Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Support URL rewriting with Application Gateway
PathBasedRouting is nice, but not super great without the ability to rewrite paths. I am trying to front a Service Fabric cluster, where multiple HTTP services live on http://+:80, at different path prefixes. Would be nice to use Application Gateway to direct https://api.company.com to http://cluster/api, and https://www.company.com to http://cluster/www
927 votesThank you for all the votes/feedback. We are unable to give an ETA in this public forum but please be assured this is one of our top priorities at the moment.
-
Allow Mutual SSL Auth on Application Gateway
At the moment SSL termination is possible with Application Gateway but it doesn't cater for instances where client authentication is required (mutual auth). So if client auth is required, SSL needs to be passed through and terminated on each of the web servers. This increases load across the server farm and makes management of certificates more difficult since all certs need to be maintained on all servers. I believe this function is available with API Management but the additional cost is hard to justify if one doesn't require the other additional features. So having mutual SSL auth capability built into…
500 votesThanks for all your feedback so far. This is something we are looking to address relatively soon. Please stay tuned.
-
Application Gateway: Support wildcard hosts in listeners
Our product creates dynamic DNS zones for our customers, e.g. foo.z1.contoso.com, bar.z2.contoso.com, etc. We use Azure DNS for this. (Notice that we stripe our customer's domains across multiple zones (z1, z2), because Azure DNS has a max record count of 5000.)
So, to support this, we have a wildcard SSL certificate for each zone e.g. *.z1.contoso.com, *.z2.contoso.com.
In order to have Application Gateway provide SSL termintation for us, we obviously need to create Multi-site listeners for port 443. Unfortuantely, the 'Host' field on the Multi-site listener does not accept wildcard entries. Furthermore, specifying the host name 'z1.contoso.com' does not appear…
484 votes -
Let's Encrypt Integration for HTTPS certificates
It should be possible to define a list of SSL hostnames. Application Gateway should automatically acquire and renew certificates for all given hostnames (most probably through the HTTP domain validation process).
For every request, Application Gateway should use the correct certificate based on the hostname.
Supporting multiple hostnames is critical to use Let's Encrypt with multi-site routing.
409 votesThis is on our long term roadmap.
-
Support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on Application Gateway
Azure Web Apps support the ability to store an SSL certificate in a Key Vault secret. A certificate resource can be created that references the Key Vault secret. The App service will periodically check for an updated SSL certificate in the Key Vault. The Application Gateway needs to have the same support for storing the SSL certificates in the Key Vault. It should be able to reference a Key Vault secret that contains the SSL certificate in the listener and backend HTTP settings configuration. This capability will allow the management of SSL certificates for Application Gateway and the Web Apps…
315 votesWe are planning to support SSL certificates stored in Key Vault secrets for listeners and backend HTTP settings on AppGw
-
Increase listener limit for Application Gateway
Application gateway has a very low listener limit (20 listeners / certificates). This severely limits it's usefulness for multi-tenant/domain applications where a web farm / service hosts many endpoints. IIS itself has no such small limit, but due to constraints on certificate deployment in cloud services, Application Gateway is the only clear path to wide scale SNI based SSL hosting. With it's low limit, it does not come close to meeting our use case. I would suggest the limit be removed or set to a very high limit like 10k+ so many certificates could be bound to host many different…
317 votesWe have raised the limit to 100 recently. We are regularly reviewing the limits and will continue to look for opportunities to raise the limits even further. If you have scenarios requiring limits higher than what is supported, please add your scenario details here (if you are comfortable with that) or raise an issue with Azure support and we will get back to you.
-
Enable Multiple IP addresses for Azure Application Gateway
Azure Application Gateway is a nice Service for Load Balancing Layer 7 HTTP and HTTPS traffic. Today, we can only attribute one IP address (Public or Private) to the Application Gateway Deployment. It is fundamental that a Load Balancer can support multiple IP addresses to provide flexibility (Based on many customers feedback)
252 votesWe started working on this.
-
Integration with Key Vault Certificates
It should be possible to select HTTPS certificates from Azure Key Vault. Since Azure Key Vault support auto-renewal of certificates, Application Gateway should also automatically update the certificates.
209 votes -
Azure Application Gateway WAF Mode Increase Limit on SecRequestBodyLimit
When we have the WAF set to prevention mode some of our HTTP post are denied with code 413.
Request body no files data length is larger than the configured limit (131072).. Deny with code (413)
Can you make these two settings configurable on the WAF?
