Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Azure Firewall: more granular threat intel rules and actions

      Currently the only choices for TI are: Alert or Deny. It would be nice to have a choice of actions based on threat category/severities/confidence.

      For example: block high confidence matches while only alerting on medium risks.

      Sites like abuseipdb.com often provide a "Confidence of abuse" level to indicate how likely it is that a given ip is abused. I assume TI internally uses a similar rating that could be used?

      3 votes
      0 comments  ·  Azure Firewall
    2. Make WAF accept application/octet-stream

      We do POST requests with content type application/octet-stream with binary content in it (user uploads archived binary data to server), it triggers 920420 rule with critical score (it blocks request immediately).
      - According to OWASP mod-security 3.0 source code it checks for tx.allowed_request_content_type variable that contains list of allowed content types - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L991
      - By default tx.allowed_request_content_type contains application/octet-stream so OWASP accepts POST requests with this content type - https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-901-INITIALIZATION.conf#L163
      - Looks like mod-security in Azure WAF has custom tx.allowed_request_content_type configuration without this content type

      It would be nice to synchronize mod-security…

      3 votes
      0 comments  ·  Azure Firewall
    3. Azure firewall Threat Intel logs: option to always add fqdn to "Deny" log entries

      When TI blocks by IP instead of fqdn (which it seems to do most of the time, given the amount of blocks we notice), it would be very useful for troubleshooting if AzFW would also log the fqdn the client is accessing (from TLS Client Hello packet) in addition to only the blocked IP from SYN packets.

      We are experiencing quite a lot of false positives for Google and GitHub shared IPs on fresh Win 10 VMs with basic dev tools like Chrome/VScode, and this would help pinpoint what legitimate fqdn the clients are trying to access.

      It's also quite…

      3 votes
      0 comments  ·  Azure Firewall
    4. Azure Firewall - Utilize Existing Subnet

      Azure Firewall should allow for deployment into an existing subnet, pending the requirements met for available IP address space.

      3 votes
      0 comments  ·  Azure Firewall
    5. Add support for Azure Firewall in Cloud App Discovery

      Cloud App Discovery can digest firewall logs from known firewall brands. Manually or by implementing a log parsing container application.

      Please enable seamless integrations between Cloud App Discovery and Azure Firewall

      3 votes
      0 comments  ·  Azure Firewall

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    6. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      triaged  ·  0 comments  ·  Azure Firewall
    7. Azure Firewall showing up as "Other classic resources > Deployments"

      In Cost Management + Billing, Azure firewall cost shows up under the category "Other Classic Resources > Deployments". This can be misleading. I understand that Firewall billing is billed in two ways, but it should be better designated, so resources billing can be traced.

      Thanks

      Ref: Service request: 118111921002018

      2 votes
      0 comments  ·  Azure Firewall
    8. Allow PowerBI Pro to be whitelisted in firewall rules of Azure resources

      I couldn't find any information or how to whitelist PowerBI Pro to connect securely to Azure resources like SQL Database and Storage Account

      2 votes
      0 comments  ·  Azure Firewall

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    9. Azure firewall provisioning fails because of French locale: LocationNotAvailableForResourceType

      Azure firewall provisioning fails because of the French locale on the portal

      LocationNotAvailableForResourceType
      L'emplacement fourni « Europe occidentale » n'est pas disponible pour le type de ressource « Microsoft.Network/publicIPAddresses ».

      1 vote
      0 comments  ·  Azure Firewall
    10. Create default IP Rule for IP restrictions

      When creating first IP restrictions rule in a Web Application the default rule Deny all is implemented.
      This default rule is not visible and should automatically be generated on creation of first visible rule to then be configurable with Priority numeric.
      Otherwise many users of Azure Web apps will create a rule and not realise the whole site is blocked due to this default rule being applied.

      1 vote
      0 comments  ·  Azure Firewall
    11. Please create a blog post discussing when FTP - Active client connections were blocked from Azure

      We had a case opened to learn that FTP - Active mode was blocked from Azure. This was documented internally at Microsoft but nothing we could find on the web or Azure documentation. Many companies still use Active FTP (not saying that is a best practice) and for these companies it would be helpful to call this issue out as a known fact for migrating to Azure (if code changes are required)

      1 vote
      0 comments  ·  Azure Firewall
    12. WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF.

      WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF stand point. Means, We modified multiple TLS1.2 algorithm and tested to fix the issue. Why the custom/selected TLS1.2 algo is not working? Can you build the "front end troubleshooting page or packet capture page" to select correct TLS1.2 or elect the correct TLS1.2 automatically?

      Moreover, could you modify the name from "Listener" to "Backend Listener"? Because this name is really confusing with frontend certificate and backend TLS parameters.

      1 vote
      0 comments  ·  Azure Firewall

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    13. FQDN tag in Azure Firewall for AzureMonitor

      FQDN tag in Azure Firewall for AzureMonitor

      1 vote
      0 comments  ·  Azure Firewall
    14. Azure Firewall - NAT Rules Clarification

      The NAT rules UI is a little wonky and less intuitive than I would like. I think the terms "destination" address and "translated" address could be modified to be more clear. Almost every customer that I have worked with on deployment of Azure Firewall has reversed these and hence impacted their configuration and timing for deployment. I think the UI should have F/W interface address (it should know it since it only can have one today) and the translated address field should be labeled target. That simple change would've saved a couple of customers an hour or two of frustration and…

      1 vote
      1 comment  ·  Azure Firewall