Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Azure Firewall - managed backup function

      Azure Firewall is a managed service but as of now is missing some critical operational functions like backup/restore and audit trail. Please enhance the service to automatically backup configuration (i.e. rules) and allow for restore into existing or a new instance of the Firewall. Also, enable some reporting capability that will show a history of configuration/rule modifications (add/delete/update)

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    2. Add what network rule is matched in logging

      The Network rule log does not include the matching rule name like it does for Application rule log. In the Application rule log it reads "Action: Allow. Rule Collection: collection1000. Rule: rule1002" in the message, but Network rules end at "Action: Allow". It makes it hard to troubleshoot firewalls, and know what rule is causing the issue. It also makes it hard to introduce the firewall into an existing environment where you have to start with an allow all rule because you do not know if what rules are getting matched.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    3. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics. The Diagnostic log entry for Azure Firewall likes below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purpose on customer side, We want to have the rule collection name can be recorded as well, so that we know the traffic hits which rule.

      "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    4. Diagnostic log for Azure Firewall includes rule collection name and priority for each entry

      The current log format for Azure Firewall as following, Rule Name and Priority Number is not supported by Azure Firewall diagnostic log yet.

      We would like to suggest to add this two columns on Azure Firewall Diagnostic log, I believe it will help to troubleshoot any network connectivity in an effective way for end users. Thank you!

      Application Rule.

      {
      "category": "AzureFirewallApplicationRule",
      "time": "2018-04-16T23:45:04.8295030Z",
      "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
      "operationName": "AzureFirewallApplicationRuleLog",
      "properties": {

        "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
      

      }
      }

      Network Rule.

      {
      "category": "AzureFirewallNetworkRule",
      "time": "2018-06-14T23:44:11.0590400Z",
      "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
      "operationName": "AzureFirewallNetworkRuleLog",
      "properties": {

        "msg":
      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    5. Allow Azure Firewall to be deployed to different resource group to VNet

      Currently Azure firewall must be in the same RG as the VNet, which impacts current RBAC models.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    6. Integrate Azure Firewall with Just in Time VM Access

      I'd like to get rid of my NSGs but need to keep them around for Just in Time VM Access. It would be nice if that feature integrated with Azure Firewall instead of just the Network Security Groups.

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    7. Why does it take 5 minutes+ to save changes to Azure Firewall?

      Is it possible to make it quicker to save changes to Azure Firewall? A simple rule change takes upwards of 5 minutes to complete.

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    8. User / Group based Firewall Rules

      To move existing Webservices to Azure (Linux Webservers with internal Services) i would like to place them behind an Azure Firewall with Path Through Authentication against Azure AD, so that employees have access to the Ressource and any other access is blocked.I want to create Rules based on users not on IP-Addresses.

      Regards,
      Reiner

      7 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    9. FQDN like this 'gr-Prod-*.cloudapp.net' can not be set

      Even though this rule is mentioned in the docs here - https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration#fqdn-httphttps-dependencies, it's not possible to create because the portal says gr-Prod-*.cloudapp.net invalid FQDN.

      I know that ASE rules should be handled by Service Tags, but not in my case.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    10. Update Subscription Limits Documentation

      Update your subscription limits documentation. Your documentation makes no mention of the single public IP address limitation. https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#azure-firewall-limits. Thanks.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    11. Add Service Tag (Internet) to Azure Firewall Network Rule

      Hello Team,

      It would be nice to add some service tags like Internet in the network rule section when we have to configure an outbound rule to allow VMs to browse the Internet. The current option only allows for IPs, which makes it a bit difficult if one wants the VM to browse the Internet.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    12. Feeback regarding Firewall Deployment on Azure

      The following feedback has been posted by one of your customers regarding Deployments of Firewalls on Azure:
      "I did not recieve a cost per day when deploying, and no indication for the monthly cost via the analysis. So i was supprised that the cost in a matter of a few days exceeded 100. It was good that I triggered a cost alert. The dashboard should provide cost of FW up front, and a way to down the FW when the rest of the machines are turned off. I would like to run the VMs only when needed, so I would…

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    13. Rules disappear

      I've had several instances where rules are saved but then disappear. This occurs in both Edge and Chrome.

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    14. Consumption based pricing for Azure Firewall

      The fixed hourly cost of azure firewall makes it prohibitively expensive to use in low-volume scenarios. We don't want to be put in a situation where we have to make a financial decision that overrides security patterns/architectures. Please give us some more licensing options so that we can take this product and deploy comprehensively through our networks at any point of scale.
      Thanks,
      Ben

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    15. 3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    16. Windows KMS servicetag is missing in Azure Firewall

      I have several Azure Firewall deployments with Windows servers. I'm looking for KMS servicetag. I cannot use fqdn destination address because KMS is not using http/https. Please could you add this service tag ?

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    17. Add support for Azure Firewall in Cloud App Discovery

      Cloud App Discovery can digest firewall logs from known firewall brands. Manually or by implementing a log parsing container application.

      Please enable seamless integrations between Cloud App Discovery and Azure Firewall

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    18. Allow different ICMP packets through Virtual Networks

      Currently when defining rules under virtual networks you can only specify ICMP as a whole, you can not specify which type of ICMP packet is allowed

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    19. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    20. Azure Firewall showing up as "Other classic resources > Deployments"

      In Cost Management + Billing, Azure firewall cost shows up under the category "Other Classic Resources > Deployments. This can be misleading. I understand that Firewall billing is billed in two ways, But it should be better designated, so resources billing can be traced.

      Thanks

      Ref: Service request: 118111921002018

      2 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base