SecRequestBodyLimit
SecRequestBodyNoFilesLimitThanks
Mark203 votesThanks for your feedback. This is planned as part of global waf configurable parameters.
-
Allow Static Public IP Address
Hi,
We currently have VMSS running inside a public Load Balancer, that ensures all the apps have the same Public IP address. This is important for us, as we need to be able to publish our IP Addresses for all clients to whitelist.We really want to move to using the Application Gateway, but can't because it doesn't support static Public IP addresses.
I don't believe there is a work around either?
182 votesThank you for your feedback. This is part of product roadmap.
-Amit -
Hibernate/pause a resource group or subscription
After talking to one of your Senior Support Engineers, they suggested I made a feature request for this.
I'd like to be able to pause, hibernate or otherwise stop a resource group or subscription so that it incurs minimal costs when not in use. I'm suggesting resource group or subscription as one may be easier to implement than the other. Ideally this would be done through ARM but I’d settle for doing it via PowerShell if needed.
I appreciate that VMs can be deallocated but we found that a customer's solution was still using approximately £200 a month due to…
179 votes -
Allow customization of Application Gateway WAF rule matching
I would like to be able to selectively remove some cookies and some HTTP headers from all rule application scans, on a case by case basis.
Problem Statement:
The web application firewall functionality of the application gateway scans the entire HTTP message, without the ability to customize where the scan will occur.This leads to false positives where scan pattern matches will detect suspicious characters in URL encoded blobs like security or access tokens, or in other arbitrary places like cookies.
The following Microsoft tools have caused this problem on my environment:
- Kudu tools for web applications
- API…175 votesThank you for the ask, we are reviewing this request.
-
Support for dropping port out of x-forwarded-for header
Hi,
I've seen some compatibility issues with the x-forwarded-for header as it comes in on the format IP:Port rather than just IP. It would be useful to be able to adjust this header to just provide IP without the port. I think this should be adjustable, so IP:Port or just IP being available options rather than just one or the other.
This would help x-forwarded-for being easy to parse on systems that only expect the IP to be sent through.
Thanks,
Neil
146 votes -
Authentication support for application gateway
For lift & shift of legacy systems, application gateway is very useful as we have different kinds of backends (VMs, service fabric, other PaaS services, etc.). The only missing capability is authentication, so we have to implement and configure authentication in various services, which is a big overhead. Otherwise, we have to give up application gateway but set up Nginx VMs instead.
I have also looked at Azure API Gateway, but it seems to be too specialized for public APIs but our services also service static contents and ever-changing private APIs without swagger definition.
126 votes -
WAF file size limit to be increased
Currently as the WAF limit is set to 100mb, we cannot process our large files which could hit 500mb for example.
Can you please increase the WAF file silze limit? To possibly 1GB / 2GB
123 votesWe are reviewing increased limits. We have not finalized the supported size.
-
Is it possible to expose Azure blob storage via Application Gateway
Expose Azure blob storage via Application Gateway.
I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public facing which does the SSL termination and forwards the request to blob.
This would allow scanning for malicious content via virtual appliances before content is stored in blob.
107 votesWe are still under consideration for this feature. In the meanwhile, could you use Azure CDN to accomplish this?
-
Support IPv6 in Application Gateway front-end public IP
Support IPv6 in Application Gateway front-end public IP
99 votes -
Support EV SSL cerrtificates in application gateway
Please support EV SSL certificates in Application Gateway. What is the reason they aren't supported already?
94 votesThank you for your feedback. This is part of product roadmap. We will send notification once this is completed.
Thanks,
Amit -
Insight in Azure application gateway performance
Currently there is no way to view usage statistics of the Azure application gateway. Information I would like to see:
* Per hour performance statistics (e.g. nr of connections, bandwith, CPU usage, etc.)
* Advice on number of required instances based on metrics from last few days with recommendations to increase or decrease the number of instancesRegards,
Jan-Willem
88 votesWe are working to provide the capabilities to our customers. Stay tuned.
-
Support chunked file transfers through Azure Application Gateway + WAF
This is an issue with the WAF's configuration of OWASP.
When the WAF is in protection mode, it is currently not possible to use the js File API to upload files in a chunked manner to an application behind the Application Gateway. Some of the "chunks" get blocked by the firewall (see attached). This doesn't happen to all chunks but it is common enough that a 100mb file will probably encounter the issue.
I have created a barebones test website which reproduces the issue here: https://github.com/elexisvenator/AzureWAF-chunked-upload-test
I have contacted the OWASP ModSecurity project, who have responded that the Firewall rule…
86 votes
- Don't see your idea?