations for example looking at report for our sample AGW deployed with default settings https://www.ssllabs.com/ssltest/analyze.html?d=tb-ag-dev.textback.io

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
    14. Audit logs for DNS record changes

      Multiple people have access to our DNS zones. We would like to know who changed what.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    15. create a non-disruptive an Azure VNET address space update to ER

      create a non-disruptive an Azure VNET address space update to advertise prefixes to expressroute. Currently there is no way to do this without knocking down the connection for a period of time - breaking connectivity between the azure data center and on-premise data center.

      5 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    16. stop letting non-Azure Microsoft networks use BGP routes that Azure learns through ExpressRoute. This easily leads to asymmetric routing.

      stop letting non-Azure Microsoft networks use the BGP routes that Azure learns through ExpressRoute. This leads to asymmetry in many cases.

      Also, the current behavior lets bandwidth hungry Microsoft services like Windows Update consume the bandwidth and metered data of ExpressRoute.

      As of today, companies using ExpressRoute need to set up their network in an unnecessary complicated way to avoid this problem.

      One way to do it is to only announce a small prefix, and use that prefix for NAT'ing all the traffic destined for Azure services over ExpressRoute.
      Then one has to make sure that all traffic destined for…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      need-feedback  ·  1 comment  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
    17. Introduce managed SSL for Microsoft Azure

      This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    18. Public IP Address Lock Period After Deletion

      It would be valuable to have a lock period for a public IP address that has been deleted from Azure. A use case would be if a user accidentally removes a public IP address from the Azure Portal, az cli, terraform, etc., a lock period of ~30 minutes is put in place so that the user is able to recreate the public IP address resource and bind to the previously deleted IP address.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  IP addresses  ·  Flag idea as inappropriate…  ·  Admin →

      Hi Nate,

      Thanks for your feedback. In order to help reduce deleting dynamic Public IPs by accident, we added a feature in the Azure Portal that will prompt to ask customers if they want to reserve the IP address before deleting.

      In the future, we will default to Static Public IPs to prevent users from hitting this issue. However, we will not be building a lock mechanism.

      Hope this helps.

      - Anavi N [MSFT]

    19. Predefined Access Rules for Every Region

      Microsoft Azure should have predefined access rules for every region.
      For example, if someone wants to block traffic for every region except only one, should choose to allow for the specific one and add block rule for every other region.
      That would be good for DDos attacks

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    20. Local Network Watcher for End User for their Azure Instance

      Local Network Watcher possibly tied into Internet Connection API. No overhead and only fires when the connection drops or is having issues. Allows the user to input their own instances and is able to visually see where the issue might be and possible solutions. So a mini Network Monitor.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
    ← Previous 1
    • Don't see your idea?

    Feedback and Knowledge Base