How can we improve Azure Networking?

Allow creation of NSG rules based on FQDN along with Ports

NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM

190 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Narayanababu Krishnan shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    6 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • Jeff Miles commented  ·   ·  Flag as inappropriate

        This is a really crucial feature that's missing right now.

        NIST recommendations are a "Deny by default" posture, even for outbound traffic. We want to adhere to this, and block all outbound, but need to add ability to access Windows Update, and other interfaces like *.argis.com.

      • Sean McNellis commented  ·   ·  Flag as inappropriate

        Please please please - those of us using DNS services (even large scale like cloudflare) could benefit from using FQDN based rules as sources. Additionally it helps secure RDP and VPN Services for clients that may be located at sites with Dynamic DNS.

      • Mario Lopez [MSFT] commented  ·   ·  Flag as inappropriate

        Thanks for the feedback, we have on our roadmap some features related to this problem

        System Tags for Microsoft services like SQL and Storage are going to be available to user to define NSG Rules in an abstract form, this Tags will be maintained by us to reflect only the services endpoints you use

        I Hope it helps, it's not the same but it goes on the same direction, to help users to create and managed his security rules in an abstract form.

      Feedback and Knowledge Base