For lift-and-shift of legacy systems, Application Gateway is very useful as we have different kinds of backends (VMs, Service Fabric, other PaaS services, etc.). The only missing capability is authentication, so we have to implement and configure authentication in various services, which is a big overhead. Otherwise, we have to give up Application Gateway and set up Nginx VMs instead.
I have also looked at Azure API Gateway, but it seems to be too specialized for public APIs, while our services also serve static content and ever-changing private APIs without Swagger definitions.
246 votes
Thank you for all the votes. We need more feedback on your scenarios. If you would like to get in touch with us for a discussion, please fill this form: https://aka.ms/ApplicationGatewayCohort
A virtual network that spans subscriptions. Multiple different subscriptions can deploy to the same virtual network in a region.
If you are interested in this feature, please up-vote and add details about your company/scenario.
We appreciate the feedback.
- VNet Team [MSFT]
Expose Azure blob storage via Application Gateway.
I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.
This would allow scanning for malicious content via virtual appliances before content is stored in blob.
163 votes
We are still under consideration for this feature. In the meantime, could you use Azure CDN to accomplish this?
I have created an Azure VMSS behind a public Azure Standard LB with an HTTP-based health probe. The Azure Load Balancer is working as expected. But if a VM is unhealthy, then it must be deleted or re-provisioned so that the machine can attain a healthy state again.
152 votes
I’d like to ask you for more feedback on this request please. Load Balancer doesn’t control the VMSS. I think what you’re looking for is a way for VMSS to replace any instances with a LB health probe status of 0. I’ve reached out to VMSS team to get their input. LB is likely not the right place to do this.
Provide a way to monitor Application Gateway CPU/memory in order to track load. It's hard to know, based only on current access/HTTP errors, when the WAF is under heavy pressure and we need to scale it up.
153 votes
There is no plan currently to offer these system level metrics for Application Gateway Standard (V1). However, we are planning to offer more observability with our new Autoscaling version (V2) of Application Gateway/WAF. We already offer Capacity Units as a metric which gives you a sense of the traffic load on your Application Gateway. More are planned for V2. Please send in your specific feedback via https://aka.ms/ApplicationGatewayCohort
Best practices are to create a subscription for ExpressRoute and then peer VNets for different subscriptions. This doubles the cost of traffic to and from Azure, making it a non-starter for most. It is understandable to have costs between regions, but for networking that would be free within the same subscription, why is there a cost for my networks in my two subscriptions in the same region? These costs make it impossible to follow best practices for security, design, partner management, etc.
85 votes
Thank you for your feedback.
We are evaluating what we can do in this space.
- Anavi N [MSFT]
Application Gateway WAF does not support gzipped content in the request body.
79 votes
Thanks for reaching out, can you please share your use case scenario?
Current endpoint monitoring in Traffic Manager only supports a relative path. For flexibility, it would be great to support a full URL path like http://www.example.com/health
66 votes
Traffic Manager constructs the probing URL by appending the endpoint FQDN with the relative path. So if the FQDN of your endpoint is example.com and a relative path is /index.html then the probing path would be example.com/index.html
You can also specify custom host header for each endpoint if required and set expected HTTP codes for the profile; in case the application does not return 200OK for the probes. Please see https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring
Could you elaborate on the scenario that would require absolute URLs for each endpoint?
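As an added illustration of the probing behaviour described in the reply above (example code, not part of the original thread or of Traffic Manager itself): the probe URL is the endpoint FQDN plus the relative path, and the two per-endpoint knobs mentioned, a custom Host header and the set of expected HTTP status codes, decide whether a backend counts as healthy. The snippet spins up a constructed local backend that returns 301 for /health unless the Host header is `app.contoso.example`, then sends probes the way a monitor would. The host names, port and status behaviour are assumptions for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_probe_url(endpoint_fqdn, relative_path, protocol="https", port=443):
    """Traffic Manager probes <endpoint FQDN> + <relative path>; the path must start with '/'."""
    if not relative_path.startswith("/"):
        raise ValueError("relative path must start with '/'")
    return f"{protocol}://{endpoint_fqdn}:{port}{relative_path}"


def parse_expected_codes(spec):
    """Parse an expected-status spec such as '200-299,301' into a set of integers."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def probe(host, port, relative_path, expected="200", custom_host_header=None, timeout=2.0):
    """Send one plain-HTTP GET probe and return (healthy, status); a connection
    failure is reported as (False, None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    headers = {"Host": custom_host_header} if custom_host_header else {}
    try:
        conn.request("GET", relative_path, headers=headers)
        status = conn.getresponse().status
    except OSError:
        return False, None
    finally:
        conn.close()
    return status in parse_expected_codes(expected), status


class _ConstructedBackend(BaseHTTPRequestHandler):
    # Assumed backend behaviour: /health is 200 only for the expected Host header,
    # otherwise it redirects (301); everything else is 404.
    def do_GET(self):
        if self.path == "/health" and self.headers.get("Host") == "app.contoso.example":
            self.send_response(200)
        elif self.path == "/health":
            self.send_response(301)
            self.send_header("Location", "http://app.contoso.example/health")
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Run three probes against the constructed backend and return their results."""
    server = HTTPServer(("127.0.0.1", 0), _ConstructedBackend)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        default = probe("127.0.0.1", port, "/health")                               # only 200 accepted
        widened = probe("127.0.0.1", port, "/health", expected="200-299,301")        # 301 accepted
        with_host = probe("127.0.0.1", port, "/health",
                          custom_host_header="app.contoso.example")                 # backend answers 200
    finally:
        server.shutdown()
        server.server_close()
    return default, widened, with_host


if __name__ == "__main__":
    print(build_probe_url("example.com", "/index.html"))
    print(run_demo())
```

The first probe fails with the default expectation because the backend redirects; widening the expected codes or sending the right Host header makes the same endpoint healthy, which is why those two settings, rather than an absolute URL, are usually what the scenario needs.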
Enable Load Balancer to serve multiple regions via a single global IP using anycast. GCP does this today. In Azure, you must use Traffic Manager and manually configure for the same effect. Also TM doesn't validate HTTPS while LB can.
29 votes
Please reach out with more details on your scenario.
Show the private IP address of a virtual network gateway in the "Connected devices" blade.
24 votes
Currently, the gateway private IP addresses are not required for configurations or operations, other than the GatewaySubnet range. They should have been hidden from users. The gateway resource model does not have a field for those either.
There may be use cases for new features down the road. We will update the gateway resource model accordingly and expose those properly.
Accelerated Networking still has MTU = 1500, which creates too much overhead at 30 Gb/s speed. It would be helpful to have it at 9000 by default, or at least configurable.
22 votes
Accelerated Networking offloads this function to hardware allowing the VM to send larger segments so the overhead should be minimal or even negligible. How are you measuring overhead?
We are setting up an Azure tenant which we want to link to VSTS in order to create a Devops infrastructure.
To do so we need to add a custom domain in the Azure tenant's AD, but this is impossible because the domain is already listed in another AD (the one used by our Office365 tenant).
So now we need to use a separate domain and change all users in VSTS???
Please remove this barrier....
15 votes
We didn’t see a reply on your specific AD setup. Please feel free to add more detail so we can understand the request more thoroughly.
Is it possible to add the switch "--internal-dns-name <Name>" for an internal load balancer?
This is possible for a NIC today; please add this to the load balancer.
12 votes
Hi there – thanks so much for the feedback.
Curious to know about your use case for this? This helps us plan and prioritize better.
Looking forward to hearing from you.
– Anavi N [MSFT]
Multiple people have access to our DNS zones. We would like to know who changed what.
11 votes
Have you tried the Activity Logs feature to see if it handles your use case? https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
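As an added example of what the Activity Log gives you for this question (not part of the original thread, and not Microsoft code): every Resource Manager write or delete on a DNS zone or record set is logged with the caller, the operation name and the resource ID, so "who changed what" is a filter over those records. The sample below is a constructed, trimmed set of Activity Log entries in the JSON shape the log uses (`caller`, `operationName.value`, `resourceId`, `status.value`, `eventTimestamp`); the subscription, zone and user names are assumptions. In practice the same records come out of `az monitor activity-log list` or a Log Analytics export.

```python
import json
from collections import defaultdict

# Constructed sample: two succeeded changes, one "Started" duplicate of the first,
# one read, and one failed write by a service principal.
SAMPLE_ACTIVITY_LOG = """
{"eventTimestamp": "2019-03-04T10:02:10Z", "caller": "alice@contoso.example", "operationName": {"value": "Microsoft.Network/dnsZones/A/write"}, "resourceId": "/subscriptions/0000/resourceGroups/dns-rg/providers/Microsoft.Network/dnszones/contoso.example/A/www", "status": {"value": "Started"}}
{"eventTimestamp": "2019-03-04T10:02:11Z", "caller": "alice@contoso.example", "operationName": {"value": "Microsoft.Network/dnsZones/A/write"}, "resourceId": "/subscriptions/0000/resourceGroups/dns-rg/providers/Microsoft.Network/dnszones/contoso.example/A/www", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2019-03-04T11:15:40Z", "caller": "bob@contoso.example", "operationName": {"value": "Microsoft.Network/dnsZones/TXT/delete"}, "resourceId": "/subscriptions/0000/resourceGroups/dns-rg/providers/Microsoft.Network/dnszones/contoso.example/TXT/_acme-challenge", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2019-03-04T12:00:00Z", "caller": "bob@contoso.example", "operationName": {"value": "Microsoft.Network/dnsZones/read"}, "resourceId": "/subscriptions/0000/resourceGroups/dns-rg/providers/Microsoft.Network/dnszones/contoso.example", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2019-03-04T13:30:00Z", "caller": "9f3c1d2e-0000-4000-8000-000000000000", "operationName": {"value": "Microsoft.Network/dnsZones/write"}, "resourceId": "/subscriptions/0000/resourceGroups/dns-rg/providers/Microsoft.Network/dnszones/contoso.example", "status": {"value": "Failed"}}
"""

MUTATING_ACTIONS = {"write", "delete"}


def load_records(jsonl):
    """Parse JSON-lines Activity Log output into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def dns_changes(records):
    """Return (timestamp, caller, action, resourceId) for every succeeded DNS zone
    or record-set write/delete. 'Started' entries are dropped so each change is
    counted once."""
    out = []
    for rec in records:
        op = rec["operationName"]["value"]
        if not op.startswith("Microsoft.Network/dnsZones/"):
            continue
        action = op.rsplit("/", 1)[-1]
        if action not in MUTATING_ACTIONS:
            continue
        if rec["status"]["value"] != "Succeeded":
            continue
        out.append((rec["eventTimestamp"], rec["caller"], action, rec["resourceId"]))
    return sorted(out)


def changes_by_caller(records):
    """Group the change list by caller for a quick 'who touched DNS' summary."""
    grouped = defaultdict(list)
    for ts, caller, action, rid in dns_changes(records):
        grouped[caller].append((ts, action, rid.rsplit("/dnszones/", 1)[-1]))
    return dict(grouped)


if __name__ == "__main__":
    for caller, changes in changes_by_caller(load_records(SAMPLE_ACTIVITY_LOG)).items():
        print(caller)
        for ts, action, target in changes:
            print(f"  {ts}  {action:6}  {target}")
```

Failed attempts are filtered out here for the "who changed what" question, but they are worth a second query of their own: a burst of failed writes by an unfamiliar principal is exactly the signal an audit of a shared zone should surface.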
Built-in policy to audit VNet rules / usage of service endpoints
More and more services in Azure have the ability to use service endpoints (e.g. Azure SQL Database, Azure Storage Account, Azure Data Lake, ...).
This is necessary to fulfil IT security requirements and helps to restrict access to critical Azure service resources to only specific virtual networks.
At the moment there is no built-in policy / initiative to audit the usage of these service endpoints.
Would it be possible to provide a built-in policy / initiative for this case?
10 votes
Could you say more about your scenario? What would you like this audit to show?
Is it just how many service endpoints and what services?
- Anavi N [MSFT]
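One concrete answer to "what would you like this audit to show", as an added example that is not part of the thread and not an Azure Policy definition: for a storage account, service-endpoint restriction is visible in `properties.networkAcls`, where `defaultAction` must be `Deny` and at least one entry in `virtualNetworkRules` must point at a subnet. The script below classifies constructed storage-account resource JSON (same shape as `az storage account list` output; the names and subnet IDs are assumptions) into the three states such a policy would have to distinguish.

```python
# Constructed sample resources; only the fields the audit reads are included.
SAMPLE_STORAGE_ACCOUNTS = [
    {   # open to all networks: defaultAction Allow
        "name": "stlogspublic",
        "properties": {"networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []}},
    },
    {   # locked to a VNet via a service endpoint
        "name": "stdataprivate",
        "properties": {"networkAcls": {
            "defaultAction": "Deny",
            "virtualNetworkRules": [{
                "id": "/subscriptions/0000/resourceGroups/net-rg/providers/Microsoft.Network/"
                      "virtualNetworks/hub-vnet/subnets/app-subnet",
                "action": "Allow",
            }],
        }},
    },
    {   # Deny but no VNet rule: reachable only through Azure-service exceptions or IP rules
        "name": "stdenynorules",
        "properties": {"networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": []}},
    },
    {   # networkAcls absent entirely, which the platform treats as Allow
        "name": "stlegacy",
        "properties": {},
    },
]


def classify(account):
    """Return 'open', 'vnet-restricted' or 'deny-without-vnet' for one storage account."""
    acls = account.get("properties", {}).get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        return "open"
    rules = [r for r in acls.get("virtualNetworkRules", []) if r.get("action", "Allow") == "Allow"]
    return "vnet-restricted" if rules else "deny-without-vnet"


def audit(accounts):
    """Map each account name to its classification; 'open' is the finding a policy
    in Audit mode would raise."""
    return {acct["name"]: classify(acct) for acct in accounts}


def findings(accounts):
    """Names of accounts that are not restricted to a virtual network."""
    return sorted(name for name, state in audit(accounts).items() if state == "open")


if __name__ == "__main__":
    for name, state in audit(SAMPLE_STORAGE_ACCOUNTS).items():
        print(f"{name:16} {state}")
    print("findings:", findings(SAMPLE_STORAGE_ACCOUNTS))
```

The "deny-without-vnet" state is reported separately on purpose: it is not open to the internet, but it is also not using a service endpoint, so whether it counts as compliant depends on what the requester's policy is meant to enforce.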
Allowing a method of transparent interception for network/security appliances to allow them to operate, but still be able to take advantage of configuring new applications completely via ARM.
e.g. a new app has an external load balancer, 3 tiers of VMs etc. But we could slot an IPS in between the external load balancer and the web tier, or outside the ELB, etc., without having to also configure a Layer 3 policy & NAT on the security appliance.
Ideally have options of both inline and "SPAN" mode, and be able to attach to load balancers, NICs, and where there are tags, e.g. 'Internet' routes.
9 votes
Hi Peter, thanks for the suggestion. It looks like you are looking for a way to get ERSPAN or port-mirroring functionality that can be transparently switched on for any VM, and if you slot in an IPS/advanced inline processing function of your choice that acts as a collector to obtain the traffic and do what it needs to do, that would do the job. Is that right?
The current Azure Load Balancer checks are very basic. They should be extended to allow
* Custom headers added to HTTP checks
* Auth headers on HTTP checks
* Check returned content for a pattern
* Allow POST rather than GET with customisable content
* Accept other HTTP return statuses (for example, 3xx) as valid
* TCP checks should allow configuration of Send/Expect strings
* Maybe additional checks for such services as LDAP, DNS, etc
As a comparison, the popular HAProxy load balancer supports most of these capabilities.
9 votes
Thank you for the feedback.
When we deploy an SSL listener with default settings, the SSL configuration is not very secure (although acceptable for some services). The popular checker https://www.ssllabs.com gives just a B rating for this. You can check the recommendations, for example, by looking at the report for our sample AGW deployed with default settings: https://www.ssllabs.com/ssltest/analyze.html?d=tb-ag-dev.textback.io
9 votes
Default settings are for backward compatibility. Please use a pre-configured SSL policy with the newer policies like AppGwSslPolicy20170401 or AppGwSslPolicy20170401S.
We see 400 errors in Log Analytics. We don't see these connections on the web servers. We think the App Gateway is dropping traffic. Support doesn't seem to know why this happens. We don't have enough good information to track these issues. requestQuery_s is blank; MS support cannot tell me what this is, let alone what it means if it is blank.
We need more information.
7 votes
requestQuery_s contains the query string. It might be that these requests did not have a query string in the HTTP request. Could you look at the requestUri_s field to confirm?
Occasionally we need to take one of the members in the pool out for troubleshooting/debugging. This requires bringing down the gateway for at least 15-30 minutes. If possible, allow quickly enabling/disabling a member VM without long downtime.
6 votes
Adding/removing backend pool members would not affect live traffic, even while updates are ongoing. Updates on the gateway today are slow and we are working on enhancing this experience. We have a private preview program ongoing currently for quicker updates, and you can sign up for it by emailing me.