Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Let's Encrypt Integration for HTTPS certificates
It should be possible to define a list of SSL hostnames. Application Gateway should automatically acquire and renew certificates for all given hostnames (most probably through the HTTP domain validation process).
For every request, Application Gateway should use the correct certificate based on the hostname.
Supporting multiple hostnames is critical to use Let's Encrypt with multi-site routing.
764 votes
This is on our long term roadmap.
-
Support server-sent events
Azure Application Gateway apparently does not support server-sent events. This surprised me, since SSE really is just HTTP. However, after quite a bit of testing, and asking on the forum, I can confirm it does not.
SSE is an arguably better way of doing server push than websockets, which are a lot more complex. We rely heavily on it, so hope it will be prioritized.
Best regards,
Alf
225 votes
-
WAF file size limit to be increased
Currently as the WAF limit is set to 100mb, we cannot process our large files which could hit 500mb for example.
Can you please increase the WAF file size limit? To possibly 1GB / 2GB
172 votes
We are reviewing increased limits. We have not finalized the supported size.
-
Support chunked file transfers through Azure Application Gateway + WAF
This is an issue with the WAF's configuration of OWASP.
When the WAF is in protection mode, it is currently not possible to use the js File API to upload files in a chunked manner to an application behind the Application Gateway. Some of the "chunks" get blocked by the firewall (see attached). This doesn't happen to all chunks but it is common enough that a 100mb file will probably encounter the issue.
I have created a barebones test website which reproduces the issue here: https://github.com/elexisvenator/AzureWAF-chunked-upload-test
I have contacted the OWASP ModSecurity project, who have responded that the Firewall rule…
169 votes
-
Add effective route for gateway subnet UDR
Allow effective routes to be viewed for troubleshooting when a UDR is applied to a gateway subnet
101 votes
Thank you for your suggestion. Showing effective NSG and Routes in ARM is available. Is this what you are looking for?
-
When Azure-application-gateway will update with support of TLS 1.3
Akamai-CDN recommended with TLS 1.3 but Azure-application-gateway is not available with the same.
Due to this issue, we have seen url-access issues over Akamai.
So we have moved to Azure-traffic-manager\Azure-Load balancer.
80 votes
Support for TLS 1.3 is under review and is on long term roadmap. We do not have a firm ETA yet.
-
Application Gateway should support OAuth2 and/or JWT token validation
Azure Application Gateway should support OAuth2 and/or JWT token validation so it can be used as a reverse proxy.
76 votes
-
Feature request: Changing idle timeout for Application Gateway with private IP address.
Currently we can specify timeout only to a public IP address of Application Gateway. But we can’t change the timeout of a private IP of Application Gateway. Can you add a new feature to allow us to specify timeout for private IP address too.
72 votes
-
Application Gateway Disable Probe
It's impossible to host non-HTTP processes behind an application gateway due to the health probes. I run a Service Fabric cluster and want the TCP management endpoint (19000) to be available through the gateway so I can take advantage of other offerings. The endpoint is marked as dead since it doesn't respond to HTTP/S requests. If the AGW could support TCP health checks or allow marking a service as always-up I could accomplish my goal.
43 votes
-
There is no way for us to find the private IP assigned for the application gateway in the back end. Hence please improve this feature.
There is no way for us to find the private IP assigned for the application gateway in the back end. Hence please improve this feature. Please have it enabled for the GUI, so that this can be useful to troubleshoot any network issues.
38 votes
-
Capability to apply WAF rules to each path rule.
One of the customers wants capability to apply WAF rules to each path. Can you consider that?
31 votes
Thank you for your suggestion. We are considering this for our roadmap.
-
Support traffic fork/shadowing/mirror on application gateway.
Support traffic fork/shadowing/mirror on application gateway. Sometimes we need to send shadow traffic to a testing/staging environment, and the best place to do this is layer 7 load balancer.
25 votes
Thank you for your suggestion. We are considering this for inclusion in our roadmap.
-
Support ESI (Edge Side Includes) in the Application Gateway and CDN like Varnish or Akamai.
ESI can be a great feature for server side content based integration (transclude of HTML fragments) in a microservice architecture. For more information please read: https://gustafnk.github.io/microservice-websites/#integrating-on-content
23 votes
Thank you for your suggestion. We are considering this for inclusion in our roadmap.
-
HEAD requests to monitor health
It would be nice to be able to use HEAD requests for health monitoring instead of full GET
18 votes
-
Is it possible to disable http 1.0 protocol in Azure App Gateway?
If the request is sent as HTTP 1.0 with a blank host header, the server may respond with its own internal IP (10.x.x.x) in the Location Header. This results in the internal IP address of the Real Server being exposed.
E.g.
Location: https://10.19.xx.***/
17 votes
-
Add MTOM support to the Microsoft WAF
We currently have a use case for utilizing MTOM to more efficiently transmit binary data in a SOAP-based service.
We are also trying to place the application behind a Microsoft WAF in Azure, but are unable to do so with the WAF in prevention mode as the WAF does not currently support/allow MTOM requests.
We reached out to Azure support and were told that:
"MTOM is not supported and it's not yet on implementations plans".
We are requesting that the Microsoft WAF team add support for making MTOM calls to a service that go through the WAF.
17 votes
Thank you for your suggestion. We are reviewing this request and will get back to you.
-
Show domain in logs
The access logs for the application gateway only show the routes. We use a single gateway to host multiple sites and some have similar folder structures, this makes evaluating access and tracing issues a bit difficult. It would be great if the actual domain (http://www.something.com) was listed in there too.
16 votes
-
Headers to identify health monitoring requests
My ApplicationInsights logs show all the health requests done by AG to monitor the health of the system.
I'd like to have the possibility to recognize health requests through specific headers so that I can skip standard HTTP pipeline and immediately return 200 status code, without logging the request
13 votes
-
Application Gateway: SSL Offload: OWASP Header support
Application Gateway: SSL Offload: OWASP Header support
When using an Application Gateway to provide SSL offloading, there are no OWASP security header options. Without them, sites using ssl offloading will remain vulnerable to multiple attacks.
Adding a security headers section to the WAF rules area will allow these to be set for SSL offload sites (and ssl passthrough ideally also). Alternately, these could be tied to each listener or the ssl policy.
This would allow sites that depend on these headers for COMPLIANCE in their industry to use this product without having to configure an expensive workaround for this basic…
12 votes
Support for HSTS is planned. Others still need review before we make a decision.
-
Prioritize Multi Site rules over Basic rules
Currently, basic rules take precedence over multi-site rules. Logically you want to go from granular to generic, so this really should work the other way around. For example, if I have a multi-site rule for sitea.com on port 443 that uses backend pool a and a basic rule that forwards everything else on 443 to pool b currently everything will go to pool b instead of the filtering action occurring.
10 votes
Currently the rules are matched by order. So if you have multi-site rule first in your configuration, it would take precedence. We take the feedback on most specific rule match and will be reviewing it for release.